Bug 194809
| Summary: | [PATCH] binfmts.h MAX_ARG_STRINGS excessive value allows heap spraying | | |
|---|---|---|---|
| Product: | Other | Reporter: | Leonard den Ottolander (bugzilla) |
| Component: | Other | Assignee: | other_other |
| Status: | NEW --- | | |
| Severity: | normal | | |
| Priority: | P1 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Kernel Version: | 4.10.1 and below | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | set MAX_ARG_STRINGS to 4096 to avoid heap spraying; Introduce MAX_ARG_STRSLEN to cap MAX_ARG_STRINGS * MAX_ARG_STRLEN to avoid heap spraying | | |
Description
Leonard den Ottolander
2017-03-07 14:39:13 UTC
Created attachment 255163 [details]
Introduce MAX_ARG_STRSLEN to cap MAX_ARG_STRINGS * MAX_ARG_STRLEN to avoid heap spraying
Consider the original patch an "emergency bandaid". These values allow me to build a kernel, but do not handle directories with more than MAX_ARG_STRINGS.
The problem here is that the multiplier of MAX_ARG_STRINGS and MAX_ARG_STRLEN may not be 2 ^ 32 - stacksize (roughly 4GiB) or heap spraying is possible on 32-bit systems.
Attached patch introduces a new value, MAX_ARG_STRSLEN, along the lines of MAX_ARG_PAGES. Keep this value (well) below 4GiB and it is now safe to increase both MAX_ARG_STRINGS and MAX_ARG_STRLEN beyond where their multiplier is 2 ^ 32.
Attached patch uses conservative values
#define MAX_ARG_STRSLEN 262144
#define MAX_ARG_STRLEN 65536
#define MAX_ARG_STRINGS 4096
that allow me to build a kernel on CentOS-7.
These values can now be safely increased though if a larger default is required. For example:
#define MAX_ARG_STRSLEN 4194304
#define MAX_ARG_STRLEN 131072
#define MAX_ARG_STRINGS 131072
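
The arithmetic behind the two value sets above, as an added example that is not the attached patch or kernel code: it computes the worst-case argument-string bytes with and without a cumulative cap and shows one way such a cap could be enforced. The struct, the function names and the assumption that MAX_ARG_STRSLEN is checked against a running total of string lengths (terminating NUL included) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limit names follow the report; total_cap == 0 models having no MAX_ARG_STRSLEN. */
struct arg_limits {
    uint64_t max_strings; /* MAX_ARG_STRINGS */
    uint64_t max_strlen;  /* MAX_ARG_STRLEN */
    uint64_t total_cap;   /* MAX_ARG_STRSLEN */
};

/* The two value sets quoted in the report. */
static const struct arg_limits conservative = { 4096, 65536, 262144 };
static const struct arg_limits larger = { 131072, 131072, 4194304 };

/* Upper bound on argument-string bytes a single exec can request. */
uint64_t worst_case_bytes(const struct arg_limits *l)
{
    uint64_t product = l->max_strings * l->max_strlen; /* 64-bit, so 2^32 and up is visible */
    return (l->total_cap && l->total_cap < product) ? l->total_cap : product;
}

/* Hypothetical accounting loop: 0 if argv passes every limit, -1 otherwise. */
int check_args(const struct arg_limits *l, const char *const *argv, size_t argc)
{
    uint64_t total = 0;
    if (argc > l->max_strings)
        return -1;
    for (size_t i = 0; i < argc; i++) {
        uint64_t len = strlen(argv[i]) + 1; /* include the terminating NUL */
        if (len > l->max_strlen)
            return -1;
        total += len;
        if (l->total_cap && total > l->total_cap)
            return -1; /* cumulative cap exceeded */
    }
    return 0;
}

int main(void)
{
    struct arg_limits uncapped = larger; /* constructed: same limits, cap removed */
    uncapped.total_cap = 0;
    printf("conservative: %llu bytes\n", (unsigned long long)worst_case_bytes(&conservative));
    printf("larger:       %llu bytes\n", (unsigned long long)worst_case_bytes(&larger));
    printf("uncapped:     %llu bytes (2^32 = 4294967296)\n",
           (unsigned long long)worst_case_bytes(&uncapped));
    return 0;
}
```

With the cap removed, the larger value set bounds the total at 131072 * 131072 = 2^34 bytes, which is past the 32-bit address space; with the cap in place the bound is the cap itself.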