linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <keescook@chromium.org>
To: P J P <ppandit@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
	linux-kernel@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>,
	Josh Triplett <josh@joshtriplett.org>,
	Serge Hallyn <serge.hallyn@canonical.com>,
	linux-fsdevel@vger.kernel.org, halfdog <me@halfdog.net>
Subject: Re: [PATCH] exec: do not leave bprm->interp on stack
Date: Sun, 18 Nov 2012 11:34:48 -0800	[thread overview]
Message-ID: <CAGXu5jJ4ZuviFMQcFocLWfcMreZSt4kCHFNm-PNW+yuy+v+FiQ@mail.gmail.com> (raw)
In-Reply-To: <alpine.LFD.2.02.1211182211350.5012@wniryva.cad.erqung.pbz>

On Sun, Nov 18, 2012 at 11:04 AM, P J P <ppandit@redhat.com> wrote:
> +-- On Fri, 16 Nov 2012, Kees Cook wrote --+
> | Hrm? It should be showing only the live heap-allocated interp -- are
> | you seeing uninitialized contents?
>
>  I don't see uninitialised content; I see interpreter names from previous
> iterations. Which was the case earlier as well. The - interp - array is
> initialised with the interpreter name, before being assigned to bprm->interp.
>
> These - interp - bytes are *leaked* because after 4 recursions, when
> load_script returns -ENOEXEC, - bprm->interp - becomes invalid for it starts
> pointing to an invalid stack memory location.
>
> Crux of the problem is in the fact that the recursion limit -
> BINPRM_MAX_RECURSION(4) - exceeds after ones been rightly adhered to.
>
>         (bprm->recursion_depth > BINPRM_MAX_RECURSION))
>                 return -ENOEXEC;
>
> This check fails due to specific condition, which still exists.
>
> Dynamically allocating memory fixes the leak by making the memory area live
> and valid.

Right. There are two problems. This fixes the first, which is the
memory content leak.

> It does not fix the problem which caused the leak in the first place by
> exceeding the BINPRM_MAX_RECURSION, not by 1 or 2 but possible 2^6
> recursions. Isn't that performance hit?

This is the second problem. I view this as less critical because it's
only 64 instead of 4, but it certainly should be solved as well.

-Kees

-- 
Kees Cook
Chrome OS Security

  reply	other threads:[~2012-11-18 19:34 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-10-24 23:20 [PATCH] exec: do not leave bprm->interp on stack Kees Cook
2012-10-25  4:16 ` Al Viro
2012-10-25  6:21   ` Kees Cook
2012-10-25 11:46     ` P J P
2012-10-25 12:03       ` Tetsuo Handa
2012-10-25 12:57         ` P J P
2012-10-25 12:09       ` Al Viro
2012-10-25 12:38         ` Al Viro
2012-10-26 17:38           ` P J P
2012-10-26 18:36             ` Al Viro
2012-10-27 10:47               ` P J P
2012-10-27 17:05                 ` Kees Cook
2012-10-27 20:16                   ` P J P
2012-10-28  3:32                     ` Kees Cook
2012-11-06  8:10                       ` P J P
2012-11-12 22:10                         ` Kees Cook
2012-11-13  6:50                           ` halfdog
2012-11-16 12:50                           ` P J P
2012-11-16 18:00                             ` Kees Cook
2012-11-18 19:04                               ` P J P
2012-11-18 19:34                                 ` Kees Cook [this message]
2012-11-19  6:57                                   ` P J P
2012-11-19 20:41                                     ` Kees Cook
2012-11-20  7:04                                       ` P J P
2012-11-22 20:06                                       ` P J P
2012-11-23 18:43                                       ` P J P
2012-11-23 23:12                                         ` Tetsuo Handa
     [not found]                                       ` <alpine.LFD.2.02.1211221934220.19768@wniryva.cad.erqung.pbz>
     [not found]                                         ` <CAGXu5jL8zCt5ghW4ODPL9+SyC9+mbuw=4JMUngepY5fC8pSikQ@mail.gmail.com>
2012-11-26  7:09                                           ` P J P
     [not found]                                     ` <CA+55aFx3LFH5Xj1OkNoy7vN5w8y5tH39MUDujKqF3BdnmYibLQ@mail.gmail.com>
2012-11-20  7:08                                       ` P J P

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAGXu5jJ4ZuviFMQcFocLWfcMreZSt4kCHFNm-PNW+yuy+v+FiQ@mail.gmail.com \
    --to=keescook@chromium.org \
    --cc=akpm@linux-foundation.org \
    --cc=josh@joshtriplett.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=me@halfdog.net \
    --cc=ppandit@redhat.com \
    --cc=serge.hallyn@canonical.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).