oss-sec mailing list archives
[PATCH] exec argument expansion can inappropriately trigger OOM-killer
From: Kees Cook <kees.cook () canonical com>
Date: Fri, 27 Aug 2010 15:02:58 -0700
Brad Spengler published a local memory-allocation DoS that evades the OOM-killer (though not the virtual memory RLIMIT):
http://www.grsecurity.net/~spender/64bit_dos.c

The recent changes to create a stack guard page help slightly to discourage this attack, but it is not sufficient. Compiling it statically moves the libraries out of the way, allowing the stack VMA to fill the entire TASK_SIZE.

There are two issues:
1) the OOM killer doesn't notice this argv memory explosion
2) the argv expansion does not check if rlim[RLIMIT_STACK].rlim_cur is -1.

I figure a quick solution for #2 would be the following patch. However, running multiple copies of this program could result in similar OOM behavior, so issue #1 still needs a solution.

Reported-by: Brad Spengler <spender () grsecurity net>
Signed-off-by: Kees Cook <kees.cook () canonical com>
--- fs/exec.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index dab85ec..be40063 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -194,7 +194,8 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, * to work from. */ rlim = current->signal->rlim; - if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) { + if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4 || + size > TASK_SIZE / 4) { put_page(page); return NULL; } -- 1.7.1
--
Kees Cook
Ubuntu Security Team
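
Review bot: The added `size > TASK_SIZE / 4` comparison in get_arg_page() is undocumented: the comment ending "to work from." directly above it is left unchanged, so nothing in the code says that this second bound exists to cover the case where rlim[RLIMIT_STACK].rlim_cur is -1 and the first comparison can never trigger. Extending that comment with one sentence on the unlimited-rlimit case would help, and computing a single limit as the smaller of `rlim_cur / 4` and `TASK_SIZE / 4` before one `size >` test would state the intent more directly than two chained comparisons. The new bound is a fraction of address space rather than of available memory, so, as the description itself says, it addresses only issue #2, and the changelog should keep issue #1 marked as still open.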