[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [PATCH] linux-user: limit number of arguments to execve
From: |
Jann Horn |
Subject: |
Re: [Qemu-devel] [PATCH] linux-user: limit number of arguments to execve |
Date: |
Fri, 3 Mar 2017 16:57:46 +0100 |
On Fri, Mar 3, 2017 at 4:55 PM, Peter Maydell <address@hidden> wrote:
> On 3 March 2017 at 11:25, P J P <address@hidden> wrote:
>> From: Prasad J Pandit <address@hidden>
>>
>> Limit the number of arguments passed to execve(2) call from
>> a user program, as large number of them could lead to a bad
>> guest address error.
>>
>> Reported-by: Jann Horn <address@hidden>
>> Signed-off-by: Prasad J Pandit <address@hidden>
>> ---
>> linux-user/syscall.c | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>> index 9be8e95..c545c12 100644
>> --- a/linux-user/syscall.c
>> +++ b/linux-user/syscall.c
>> @@ -7766,6 +7766,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
>> arg1,
>> #endif
>> case TARGET_NR_execve:
>> {
>> +#define ARG_MAX 65535
>> char **argp, **envp;
>> int argc, envc;
>> abi_ulong gp;
>> @@ -7794,6 +7795,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
>> arg1,
>> envc++;
>> }
>>
>> + if (argc > ARG_MAX || envc > ARG_MAX) {
>> + fprintf(stderr,
>> + "argc(%d), envc(%d) exceed %d\n", argc, envc,
>> ARG_MAX);
>> + ret = -TARGET_EFAULT;
>> + break;
>> + }
>> argp = alloca((argc + 1) * sizeof(void *));
>> envp = alloca((envc + 1) * sizeof(void *));
>
> This code is already supposed to handle "argument string too big",
> see commit a6f79cc9a5e.
>
> What's the actual bug case we're trying to handle here?
commit a6f79cc9a5e doesn't help here, it only bails out after the two
alloca() calls