All of lore.kernel.org
 help / color / mirror / Atom feed
From: Kees Cook <kees.cook@canonical.com>
To: linux-kernel@vger.kernel.org
Cc: oss-security@lists.openwall.com,
	Al Viro <viro@zeniv.linux.org.uk>,
	Andrew Morton <akpm@linux-foundation.org>,
	Oleg Nesterov <oleg@redhat.com>,
	KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>,
	Neil Horman <nhorman@tuxdriver.com>,
	Roland McGrath <roland@redhat.com>,
	linux-fsdevel@vger.kernel.org
Subject: [PATCH] exec argument expansion can inappropriately trigger OOM-killer
Date: Fri, 27 Aug 2010 15:02:58 -0700	[thread overview]
Message-ID: <20100827220258.GF4703@outflux.net> (raw)

Brad Spengler published a local memory-allocation DoS that
evades the OOM-killer (though not the virtual memory RLIMIT):
http://www.grsecurity.net/~spender/64bit_dos.c

The recent changes to create a stack guard page helps slightly to
discourage this attack, but it is not sufficient. Compiling it statically
moves the libraries out of the way, allowing the stack VMA to fill the
entire TASK_SIZE.

There are two issues:
 1) the OOM killer doesn't notice this argv memory explosion
 2) the argv expansion does not check if rlim[RLIMIT_STACK].rlim_cur is -1.

I figure a quick solution for #2 would be the following patch. However,
running multiple copies of this program could result in similar OOM
behavior, so issue #1 still needs a solution.

Reported-by: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Kees Cook <kees.cook@canonical.com>
---
 fs/exec.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index dab85ec..be40063 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -194,7 +194,8 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 		 *    to work from.
 		 */
 		rlim = current->signal->rlim;
-		if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) {
+		if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4 ||
+		    size > TASK_SIZE / 4) {
 			put_page(page);
 			return NULL;
 		}
-- 
1.7.1

-- 
Kees Cook
Ubuntu Security Team

             reply	other threads:[~2010-08-27 22:03 UTC|newest]

