7d09435354
Mind this is aesthetics mainly - we do not care much about privilege escalations in AppVM.
47 lines
1.6 KiB
Plaintext
47 lines
1.6 KiB
Plaintext
From: Roland McGrath <roland@redhat.com>
|
|
Date: Wed, 8 Sep 2010 02:35:49 +0000 (-0700)
|
|
Subject: setup_arg_pages: diagnose excessive argument size
|
|
Git-commit: 1b528181b2ffa14721fb28ad1bd539fe1732c583
|
|
Patch-mainline: 2.6.36-rc4
|
|
References: bnc#635425
|
|
Introduced-by: 2.6.23
|
|
|
|
setup_arg_pages: diagnose excessive argument size
|
|
|
|
The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
|
|
check the size of the argument/environment area on the stack.
|
|
When it is unworkably large, shift_arg_pages() hits its BUG_ON.
|
|
This is exploitable with a very large RLIMIT_STACK limit, to
|
|
create a crash pretty easily.
|
|
|
|
Check that the initial stack is not too large to make it possible
|
|
to map in any executable. We're not checking that the actual
|
|
executable (or intepreter, for binfmt_elf) will fit. So those
|
|
mappings might clobber part of the initial stack mapping. But
|
|
that is just userland lossage that userland made happen, not a
|
|
kernel problem.
|
|
|
|
Signed-off-by: Roland McGrath <roland@redhat.com>
|
|
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
|
|
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Acked-by: Jeff Mahoney <jeffm@suse.com>
|
|
---
|
|
|
|
fs/exec.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
--- a/fs/exec.c
|
|
+++ b/fs/exec.c
|
|
@@ -593,6 +593,11 @@ int setup_arg_pages(struct linux_binprm
|
|
#else
|
|
stack_top = arch_align_stack(stack_top);
|
|
stack_top = PAGE_ALIGN(stack_top);
|
|
+
|
|
+ if (unlikely(stack_top < mmap_min_addr) ||
|
|
+ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
|
|
+ return -ENOMEM;
|
|
+
|
|
stack_shift = vma->vm_end - stack_top;
|
|
|
|
bprm->p -= stack_shift;
|