Fw: [kernel/f14/master] Fix DOS with large argument lists.
Chuck Ebbert
cebbert at redhat.com
Wed Sep 15 12:04:49 UTC 2010
Begin forwarded message:
Date: Wed, 15 Sep 2010 01:06:16 +0000 (UTC)
From: Chuck Ebbert <cebbert at fedoraproject.org>
To: kernel-owner at fedoraproject.org, scm-commits at lists.fedoraproject.org
Subject: [kernel/f14/master] Fix DOS with large argument lists.
commit 14525abb6daa564fd076a6a111e05dada9bc442b
Author: Chuck Ebbert <cebbert at redhat.com>
Date: Tue Sep 14 21:05:09 2010 -0400
Fix DOS with large argument lists.
...mprove-interactivity-with-large-arguments.patch | 36 ++++++++++++++
...esponsive-to-sigkill-with-large-arguments.patch | 51 ++++++++++++++++++++
kernel.spec | 18 ++++++-
...rg_pages-diagnose-excessive-argument-size.patch | 42 ++++++++++++++++
4 files changed, 145 insertions(+), 2 deletions(-)
---
diff --git a/execve-improve-interactivity-with-large-arguments.patch b/execve-improve-interactivity-with-large-arguments.patch
new file mode 100644
index 0000000..7908e6c
--- /dev/null
+++ b/execve-improve-interactivity-with-large-arguments.patch
@@ -0,0 +1,36 @@
+From: Roland McGrath <roland at redhat.com>
+Date: Wed, 8 Sep 2010 02:36:28 +0000 (-0700)
+Subject: execve: improve interactivity with large arguments
+X-Git-Tag: v2.6.36-rc4~13
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=7993bc1f4663c0db67bb8f0d98e6678145b387cd
+
+execve: improve interactivity with large arguments
+
+This adds a preemption point during the copying of the argument and
+environment strings for execve, in copy_strings(). There is already
+a preemption point in the count() loop, so this doesn't add any new
+points in the abstract sense.
+
+When the total argument+environment strings are very large, the time
+spent copying them can be much more than a normal user time slice.
+So this change improves the interactivity of the rest of the system
+when one process is doing an execve with very large arguments.
+
+Signed-off-by: Roland McGrath <roland at redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 1b63237..6f2d777 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -419,6 +419,8 @@ static int copy_strings(int argc, const char __user *const __user *argv,
+ while (len > 0) {
+ int offset, bytes_to_copy;
+
++ cond_resched();
++
+ offset = pos % PAGE_SIZE;
+ if (offset == 0)
+ offset = PAGE_SIZE;
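Review bot: as rendered here, the embedded patch's context and `+` lines (`+ while (len > 0) {`, `++ cond_resched();`) have lost the leading tabs of fs/exec.c; if that whitespace is missing in the committed file rather than only in the list archive, `patch` will reject the hunk at `ApplyPatch` time, so check that the stored file still carries the original indentation. The change itself is a single `cond_resched()` at the top of the per-page copy loop, which is the cheapest possible preemption point and mirrors the one already in `count()`, so no objection to the code.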
diff --git a/execve-make-responsive-to-sigkill-with-large-arguments.patch b/execve-make-responsive-to-sigkill-with-large-arguments.patch
new file mode 100644
index 0000000..a9e531a
--- /dev/null
+++ b/execve-make-responsive-to-sigkill-with-large-arguments.patch
@@ -0,0 +1,51 @@
+From: Roland McGrath <roland at redhat.com>
+Date: Wed, 8 Sep 2010 02:37:06 +0000 (-0700)
+Subject: execve: make responsive to SIGKILL with large arguments
+X-Git-Tag: v2.6.36-rc4~12
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9aea5a65aa7a1af9a4236dfaeb0088f1624f9919
+
+execve: make responsive to SIGKILL with large arguments
+
+An execve with a very large total of argument/environment strings
+can take a really long time in the execve system call. It runs
+uninterruptibly to count and copy all the strings. This change
+makes it abort the exec quickly if sent a SIGKILL.
+
+Note that this is the conservative change, to interrupt only for
+SIGKILL, by using fatal_signal_pending(). It would be perfectly
+correct semantics to let any signal interrupt the string-copying in
+execve, i.e. use signal_pending() instead of fatal_signal_pending().
+We'll save that change for later, since it could have user-visible
+consequences, such as having a timer set too quickly make it so that
+an execve can never complete, though it always happened to work before.
+
+Signed-off-by: Roland McGrath <roland at redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 6f2d777..828dd24 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -376,6 +376,9 @@ static int count(const char __user * const __user * argv, int max)
+ argv++;
+ if (i++ >= max)
+ return -E2BIG;
++
++ if (fatal_signal_pending(current))
++ return -ERESTARTNOHAND;
+ cond_resched();
+ }
+ }
+@@ -419,6 +422,10 @@ static int copy_strings(int argc, const char __user *const __user *argv,
+ while (len > 0) {
+ int offset, bytes_to_copy;
+
++ if (fatal_signal_pending(current)) {
++ ret = -ERESTARTNOHAND;
++ goto out;
++ }
+ cond_resched();
+
+ offset = pos % PAGE_SIZE;
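Review bot: `-ERESTARTNOHAND` is only returned when `fatal_signal_pending(current)` is true, so the errno never reaches userspace (the task dies on the way back), but a one-line comment at the `goto out` in `copy_strings()` saying so would save the next reader from asking why a non-restartable exec returns a restart code. Note also that the `index 6f2d777..828dd24` line starts from the post-image of execve-improve-interactivity-with-large-arguments.patch, so this patch must be applied after it, as the spec ordering does.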
diff --git a/kernel.spec b/kernel.spec
index 1c0201b..b93fcf1 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -734,6 +734,11 @@ Patch12090: dell-wmi-add-support-for-eject-key-studio-1555.patch
Patch12517: flexcop-fix-xlate_proc_name-warning.patch
+# mitigate DOS attack with large argument lists
+Patch12520: execve-improve-interactivity-with-large-arguments.patch
+Patch12521: execve-make-responsive-to-sigkill-with-large-arguments.patch
+Patch12522: setup_arg_pages-diagnose-excessive-argument-size.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
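Review bot: the comment `# mitigate DOS attack with large argument lists` carries no bugzilla or CVE reference, while neighbouring entries in this spec do (e.g. `# bz #575873` at the ApplyPatch site); add the tracking id once one is assigned so the three patches can be dropped together when the fix arrives in a stable update.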
@@ -1357,6 +1362,12 @@ ApplyPatch dell-wmi-add-support-for-eject-key-studio-1555.patch
# bz #575873
ApplyPatch flexcop-fix-xlate_proc_name-warning.patch
+
+# mitigate DOS attack with large argument lists
+ApplyPatch execve-improve-interactivity-with-large-arguments.patch
+ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
+ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
+
# END OF PATCH APPLICATIONS
%endif
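Review bot: the ApplyPatch order applies setup_arg_pages-diagnose-excessive-argument-size.patch last, but its embedded `index 2d94552..1b63237` line shows it is the first of the three upstream (the interactivity patch's pre-image is 1b63237). The hunks touch different regions of fs/exec.c, so this still applies with a line offset, but reordering to setup_arg_pages, interactivity, sigkill would match the upstream series exactly and not depend on offset matching.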
@@ -1943,10 +1954,13 @@ fi
# and build.
%changelog
-* Tue Sep 14 2010 Kyle McMartin <kyle at redhat.com> 2.6.35.4-28
+* Tue Sep 14 2010 Chuck Ebbert <cebbert at redhat.com> 2.6.35.4-28
+- Fix DOS with large argument lists.
+
+* Tue Sep 14 2010 Kyle McMartin <kyle at redhat.com>
- x86_64: plug compat syscalls holes. (CVE-2010-3081, CVE-2010-3301)
upgrading is highly recommended.
-- aio: check for multiplication overflow in do_io_submit.
+- aio: check for multiplication overflow in do_io_submit. (CVE-2010-3067)
* Mon Sep 13 2010 Chuck Ebbert <cebbert at redhat.com>
- Add support for perl and python scripting to perf (#632942)
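Review bot: the new changelog line `- Fix DOS with large argument lists.` cites no CVE or bugzilla id, while the adjacent entries in this same hunk do (CVE-2010-3081, CVE-2010-3301, CVE-2010-3067); add the reference if one exists so advisory tooling that scans the changelog picks it up. Moving the `2.6.35.4-28` release tag from Kyle McMartin's entry to the new top entry follows the spec's one-tagged-entry-per-build convention, but since it rewrites an existing changelog line it is worth a sentence in the commit message.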
diff --git a/setup_arg_pages-diagnose-excessive-argument-size.patch b/setup_arg_pages-diagnose-excessive-argument-size.patch
new file mode 100644
index 0000000..ead972a
--- /dev/null
+++ b/setup_arg_pages-diagnose-excessive-argument-size.patch
@@ -0,0 +1,42 @@
+From: Roland McGrath <roland at redhat.com>
+Date: Wed, 8 Sep 2010 02:35:49 +0000 (-0700)
+Subject: setup_arg_pages: diagnose excessive argument size
+X-Git-Tag: v2.6.36-rc4~14
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1b528181b2ffa14721fb28ad1bd539fe1732c583
+
+setup_arg_pages: diagnose excessive argument size
+
+The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
+check the size of the argument/environment area on the stack.
+When it is unworkably large, shift_arg_pages() hits its BUG_ON.
+This is exploitable with a very large RLIMIT_STACK limit, to
+create a crash pretty easily.
+
+Check that the initial stack is not too large to make it possible
+to map in any executable. We're not checking that the actual
+executable (or intepreter, for binfmt_elf) will fit. So those
+mappings might clobber part of the initial stack mapping. But
+that is just userland lossage that userland made happen, not a
+kernel problem.
+
+Signed-off-by: Roland McGrath <roland at redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro at jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 2d94552..1b63237 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -594,6 +594,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ #else
+ stack_top = arch_align_stack(stack_top);
+ stack_top = PAGE_ALIGN(stack_top);
++
++ if (unlikely(stack_top < mmap_min_addr) ||
++ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
++ return -ENOMEM;
++
+ stack_shift = vma->vm_end - stack_top;
+
+ bprm->p -= stack_shift;
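Review bot: the guard is placed in the `#else` branch only, which matches the description that only the grow-down variant of `setup_arg_pages()` lacked a size check, and it returns `-ENOMEM` before `stack_shift` is computed so the `BUG_ON` in `shift_arg_pages()` cannot be reached from this path; confirm that the `CONFIG_STACK_GROWSUP` branch above the hunk already bounds the argument area, since the hunk does not show it. Of the three, this is the patch that actually removes the crash (the other two only improve responsiveness), so if the series ever has to be trimmed, this one must stay. The carried upstream commit message has a typo (`intepreter`); leave it, since it is upstream text reproduced verbatim.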