authorJiri Kosina <jkosina@suse.cz>2018-09-19 23:51:50 +0200
committerJiri Kosina <jkosina@suse.cz>2018-09-19 23:51:50 +0200
commitf3b9d2dfddd82f6810affaa1c61990b6c2e1b60d (patch)
treef71d7486153ff550498028390ccf72882e337e00
parent05ad04ff09c316b97edb1abac9389c333e137635 (diff)
parent1a45952c8c2db479b034b46b97d40e77a52ff057 (diff)
Merge remote-tracking branch 'origin/users/mhocko/cve/linux-3.0/for-next_EMBARGO' into users/jkosina/SLE11-SP4/for-next_EMBARGO
-rw-r--r--patches.fixes/exec-Limit-arg-stack-to-at-most-75-of-_STK_LIM.patch51
-rw-r--r--series.conf1
2 files changed, 52 insertions, 0 deletions
diff --git a/patches.fixes/exec-Limit-arg-stack-to-at-most-75-of-_STK_LIM.patch b/patches.fixes/exec-Limit-arg-stack-to-at-most-75-of-_STK_LIM.patch
new file mode 100644
index 0000000000..e6d0218bbe
--- /dev/null
+++ b/patches.fixes/exec-Limit-arg-stack-to-at-most-75-of-_STK_LIM.patch
@@ -0,0 +1,51 @@
+From da029c11e6b12f321f36dac8771e833b65cec962 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 7 Jul 2017 11:57:29 -0700
+Subject: [PATCH] exec: Limit arg stack to at most 75% of _STK_LIM
+Git-commit: da029c11e6b12f321f36dac8771e833b65cec962
+Patch-mainline: v4.13-rc1
+References: bnc#1108912, CVE-2018-14634
+
+To avoid pathological stack usage or the need to special-case setuid
+execs, just limit all arg stack usage to at most 75% of _STK_LIM (6MB).
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+
+---
+ fs/exec.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -199,8 +199,7 @@ static struct page *get_arg_page(struct
+
+ if (write) {
+ unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start;
+- unsigned long ptr_size;
+- struct rlimit *rlim;
++ unsigned long ptr_size, limit;
+
+ /*
+ * Since the stack will hold pointers to the strings, we
+@@ -229,14 +228,16 @@ static struct page *get_arg_page(struct
+ return page;
+
+ /*
+- * Limit to 1/4-th the stack size for the argv+env strings.
++ * Limit to 1/4 of the max stack size or 3/4 of _STK_LIM
++ * (whichever is smaller) for the argv+env strings.
+ * This ensures that:
+ * - the remaining binfmt code will not run out of stack space,
+ * - the program will have a reasonable amount of stack left
+ * to work from.
+ */
+- rlim = current->signal->rlim;
+- if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4)
++ limit = _STK_LIM / 4 * 3;
++ limit = min(limit, rlimit(RLIMIT_STACK) / 4);
++ if (size > limit)
+ goto fail;
+ }
+
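Review bot: The rewritten comment above `limit = _STK_LIM / 4 * 3;` says "1/4 of the max stack size", but the value compared is the current soft limit: the removed line read `rlim_cur`, and `rlimit(RLIMIT_STACK)` presumably returns the same field, so "max" reads as if the hard limit were meant. The comment also does not say why the `_STK_LIM` term exists: it is the only part of the bound that does not follow the caller's RLIMIT_STACK setting, which is what lets the check cover setuid execs without a special case, as the commit message puts it. I would word it as `Limit to 1/4 of the current RLIMIT_STACK soft limit or 3/4 of _STK_LIM (whichever is smaller); the _STK_LIM term is a fixed cap independent of the caller's rlimit.` The patch header lists CVE-2018-14634 under References while the description never states how the cap relates to it, so a one-sentence rationale there would help whoever audits this backport later. get_arg_page() starts and ends outside both inner hunks, so the ptr_size accounting that feeds `size` cannot be checked from this page.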
diff --git a/series.conf b/series.conf
index 7a2c4405b7..ec0bed9ad2 100644
--- a/series.conf
+++ b/series.conf
@@ -2092,6 +2092,7 @@
patches.fixes/mm-mmap.c-do-not-blow-on-PROT_NONE-MAP_FIXED-holes-i.patch
patches.fixes/fs-exec.c-account-for-argv-envp-pointers.patch
+ patches.fixes/exec-Limit-arg-stack-to-at-most-75-of-_STK_LIM.patch
patches.fixes/sanitize-move_pages-permission-checks.patch