From: Kees Cook <keescook@chromium.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rob Landley <rob@landley.net>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
toybox@lists.landley.net, enh@gmail.com
Subject: Re: Regression: commit da029c11e6b1 broke toybox xargs.
Date: Fri, 3 Nov 2017 18:37:27 -0700 [thread overview]
Message-ID: <CAGXu5jK9OFZpvNeyKCit7gcSJQ=cR=KhHuv-LS3vf7AdxueA9Q@mail.gmail.com> (raw)
In-Reply-To: <CA+55aFzDFD6dnRvUFW93r3TGaV9LVw6bTSABvr7vv2jGZdBAjQ@mail.gmail.com>
On Fri, Nov 3, 2017 at 6:22 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Fri, Nov 3, 2017 at 5:42 PM, Kees Cook <keescook@chromium.org> wrote:
>>
>> If we didn't do the "but no more than 75% of _STK_LIM", and moved to
>> something like "check stack utilization after loading the binary", we
>> end up in the position where the kernel is past the point of no return
>> (so instead of E2BIG, the execve()ing process just SEGVs), which is
>> much harder to debug or recover from (i.e. there's no process left to
>> return from the execve() from).
>
> Yeah, we've had that problem in the past, and it's the worst of all worlds.
>
> You can still trigger it (set RLIMIT_DATA to something much too small,
> for example, and then generate more than that by just repeating the
> same argument multiple times so that the execve() user doesn't trigger
> the limit, but the newly executed process does).
>
> But it should really be something that you need to be truly insane to trigger.
>
> I think we still don't know whether we're going to be suid at the time
> we copy the arguments, do we?
We don't. (In fact, arg copying happens before we've even figured out
which binfmt is involved.) I lifted it to just before the point of no
return, but moving it before arg copying looks very hard (which
contributed to why we went with the implementation we did).
> So it's pretty painful to make the limits different for suid and
> non-suid binaries.
I would agree.
-Kees
--
Kees Cook
Pixel Security
next prev parent reply other threads:[~2017-11-04 1:37 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-01 23:34 Regression: commit da029c11e6b1 broke toybox xargs Rob Landley
2017-11-02 3:30 ` Kees Cook
[not found] ` <CA+55aFyw74DcPygS=SB0d-Fufz3j73zTVp2UXUUOUt4=1_He=Q@mail.gmail.com>
2017-11-02 15:40 ` Linus Torvalds
2017-11-03 23:58 ` Rob Landley
2017-11-04 0:03 ` [Toybox] " enh
2017-11-04 0:42 ` Kees Cook
2017-11-04 1:22 ` Linus Torvalds
2017-11-04 1:37 ` Kees Cook [this message]
2017-11-05 1:10 ` Rob Landley
2017-11-04 1:07 ` Linus Torvalds
2017-11-05 0:39 ` Rob Landley
2017-11-05 20:46 ` Linus Torvalds
2017-11-15 22:10 ` enh
2017-11-15 22:45 ` Linus Torvalds
2017-11-15 21:12 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGXu5jK9OFZpvNeyKCit7gcSJQ=cR=KhHuv-LS3vf7AdxueA9Q@mail.gmail.com' \
--to=keescook@chromium.org \
--cc=enh@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rob@landley.net \
--cc=torvalds@linux-foundation.org \
--cc=toybox@lists.landley.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.