Thread overview: 81+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-08-27 22:02 Kees Cook [this message]
2010-08-30  0:19 ` [PATCH] exec argument expansion can inappropriately trigger OOM-killer KOSAKI Motohiro
2010-08-30  0:56 ` Roland McGrath
2010-08-30  3:23   ` Solar Designer
2010-08-30  3:23     ` Solar Designer
2010-08-30 10:06     ` Roland McGrath
2010-08-30 19:48       ` Solar Designer
2010-08-31  0:40         ` Roland McGrath
2010-09-08  2:34       ` [PATCH 0/3] execve argument-copying fixes Roland McGrath
2010-09-08  2:34         ` Roland McGrath
2010-09-08  2:35         ` [PATCH 1/3] setup_arg_pages: diagnose excessive argument size Roland McGrath
2010-09-08  2:35           ` Roland McGrath
2010-09-08  8:29           ` pageexec
2010-09-08  8:29             ` pageexec
2010-09-10  8:59             ` Roland McGrath
2010-09-10  8:59               ` Roland McGrath
2010-09-11 13:30               ` pageexec
2010-09-11 13:30                 ` pageexec-Y8qEzhMunLyT9ig0jae3mg
2010-09-14 19:33                 ` Roland McGrath
2010-09-14 22:35                   ` pageexec
2010-09-14 22:35                     ` pageexec-Y8qEzhMunLyT9ig0jae3mg
2010-09-08 11:57           ` Brad Spengler
2010-09-08 11:57             ` Brad Spengler
2010-09-09  5:31             ` KOSAKI Motohiro
2010-09-09  5:31               ` KOSAKI Motohiro
2010-09-10  9:25               ` Roland McGrath
2010-09-10  9:25                 ` Roland McGrath
2010-09-10  9:43                 ` KOSAKI Motohiro
2010-09-11 13:39                 ` pageexec
2010-09-11 13:39                   ` pageexec-Y8qEzhMunLyT9ig0jae3mg
2010-09-14 18:51                   ` Roland McGrath
2010-09-14 18:51                     ` Roland McGrath
2010-09-14 20:28                     ` pageexec
2010-09-14 20:28                       ` pageexec-Y8qEzhMunLyT9ig0jae3mg
2010-09-14 21:16                       ` Roland McGrath
2010-09-14 21:16                         ` Roland McGrath
2010-09-14 22:27                         ` pageexec
2010-09-14 22:27                           ` pageexec-Y8qEzhMunLyT9ig0jae3mg
2010-09-14 23:04                           ` Roland McGrath
2010-09-14 23:04                             ` Roland McGrath
2010-09-15  9:27                             ` pageexec
2010-09-15  9:27                               ` pageexec-Y8qEzhMunLyT9ig0jae3mg
2010-09-10  9:18             ` Roland McGrath
2010-09-10  9:18               ` Roland McGrath
2010-09-08  2:36         ` [PATCH 2/3] execve: improve interactivity with large arguments Roland McGrath
2010-09-08  2:36           ` Roland McGrath
2010-09-08  2:37         ` [PATCH 3/3] execve: make responsive to SIGKILL " Roland McGrath
2010-09-08  2:37           ` Roland McGrath
2010-09-08  3:00         ` [PATCH 0/3] execve argument-copying fixes KOSAKI Motohiro
2010-09-08  3:00           ` KOSAKI Motohiro
2010-09-09  5:01         ` [PATCH 0/2] execve memory exhaust of " KOSAKI Motohiro
2010-09-09  5:01           ` KOSAKI Motohiro
2010-09-09  5:03           ` [PATCH 1/2] oom: don't ignore rss in nascent mm KOSAKI Motohiro
2010-09-09  5:03             ` KOSAKI Motohiro
2010-09-09 22:05             ` Oleg Nesterov
2010-09-09 22:05               ` Oleg Nesterov
2010-09-10  9:39               ` Roland McGrath
2010-09-10  9:39                 ` Roland McGrath
2010-09-10  9:57               ` [PATCH] move cred_guard_mutex from task_struct to signal_struct KOSAKI Motohiro
2010-09-10  9:57                 ` KOSAKI Motohiro
2010-09-10 17:24                 ` Oleg Nesterov
2010-09-10 17:24                   ` Oleg Nesterov
2010-09-16  5:51                   ` KOSAKI Motohiro
2010-09-16  5:51                     ` KOSAKI Motohiro
2010-09-09  5:04           ` [PATCH 2/2] execve: check the VM has enough memory at first KOSAKI Motohiro
2010-09-09  5:04             ` KOSAKI Motohiro
2010-09-10 15:06             ` Linus Torvalds
2010-09-10 15:06               ` Linus Torvalds
2010-09-14  1:52               ` KOSAKI Motohiro
2010-09-14  1:52                 ` KOSAKI Motohiro
2010-09-16  5:51                 ` KOSAKI Motohiro
2010-09-16  5:51                   ` KOSAKI Motohiro
2010-09-16 15:01                   ` Linus Torvalds
2010-09-16 15:01                     ` Linus Torvalds
2010-08-30 17:49     ` [PATCH] exec argument expansion can inappropriately trigger OOM-killer Solar Designer
2010-08-30 17:49       ` Solar Designer
2010-08-30 22:08       ` Brad Spengler
2010-08-30 22:08         ` Brad Spengler
2010-08-31 11:53         ` Solar Designer
2010-08-31 11:53           ` Solar Designer
2010-08-31 11:56         ` [PATCH] exec argument expansion can inappropriately triggerOOM-killer Tetsuo Handa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100827220258.GF4703@outflux.net \
    --to=kees.cook@canonical.com \
    --cc=akpm@linux-foundation.org \
    --cc=kosaki.motohiro@jp.fujitsu.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=nhorman@tuxdriver.com \
    --cc=oleg@redhat.com \
    --cc=oss-security@lists.openwall.com \
    --cc=roland@redhat.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.