From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752696AbdGHCqK (ORCPT <rfc822;w@1wt.eu>);
        Fri, 7 Jul 2017 22:46:10 -0400
Received: from mail-it0-f41.google.com ([209.85.214.41]:35478 "EHLO
        mail-it0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752637AbdGHCqJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 7 Jul 2017 22:46:09 -0400
MIME-Version: 1.0
In-Reply-To: <CA+55aFwJmJnv2T=WR5N2jgAJgQbwsxc=YH7YKLfXyH5KgppbCA@mail.gmail.com>
References: <20170707185729.GA70967@beast> <CA+55aFwJmJnv2T=WR5N2jgAJgQbwsxc=YH7YKLfXyH5KgppbCA@mail.gmail.com>
From: Kees Cook <keescook@chromium.org>
Date: Fri, 7 Jul 2017 19:46:07 -0700
X-Google-Sender-Auth: ljAnt3gky5uLenSMEl5os7DDmm4
Message-ID: <CAGXu5jKus0xd_6U6r_ebBmLdz8KR==i+wdt-7iMnwOX8c-S2ww@mail.gmail.com>
Subject: Re: [PATCH] exec: Limit arg stack to at most _STK_LIM / 4 * 3
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>,
        "Eric W. Biederman" <ebiederm@xmission.com>,
        Michal Hocko <mhocko@kernel.org>, Ben Hutchings <ben@decadent.org.uk>,
        Hugh Dickins <hughd@google.com>, Oleg Nesterov <oleg@redhat.com>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>, Rik van Riel <riel@redhat.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jul 7, 2017 at 3:24 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Fri, Jul 7, 2017 at 11:57 AM, Kees Cook <keescook@chromium.org> wrote:
>> To avoid pathological stack usage or the need to special-case setuid
>> execs, just limit all arg stack usage to at most _STK_LIM / 4 * 3 (6MB).
>
> Ok, this I think I should just apply, but would prefer to avoid
> multi-line complex conditionals around things like this.
>
> So how about the attached slightly edited version instead?
>
> I didn't test it (and I'm not really committing it until I get an ack
> or two), but it seemed all ObviouslyCorrect(tm). FamousLastWords(tm).
>
> Comments?

That works for me, thanks. Testing showed the same sane results:

$ ulimit -s 32768
$ ./args
Detected max args size near: 6291023 bytes
$ ulimit -s 24576
$ ./args
Detected max args size near: 6291022 bytes
$ ulimit -s 20480
$ ./args
Detected max args size near: 5242448 bytes
$ ulimit -s 16384
$ ./args
Detected max args size near: 4193871 bytes
$ ulimit -s 8192
$ ./args
Detected max args size near: 2096719 bytes
$ ulimit -s 4096
$ ./args
Detected max args size near: 1048143 bytes

-Kees

-- 
Kees Cook
Pixel Security