Date: Fri, 7 Jul 2017 12:57:00 -0700
From: Kees Cook <keescook@...omium.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Kees Cook <keescook@...omium.org>,
Andy Lutomirski <luto@...nel.org>,
David Howells <dhowells@...hat.com>,
Serge Hallyn <serge@...lyn.com>,
John Johansen <john.johansen@...onical.com>,
Casey Schaufler <casey@...aufler-ca.com>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Michal Hocko <mhocko@...nel.org>,
Ben Hutchings <ben@...adent.org.uk>,
Hugh Dickins <hughd@...gle.com>,
Oleg Nesterov <oleg@...hat.com>,
"Jason A. Donenfeld" <Jason@...c4.com>,
Rik van Riel <riel@...hat.com>,
Alexander Viro <viro@...iv.linux.org.uk>,
James Morris <james.l.morris@...cle.com>,
Greg Ungerer <gerg@...ux-m68k.org>,
Ingo Molnar <mingo@...nel.org>,
Nicolas Pitre <nicolas.pitre@...aro.org>,
Stephen Smalley <sds@...ho.nsa.gov>,
Paul Moore <paul@...l-moore.com>,
Vivek Goyal <vgoyal@...hat.com>,
Mickaël Salaün <mic@...ikod.net>,
Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>,
linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org
Subject: [PATCH 2/2] exec: Use sane stack rlimit for setuid exec

Before memory layout selection and credentials having been updated,
reset stack rlimit to something sane for setuid execs to avoid having
the caller having control over memory layouts.

$ ulimit -s
8192
$ ulimit -s unlimited
$ /bin/sh -c 'ulimit -s'
unlimited
$ sudo /bin/sh -c 'ulimit -s'
8192

Signed-off-by: Kees Cook <keescook@...omium.org>
---
fs/exec.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/exec.c b/fs/exec.c
index 1e8d647d8e7c..2b072cf79f6d 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1335,6 +1335,16 @@ void setup_new_exec(struct linux_binprm * bprm)
if (security_bprm_secureexec(bprm)) {
/* Record for AT_SECURE. */
bprm->secureexec = 1;
+
+ /*
+ * If this is a setuid execution, reset the stack limit to
+ * sane default to avoid bad behavior from the prior rlimits.
+ * This has to happen before arch_pick_mmap_layout(), which
+ * examines RLIMIT_STACK, but after the point of not return
+ * to avoid cleaning up the change on failure.
+ */
+ if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
+ current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
}
arch_pick_mmap_layout(current->mm);
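Review bot: the added if reads and then writes current->signal->rlim[RLIMIT_STACK].rlim_cur as two plain accesses, with no lock visible in this hunk. If another task can change this process's rlimits at this point in exec, the value arch_pick_mmap_layout() examines may not be the clamped one, so either hold whatever lock guards signal->rlim around the check and store, or state in the comment why none is needed. Only rlim_cur is capped while rlim_max is left alone; that looks intentional but deserves a sentence in the comment. In the comment text, "to sane default" should read "to a sane default" and "point of not return" should read "point of no return".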
--
2.7.4
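
Added example (not part of the original message or of the kernel patch): a startup self-check a privileged program can use to see whether the behaviour in the commit message's shell session applies to it, using the AT_SECURE flag the hunk mentions. It assumes _STK_LIM is 8 MiB, matching the 8192 KiB shown above; STK_LIM_ASSUMED, classify_stack_limit and check_current_process are hypothetical names.

```c
#include <stdio.h>
#include <sys/auxv.h>      /* getauxval(), AT_SECURE */
#include <sys/resource.h>  /* getrlimit(), RLIMIT_STACK, RLIM_INFINITY */

/* Assumption: same value as the kernel's _STK_LIM (8 MiB = "8192" from ulimit -s). */
#define STK_LIM_ASSUMED ((rlim_t)8 * 1024 * 1024)

enum stack_verdict {
    STACK_NOT_SECUREEXEC,    /* ordinary exec: the caller's limit is expected to apply */
    STACK_CLAMPED,           /* secure exec, soft limit at or below 8 MiB */
    STACK_CALLER_CONTROLLED  /* secure exec, soft limit still above 8 MiB */
};

/* Pure decision function so it can be exercised with constructed values. */
enum stack_verdict classify_stack_limit(unsigned long at_secure, rlim_t soft)
{
    if (!at_secure)
        return STACK_NOT_SECUREEXEC;
    /* RLIM_INFINITY ("unlimited") compares above the cap as well. */
    return soft > STK_LIM_ASSUMED ? STACK_CALLER_CONTROLLED : STACK_CLAMPED;
}

/* Classifies the running process; returns -1 if getrlimit() fails. */
int check_current_process(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_STACK, &rl) != 0)
        return -1;
    return (int)classify_stack_limit(getauxval(AT_SECURE), rl.rlim_cur);
}

int main(void)
{
    static const char *const msg[] = {
        "not a secure exec; stack rlimit is inherited from the caller",
        "secure exec; stack soft limit is at or below 8 MiB",
        "secure exec; a stack soft limit above 8 MiB was inherited",
    };
    int v = check_current_process();

    if (v < 0) {
        perror("getrlimit");
        return 2;
    }
    puts(msg[v]);
    /* Calling setrlimit() here cannot undo it: the mmap layout was picked during exec. */
    return v == STACK_CALLER_CONTROLLED ? 1 : 0;
}
```

Exit status 1 from a setuid copy of this program means the kernel it ran on did not cap the inherited stack limit.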