Re: Proper /proc/pid/cmdline behavior when command line is corrupt?

From: Jan Engelhardt
Date: Fri Sep 08 2006 - 16:02:53 EST

Next message: Siddha, Suresh B: "Re: [PATCH] Fix longstanding load balancing bug in the scheduler."
Previous message: Matthew Garrett: "Re: patch [0/2]: acpi: add generic removable drive bay support"
In reply to: Edward Falk: "Re: Proper /proc/pid/cmdline behavior when command line is corrupt?"
Next in thread: Edward Falk: "Re: Proper /proc/pid/cmdline behavior when command line is corrupt?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Edward,

>>> that the environment buffer is assumed to immediately follow the
>>> command line buffer.
>>
>> The environment buffer is not assumed to be there, it is _known_ to
>> come right after the argument string, because that is how the kernel
>> sets it up on execve (for x86 at least).
>
> Is that in a spec somewhere?

http://www.x86-64.org/documentation/abi.pdf#search=%22argv%20envp%20x86%20ABI%22
page 29 figure 3.9 lists the data block in question as "Information
block, including argument strings, environment strings, auxiliary
information", but does not specify it further, like how it is laid out.

What it does mention is "argument pointers" (aka argv[N]) and their
exact position. In fact, right below the figure is the explanation:
"Argument strings, environment strings, and the auxiliary information
appear in no specific order within the information block and they need
not be compactly allocated."

What this means: we are guaranteed that argv[N] is valid, but that not
that the memory range [&argv[0][0] .. &argv[X][Y]] is contiguous. In
fact, if the argument string was not contiguous, but, let's say, have a
map hole, using setproctitle() will inevidently lead to a SIGSEGV.
Probably that is the reason why Linux/glibc do not come with a
setproctitle(3) function. I have taken a look at sendmail, which ships
its own setproctitle (for this very reason), and a source code comment
says it will only use contiguous argv pointers, but I have not looked
at it more closely.

> Otherwise, I would argue that it isn't _known_ to come right after
> the argument string, it just _happens_ to come right after the
> argument string. This could change in future kernels.

Yes you are right. It may happen that the argument strings come _after_
the environment. Or something even different. In practice that would
mean that writing over the end of the argument string will write into
other vital structures, possibly crashing the userspace program. Or if
not that, it will display garbage in the command line.

What that means for your future patch:

The way how the arg and env strings are laid out are, as far as I can
tell, defined in fs/binfmt_elf.c:create_elf_tables(). And
proc_pid_cmdline() depends on this layout, yes. However, since the
layout is not used anywhere outside the kernel (so says the PDF), there
should not be a problem. If you modify the layout, make sure it is
consistent within the kernel. It is unspecified for userspace, and a
user program accessing this area nonetheless is doing so at its own risk.

Hope this helps.

Regards,
Jan Engelhardt
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Siddha, Suresh B: "Re: [PATCH] Fix longstanding load balancing bug in the scheduler."
Previous message: Matthew Garrett: "Re: patch [0/2]: acpi: add generic removable drive bay support"
In reply to: Edward Falk: "Re: Proper /proc/pid/cmdline behavior when command line is corrupt?"
Next in thread: Edward Falk: "Re: Proper /proc/pid/cmdline behavior when command line is corrupt?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]