lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <34b776c32a3f75ff155bc85d3c1554e21be7bab2.1500330091.git.luto@kernel.org>
Date:   Mon, 17 Jul 2017 15:22:02 -0700
From:   Andy Lutomirski <luto@...nel.org>
To:     security@...nel.org, Andrew Morton <akpm@...ux-foundation.org>
Cc:     linux-kernel@...r.kernel.org, Andy Lutomirski <luto@...nel.org>
Subject: [PATCH] exec: Check stack space more strictly

We can currently blow past the stack rlimit and cause odd behavior
if there are accounting bugs, rounding issues, or races.  It's not
clear that the odd behavior is actually a problem, but it's nicer to
fail the exec instead of getting out of sync with stack limits.

Improve the code to more carefully check for space and to abort if
our stack mm gets too large in setup_arg_pages().

Signed-off-by: Andy Lutomirski <luto@...nel.org>
---
 fs/exec.c | 44 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 34 insertions(+), 10 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 62175cbcc801..0c60c0495269 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -764,23 +764,47 @@ int setup_arg_pages(struct linux_binprm *bprm,
 	/* mprotect_fixup is overkill to remove the temporary stack flags */
 	vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
 
-	stack_expand = 131072UL; /* randomly 32*4k (or 2*64k) pages */
-	stack_size = vma->vm_end - vma->vm_start;
 	/*
 	 * Align this down to a page boundary as expand_stack
 	 * will align it up.
 	 */
 	rlim_stack = rlimit(RLIMIT_STACK) & PAGE_MASK;
+	stack_size = vma->vm_end - vma->vm_start;
+
+	if (stack_size > rlim_stack) {
+		/*
+		 * If we've already used too much space (due to accounting
+		 * bugs, alignment, races, or any other cause), bail.
+		 */
+		ret = -ENOMEM;
+		goto out_unlock;
+	}
+
+	/*
+	 * stack_expand is the amount of space beyond the space already used
+	 * that we're going to pre-allocate in our stack.  For historical
+	 * reasons, it's 128kB, unless we have less space than that available
+	 * in our rlimit.
+	 *
+	 * This particular historical wart is wrong-headed, though, since
+	 * we haven't finished binfmt-specific setup, and the binfmt code
+	 * is going to eat up some or all of this space.
+	 */
+	stack_expand = min(rlim_stack - stack_size, 131072UL);
+
 #ifdef CONFIG_STACK_GROWSUP
-	if (stack_size + stack_expand > rlim_stack)
-		stack_base = vma->vm_start + rlim_stack;
-	else
-		stack_base = vma->vm_end + stack_expand;
+	if (TASK_SIZE_MAX - vma->vm_end < stack_expand) {
+		ret = -ENOMEM;
+		goto out_unlock;
+	}
+	stack_base = vma->vm_end + stack_expand;
 #else
-	if (stack_size + stack_expand > rlim_stack)
-		stack_base = vma->vm_end - rlim_stack;
-	else
-		stack_base = vma->vm_start - stack_expand;
+	if (vma->vm_start < mmap_min_addr ||
+	    vma->vm_start - mmap_min_addr < stack_expand) {
+		ret = -ENOMEM;
+		goto out_unlock;
+	}
+	stack_base = vma->vm_start - stack_expand;
 #endif
 	current->mm->start_stack = bprm->p;
 	ret = expand_stack(vma, stack_base);
-- 
2.9.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