All of lore.kernel.org
 help / color / mirror / Atom feed
From: Leonard den Ottolander <leonard-lists-2Avth2y2NeLyQNdsBcn8aGZHpeb/A1Y/@public.gmane.org>
To: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: binfmts.h MAX_ARG_STRINGS excessive value allows heap spraying
Date: Fri, 17 Mar 2017 14:12:31 +0100	[thread overview]
Message-ID: <1489756351.5187.30.camel@quad> (raw)
In-Reply-To: <b736f01f-ef0a-56de-bf57-c6d3d74262a4-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

On Mon, 2017-03-13 at 20:51 -0400, Carlos O'Donell wrote:
> On 03/10/2017 07:10 AM, Leonard den Ottolander wrote:
> > A whopping gigabyte on 32 bit systems for arguments passed to an
> > executable. That sounds excessive. A use case of "ls *"-ing 128k files
> > with 32 byte names adds up to 4 MiB. That is 16 times what you need to
> > build a kernel. That sounds sufficient don't you think? And again, if
> > not, show us a use case.
> 
> You have already been given use cases.
> 
> * Mail spool directory with millions of files.

That is quite an excessive use case to bring up to counter my effort to
get a serious attack vector, heap spraying, fixed. Also not that ls on
such a directory will work fine, it's only when you start to use
wildcards that you run into limits. Easily fixed by someone with only a
basic knowledge of scripting.

> * Large and complex build system with potentially long paths.

I have given you a concrete example: You can build a kernel on CentOS-7
with a kernel built with these values. You still have not shown a
counter example. Perhaps the build of glibc fails with such values?
Firefox? MySQL/MariaDB?

You keep repeating conjectured arguments to counter my concrete example.
Please provide a real case where a total of 256KiB for command line
arguments breaks anything in real life.

> Artificial limits are always going to cause problems, particularly when
> going from a higher limit to a lower limit.

15 years ago a total of 128KiB arguments was fine. I can imagine we need
a multitude of that by now, but for the use case I present 256KiB seems
plenty.

As I have pointed out all systems use artificial limits everywhere, not
to annoy the user, but to protect the users system against (dangerously)
misbehaving.

> Your present justification is simply that nobody could have use for
> lots of arguments, which is not true, and that heap spraying needs to be
> stopped, which may be right but may not be the place to start.

No, I have presented you a concrete use case that I believe to be at the
top end of what one would need for the total amount of argument data.
You have still not presented a serious counter example.

> You have now been given the expert opinion of Joseph Myers and myself,
> so take that as you will.

Who exactly is the judge of that qualification? Are you trying to
disqualify me by using such terms and applying them to yourselves?

> Deployed existing code stands, and the burden of proof is on _you_ to
> justify changing the code, not on me to justify all the use cases that
> users might have for the current implementation.

The example I have given you
https://googleprojectzero.blogspot.nl/2014/08/the-poisoned-nul-byte-2014-edition.html
clearly illustrates the viability of attacking a system with heap
spraying and its potency as an attack vector.

> Please invite more experts, security or otherwise, to come discuss on
> linux-api, the relative merits of _where_ we should be fixing attacks
> of this kind.

Apparently the amount of people chipping in is more important to you
than the value of the arguments. You being an employee of a large
company will always be able to bring out more people to argue your side
of the argument. That in itself does not make your arguments more valid
though.

The change to split that single value MAX_ARG_PAGES into two
(MAX_ARG_STRINGS & MAX_ARG_STRLEN) when MMU was implemented has not been
justified. It now turns out to have been a dangerous decision as the
multiplication of the two quickly brings us in the danger zone where the
entire heap can be initialized by an attacker (malevolent local user, or
someone cracking f.e. apache running on a 32 bit ABI).

Instead of trying to disqualify me and my arguments with cheap rhetoric
you might run some tests with the value(s) I provided so we can
establish a sensible limit for MAX_ARG_STRINGS * MAX_ARG_STRLEN or its
(to be restored) cap "MAX_ARG_BYTES" and fix the dangerous attack venue
that heap spraying is.

Regards,
Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research

  parent reply	other threads:[~2017-03-17 13:12 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-03-07 14:44 binfmts.h MAX_ARG_STRINGS excessive value allows heap spraying Leonard den Ottolander
2017-03-08 17:54 ` Carlos O'Donell
     [not found]   ` <f7f9f60b-0f39-7dce-1778-3aa40ba198ef-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-08 18:18     ` Leonard den Ottolander
2017-03-08 18:21       ` Leonard den Ottolander
2017-03-08 20:47       ` Joseph Myers
2017-03-08 21:05       ` Carlos O'Donell
     [not found]         ` <f16cd7f8-f996-cf66-d640-50b0ccee06c7-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-09 14:04           ` Leonard den Ottolander
2017-03-09 14:35             ` Carlos O'Donell
2017-03-09 14:14           ` Leonard den Ottolander
2017-03-09 20:34             ` Carlos O'Donell
     [not found]               ` <81d8e14e-e110-4b96-5d45-8bb3b56f4866-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-10 12:10                 ` Leonard den Ottolander
2017-03-14  0:51                   ` Carlos O'Donell
     [not found]                     ` <b736f01f-ef0a-56de-bf57-c6d3d74262a4-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-03-17 13:12                       ` Leonard den Ottolander [this message]
2017-03-09 23:10             ` Joseph Myers
     [not found]               ` <alpine.DEB.2.20.1703092304110.23273-9YEB1lltEqivcGRMvF24k2I39yigxGEX@public.gmane.org>
2017-03-10  0:01                 ` Carlos O'Donell
2017-03-08 18:48     ` Leonard den Ottolander
  -- strict thread matches above, loose matches on Subject: below --
2017-03-06 15:29 Leonard den Ottolander

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1489756351.5187.30.camel@quad \
    --to=leonard-lists-2avth2y2nelyqndsbcn8agzhpeb/a1y/@public.gmane.org \
    --cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.