exec: Limit arg stack to at most 75% of _STK_LIM

commit da029c11e6b12f321f36dac8771e833b65cec962 upstream. To avoid pathological stack usage or the need to special-case setuid execs, just limit all arg stack usage to at most 75% of _STK_LIM (6MB). Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> [bwh: Backported to 3.16: replaced code is slightly different] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> CVE-2018-14634 Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org> Change-Id: If678301ef4bfa8f7d54716a222768ee80330b3aa
2017-07-07 11:57:29 -07:00 · 2017-07-07 11:57:29 -07:00 · dd8e1fcf8a
parent da7f770c1a
commit dd8e1fcf8a
1 changed files with 6 additions and 5 deletions
--- a/fs/exec.c
+++ b/fs/exec.c
@ -207,8 +207,7 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,

 	if (write) {
 		unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
-		unsigned long ptr_size;
-		struct rlimit *rlim;
+		unsigned long ptr_size, limit;

 		/*
 		 * Since the stack will hold pointers to the strings, we
@ -237,14 +236,16 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
 			return page;

 		/*
-		 * Limit to 1/4-th the stack size for the argv+env strings.
+		 * Limit to 1/4 of the max stack size or 3/4 of _STK_LIM
+		 * (whichever is smaller) for the argv+env strings.
 		 * This ensures that:
 		 *  - the remaining binfmt code will not run out of stack space,
 		 *  - the program will have a reasonable amount of stack left
 		 *    to work from.
 		 */
-		rlim = current->signal->rlim;
-		if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4)
+		limit = _STK_LIM / 4 * 3;
+		limit = min(limit, rlimit(RLIMIT_STACK) / 4);
+		if (size > limit)
 			goto fail;
 	}