From: Leonard den Ottolander <leonard-lists-2Avth2y2NeLyQNdsBcn8aGZHpeb/A1Y/@public.gmane.org>
To: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: binfmts.h MAX_ARG_STRINGS excessive value allows heap spraying
Date: Wed, 08 Mar 2017 19:48:11 +0100
Message-ID: <1488998891.5155.20.camel@quad>
In-Reply-To: <f7f9f60b-0f39-7dce-1778-3aa40ba198ef-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Wed, 2017-03-08 at 12:54 -0500, Carlos O'Donell wrote:
> In glibc we limit setuid applications, for example sanitizing their
> environment where it would cause problems or alter behaviour in
> unintended ways.
Please explain what these limitations are, and when they were imposed,
as in the article
https://googleprojectzero.blogspot.nl/2014/08/the-poisoned-nul-byte-2014-edition.html
the author is actually using a setuid binary (pkexec) and clearly not
running into any limitations with that particular exploit.
Also note that heap spraying can happen in any binary that has memory
leaks in its option parsing. pkexec.c and pkcheck.c are known to suffer
such issues, but other binaries could be affected. Setting
MAX_ARG_STRINGS to a sensible value significantly reduces the impact of
such heap spraying.
Regards,
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
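The exchange above argues that because MAX_ARG_STRINGS in binfmts.h is 0x7FFFFFFF, the number of argv strings a caller can hand to a setuid binary is bounded in practice only by the stack rlimit, so any per-option allocation the target never frees becomes a heap-spray primitive. The following is an added example, not code from the thread, from polkit or from glibc: a toy option parser that leaks one heap chunk per argument, a hardened variant that caps the argument count and frees the previous value, an argv builder of the kind an attacker would pass to execve(), and an estimate of how many one-byte strings the kernel will accept for a given RLIMIT_STACK. Names (leaky_parse, hardened_parse, build_spray_argv, spray_capacity, SANE_MAX_ARGS) are hypothetical; the capacity estimate assumes the kernel's long-standing budget of roughly a quarter of RLIMIT_STACK (never less than ARG_MAX) for argv+envp strings plus one pointer slot per string.

```c
/* Added example (not from the thread, polkit or glibc). All names below are
 * hypothetical; the kernel constants are copied from include/uapi/linux/binfmts.h. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

#define KERNEL_ARG_MAX         131072UL     /* 32 pages, always honoured */
#define KERNEL_MAX_ARG_STRINGS 0x7FFFFFFFUL /* the value the thread objects to */
#define SANE_MAX_ARGS          4096         /* assumed cap for the hardened parser */

/* Estimate (assumption, see lead-in) how many "x\0" argument strings execve()
 * accepts for a given RLIMIT_STACK: about a quarter of the stack limit, never
 * below ARG_MAX, with each string also paying for its char* slot. The result
 * is capped at MAX_ARG_STRINGS, which in practice never binds. */
unsigned long spray_capacity(unsigned long stack_limit_bytes)
{
    unsigned long budget = stack_limit_bytes / 4;
    if (budget < KERNEL_ARG_MAX)
        budget = KERNEL_ARG_MAX;
    unsigned long per_string = 2 + sizeof(char *); /* "x\0" plus pointer */
    unsigned long n = budget / per_string;
    return n < KERNEL_MAX_ARG_STRINGS ? n : KERNEL_MAX_ARG_STRINGS;
}

/* Build a NULL-terminated argv of n identical "--opt=<filler>" strings,
 * i.e. the spray payload an attacker would pass to execve(). */
char **build_spray_argv(size_t n, const char *filler)
{
    char **argv = calloc(n + 2, sizeof(char *));
    if (!argv)
        return NULL;
    size_t len = strlen("--opt=") + strlen(filler) + 1;
    argv[0] = strdup("target");
    for (size_t i = 1; i <= n; i++) {
        argv[i] = malloc(len);
        snprintf(argv[i], len, "--opt=%s", filler);
    }
    argv[n + 1] = NULL;
    return argv;
}

void free_argv(char **argv)
{
    for (size_t i = 0; argv[i]; i++)
        free(argv[i]);
    free(argv);
}

/* Vulnerable pattern: every "--opt=value" is strdup()ed and the previous
 * copy is simply overwritten, so each repeated option leaves one live heap
 * chunk behind. Returns the number of chunks the caller has placed. */
size_t leaky_parse(int argc, char **argv)
{
    size_t placed = 0;
    char *value = NULL;
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "--opt=", 6) == 0) {
            value = strdup(argv[i] + 6); /* old value leaked, stays on the heap */
            placed++;
        }
    }
    (void)value;
    return placed;
}

/* Hardened variant: reject absurd argument counts up front (what a smaller
 * MAX_ARG_STRINGS would do kernel-wide) and free the old value before
 * replacing it. Returns -1 on rejection, else the number of chunks still
 * allocated when parsing finishes (always 0). */
int hardened_parse(int argc, char **argv)
{
    if (argc > SANE_MAX_ARGS)
        return -1;
    char *value = NULL;
    for (int i = 1; i < argc; i++) {
        if (strncmp(argv[i], "--opt=", 6) == 0) {
            free(value);
            value = strdup(argv[i] + 6);
        }
    }
    free(value);
    return 0;
}

int main(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) == 0)
        printf("strings execve() would accept for this stack limit: ~%lu\n",
               spray_capacity(rl.rlim_cur == RLIM_INFINITY ? 8UL << 20 : rl.rlim_cur));
    size_t n = 100000; /* constructed spray size */
    char **av = build_spray_argv(n, "AAAAAAAAAAAAAAAA");
    printf("leaky parser left %zu chunks live\n", leaky_parse((int)n + 1, av));
    printf("hardened parser returned %d\n", hardened_parse((int)n + 1, av));
    free_argv(av);
    return 0;
}
```

With a default 8 MiB stack the estimate comes out around 200k strings, so a parser that leaks per option lets an unprivileged caller place hundreds of thousands of attacker-sized chunks before main() has done anything else; the hardened parser's argc cap is the process-level stand-in for the kernel-wide limit the thread asks for.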
Thread overview (17+ messages):
2017-03-07 14:44 binfmts.h MAX_ARG_STRINGS excessive value allows heap spraying Leonard den Ottolander
2017-03-08 17:54 ` Carlos O'Donell
[not found] ` <f7f9f60b-0f39-7dce-1778-3aa40ba198ef-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-08 18:18 ` Leonard den Ottolander
2017-03-08 18:21 ` Leonard den Ottolander
2017-03-08 20:47 ` Joseph Myers
2017-03-08 21:05 ` Carlos O'Donell
[not found] ` <f16cd7f8-f996-cf66-d640-50b0ccee06c7-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-09 14:04 ` Leonard den Ottolander
2017-03-09 14:35 ` Carlos O'Donell
2017-03-09 14:14 ` Leonard den Ottolander
2017-03-09 20:34 ` Carlos O'Donell
[not found] ` <81d8e14e-e110-4b96-5d45-8bb3b56f4866-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-10 12:10 ` Leonard den Ottolander
2017-03-14 0:51 ` Carlos O'Donell
[not found] ` <b736f01f-ef0a-56de-bf57-c6d3d74262a4-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-17 13:12 ` Leonard den Ottolander
2017-03-09 23:10 ` Joseph Myers
[not found] ` <alpine.DEB.2.20.1703092304110.23273-9YEB1lltEqivcGRMvF24k2I39yigxGEX@public.gmane.org>
2017-03-10 0:01 ` Carlos O'Donell
2017-03-08 18:48 ` Leonard den Ottolander [this message]
-- strict thread matches above, loose matches on Subject: below --
2017-03-06 15:29 Leonard den Ottolander