| From da029c11e6b12f321f36dac8771e833b65cec962 Mon Sep 17 00:00:00 2001 |
| From: Kees Cook <keescook@chromium.org> |
| Date: Fri, 7 Jul 2017 11:57:29 -0700 |
| Subject: exec: Limit arg stack to at most 75% of _STK_LIM |
| |
| From: Kees Cook <keescook@chromium.org> |
| |
| commit da029c11e6b12f321f36dac8771e833b65cec962 upstream. |
| |
| To avoid pathological stack usage or the need to special-case setuid |
| execs, just limit all arg stack usage to at most 75% of _STK_LIM (6MB). |
| |
| Signed-off-by: Kees Cook <keescook@chromium.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/exec.c | 11 ++++++----- |
| 1 file changed, 6 insertions(+), 5 deletions(-) |
| |
| --- a/fs/exec.c |
| +++ b/fs/exec.c |
| @@ -220,8 +220,7 @@ static struct page *get_arg_page(struct |
| |
| if (write) { |
| unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; |
| - unsigned long ptr_size; |
| - struct rlimit *rlim; |
| + unsigned long ptr_size, limit; |
| |
| /* |
| * Since the stack will hold pointers to the strings, we |
| @@ -250,14 +249,16 @@ static struct page *get_arg_page(struct |
| return page; |
| |
| /* |
| - * Limit to 1/4-th the stack size for the argv+env strings. |
| + * Limit to 1/4 of the max stack size or 3/4 of _STK_LIM |
| + * (whichever is smaller) for the argv+env strings. |
| * This ensures that: |
| * - the remaining binfmt code will not run out of stack space, |
| * - the program will have a reasonable amount of stack left |
| * to work from. |
| */ |
| - rlim = current->signal->rlim; |
| - if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) |
| + limit = _STK_LIM / 4 * 3; |
| + limit = min(limit, rlimit(RLIMIT_STACK) / 4); |
| + if (size > limit) |
| goto fail; |
| } |
| |
