Re: [PATCH] exec: Limit arg stack to at most _STK_LIM / 4 * 3

From: Kees Cook
Date: Mon Jul 10 2017 - 11:40:05 EST

Next message: Ben Guthro: "Re: Potential scheduler regression"
Previous message: Geert Uytterhoeven: "Re: [PATCH] dpaa_eth: use correct device for DMA mapping API"
In reply to: Michal Hocko: "Re: [PATCH] exec: Limit arg stack to at most _STK_LIM / 4 * 3"
Next in thread: Michal Hocko: "Re: [PATCH] exec: Limit arg stack to at most _STK_LIM / 4 * 3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jul 10, 2017 at 6:13 AM, Michal Hocko <mhocko@xxxxxxxxxx> wrote:
> I am not sure whether this is still actual because there are just too
> many pathes flying around these days. I am still trying to catch up...

Linus applied this one, yes.

>
> On Fri 07-07-17 11:57:29, Kees Cook wrote:
>> To avoid pathological stack usage or the need to special-case setuid
>> execs, just limit all arg stack usage to at most _STK_LIM / 4 * 3 (6MB).
>
> I am worried that we've grown users which rely on a large argument
> lists and now we are pulling more magic constants into the game. This
> just calls for another breakage.

I think it would be best to only apply this to setuid processes, but
Linus asked that this change be universal. After my secureexec
refactoring, I think it should be possible to add a "how much stack
has already been used?" check in setup_new_exec() and abort the
privileged exec if it exceeds the secureexec stack limit.

> I think we should simply step back and think about what we want to fix
> here actually. If this is the pathological case when the attacker can
> grow the stack too large and too close to a regular mappings then we
> already have means to address that (stack gap).

I think Linus's intention is to back off from the stack gap, but maybe
I misunderstood.

> If we are worried that mmaps can get way too close to the stack then
> I would question why this is possible at all. Bottom-up layout will
> require consuming mmap space and top-down layout seems just broken
> because we do not try to offset the mmap_base relative to the stack and
> rather calculate both from TASK_SIZE. Or at least this is my current
> undestanding. Am I missing something? Aren't we just trying to fix a bug
> at a wrong place?

With a variable stack limit, we'll continue to run risks of
gap-jumping if the compiler isn't doing stack probing, so while we
might be able to further improve the layout logic, I think we still
need to impose limits on setuid programs.

-Kees

--
Kees Cook
Pixel Security

Next message: Ben Guthro: "Re: Potential scheduler regression"
Previous message: Geert Uytterhoeven: "Re: [PATCH] dpaa_eth: use correct device for DMA mapping API"
In reply to: Michal Hocko: "Re: [PATCH] exec: Limit arg stack to at most _STK_LIM / 4 * 3"
Next in thread: Michal Hocko: "Re: [PATCH] exec: Limit arg stack to at most _STK_LIM / 4 * 3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]