qemu-devel

Re: [Qemu-devel] [PATCH] linux-user: limit number of arguments to execve


From: Peter Maydell
Subject: Re: [Qemu-devel] [PATCH] linux-user: limit number of arguments to execve
Date: Fri, 3 Mar 2017 15:56:47 +0000

On 3 March 2017 at 14:54, Eric Blake <address@hidden> wrote:
>> +                ret = -TARGET_EFAULT;
>> +                break;
>> +            }
>>              argp = alloca((argc + 1) * sizeof(void *));
>>              envp = alloca((envc + 1) * sizeof(void *));
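Review bot: the count check that returns -TARGET_EFAULT just above bounds argc and envc, but the two alloca() calls that follow, `argp = alloca((argc + 1) * sizeof(void *));` and the envp line, still reserve a guest-chosen amount of host stack, so any limit large enough to be useful for real argv arrays can still push the stack pointer past the guard page before execve() is reached. Consider allocating both tables on the heap (g_try_new(void *, argc + 1) / g_try_new(void *, envc + 1), returning -TARGET_ENOMEM on NULL and freeing them after the execve() call) so an accepted but large count fails cleanly instead of moving the stack.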
>
> ...Uggh. You're using alloca() but allowing an allocation of way more
> than 4k.  That means a guest can cause corruption of the stack (or, with
> large enough arguments, even escape out of the stack) before you even
> get to the execve() call to even worry about E2BIG issues.

Yeah, linux-user is shot through with that kind of alloca() usage.

(It's not great, but it's not a security hole because we already
give the guest binary complete control to do anything it likes.
Worth fixing bugs if we run into them, though.)

thanks
-- PMM
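The stack problem Eric describes above, with the hardened pattern beside it, as an added example that is not part of the thread and not QEMU's code: the cap MAX_ARG_COUNT, the helper names and the sample argv are assumptions made for this illustration, and the real limit the patch chose is not reproduced. The point is that a guest-controlled count must be bounded before it sizes any allocation, and that the allocation should live on the heap, where an oversized request can only fail, rather than in an alloca() that silently moves the stack pointer past the guard page.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on the number of entries in a guest argv/envp table.
 * The value is an assumption for this example, not QEMU's limit. */
#define MAX_ARG_COUNT 4096

/*
 * Count the entries in a NULL-terminated guest pointer table.
 * Returns -1 as soon as the table exceeds MAX_ARG_COUNT, so the caller
 * fails with E2BIG instead of trusting an unbounded count.
 */
static long count_entries(char *const *table)
{
    long n = 0;
    while (table[n] != NULL) {
        if (n >= MAX_ARG_COUNT) {
            return -1;
        }
        n++;
    }
    return n;
}

/*
 * Heap-allocated replacement for the pattern
 *     argp = alloca((argc + 1) * sizeof(void *));
 * The count is capped by count_entries() and the storage comes from the
 * heap, so a huge table yields NULL and an errno value in *err (E2BIG or
 * ENOMEM) rather than a stack pointer moved by a guest-chosen amount.
 * The caller owns the returned array and must free() it.
 */
char **copy_pointer_table(char *const *table, int *err)
{
    long count = count_entries(table);
    if (count < 0) {
        *err = E2BIG;
        return NULL;
    }
    /* count + 1 cannot overflow: count is at most MAX_ARG_COUNT. */
    char **copy = calloc((size_t)count + 1, sizeof(char *));
    if (copy == NULL) {
        *err = ENOMEM;
        return NULL;
    }
    memcpy(copy, table, (size_t)count * sizeof(char *));
    copy[count] = NULL;    /* keep the terminator execve() expects */
    *err = 0;
    return copy;
}

/* Constructed sample argv, as a guest program might hand to execve(). */
static char *const sample_argv[] = { "/bin/true", "--flag", "value", NULL };

/* Copies sample_argv and returns its entry count, or -1 on any failure. */
long demo_copy_sample(void)
{
    int err = 0;
    char **copy = copy_pointer_table(sample_argv, &err);
    if (copy == NULL || err != 0) {
        return -1;
    }
    long n = 0;
    while (copy[n] != NULL) {
        if (strcmp(copy[n], sample_argv[n]) != 0) {
            free(copy);
            return -1;
        }
        n++;
    }
    free(copy);
    return n;
}

/* Builds a table one entry past the cap and returns the errno the copier
 * reports (E2BIG expected), or -1 if it wrongly produced a copy. */
int demo_oversized_rejected(void)
{
    size_t n = MAX_ARG_COUNT + 1;
    char **big = malloc((n + 1) * sizeof(char *));
    if (big == NULL) {
        return -1;
    }
    for (size_t i = 0; i < n; i++) {
        big[i] = "x";
    }
    big[n] = NULL;
    int err = 0;
    char **copy = copy_pointer_table((char *const *)big, &err);
    free(big);
    if (copy != NULL) {
        free(copy);
        return -1;
    }
    return err;
}

int main(void)
{
    printf("sample table copied: %ld entries\n", demo_copy_sample());
    printf("oversized table rejected with errno %d (E2BIG is %d)\n",
           demo_oversized_rejected(), E2BIG);
    return 0;
}
```

Note that the cap does double duty: it bounds the walk over guest memory in count_entries() as well as the allocation size, so a table that is never NULL-terminated also stops at MAX_ARG_COUNT instead of reading until a fault.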


