[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH v2 1/2] linux-user: limit number of arguments to
From: |
Eric Blake |
Subject: |
Re: [Qemu-devel] [PATCH v2 1/2] linux-user: limit number of arguments to execve |
Date: |
Mon, 6 Mar 2017 09:54:59 -0600 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0 |
On 03/06/2017 09:42 AM, Peter Maydell wrote:
> On 6 March 2017 at 07:17, P J P <address@hidden> wrote:
>> From: Prasad J Pandit <address@hidden>
>>
>> Limit the number of arguments passed to execve(2) call from
>> a user program, as large number of them could lead to a bad
>> guest address error.
>>
>> Reported-by: Jann Horn <address@hidden>
>> Signed-off-by: Prasad J Pandit <address@hidden>
>> ---
>> linux-user/syscall.c | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> {
>> +#define ARG_MAX 65535
>> char **argp, **envp;
>> int argc, envc;
>> abi_ulong gp;
>> @@ -7794,6 +7795,11 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
>> arg1,
>> envc++;
>> }
>>
>> + if (argc > ARG_MAX || envc > ARG_MAX) {
>> + gemu_log("argc(%d), envc(%d) exceed %d\n", argc, envc,
>> ARG_MAX);
>> + ret = -TARGET_E2BIG;
>> + break;
>> + }
>> argp = alloca((argc + 1) * sizeof(void *));
>> envp = alloca((envc + 1) * sizeof(void *));
>
>
> We need to fix this by not using alloca(), not by imposing
> an arbitrary limit that's still rather over-large for an
> alloca allocation, as Eric suggested.
And patch 2/2 does that. Does that patch in isolation fix the problem?
In which case, we don't want this patch.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature