Re: [Qemu-devel] [PATCH] linux-user: limit number of arguments to execve

[Jann Horn]

On Fri, Mar 3, 2017 at 4:55 PM, Peter Maydell <address@hidden> wrote:
> On 3 March 2017 at 11:25, P J P <address@hidden> wrote:
>> From: Prasad J Pandit <address@hidden>
>>
>> Limit the number of arguments passed to execve(2) call from
>> a user program, as large number of them could lead to a bad
>> guest address error.
>>
>> Reported-by: Jann Horn <address@hidden>
>> Signed-off-by: Prasad J Pandit <address@hidden>
>> ---
>>  linux-user/syscall.c | 7 +++++++
>>  1 file changed, 7 insertions(+)
>>
>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>> index 9be8e95..c545c12 100644
>> --- a/linux-user/syscall.c
>> +++ b/linux-user/syscall.c
>> @@ -7766,6 +7766,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long 
>> arg1,
>>  #endif
>>      case TARGET_NR_execve:
>>          {
>> +#define ARG_MAX 65535
>>              char **argp, **envp;
>>              int argc, envc;
>>              abi_ulong gp;
>> @@ -7794,6 +7795,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long 
>> arg1,
>>                  envc++;
>>              }
>>
>> +            if (argc > ARG_MAX || envc > ARG_MAX) {
>> +                fprintf(stderr,
>> +                        "argc(%d), envc(%d) exceed %d\n", argc, envc, 
>> ARG_MAX);
>> +                ret = -TARGET_EFAULT;
>> +                break;
>> +            }
>>              argp = alloca((argc + 1) * sizeof(void *));
>>              envp = alloca((envc + 1) * sizeof(void *));
>
> This code is already supposed to handle "argument string too big",
> see commit a6f79cc9a5e.
>
> What's the actual bug case we're trying to handle here?

commit a6f79cc9a5e doesn't help here, it only bails out after the two
alloca() calls