oss-sec mailing list archives
Re: [PATCH 2/2] execve: check the VM has enough memory at first
From: Linus Torvalds <torvalds () linux-foundation org>
Date: Thu, 16 Sep 2010 08:01:30 -0700
2010/9/15 KOSAKI Motohiro <kosaki.motohiro () jp fujitsu com>:
> Briefly said, introducing a new limit has a bad benefit/risk balance. Sadly.
Well, I mostly agree. That said, I do think we could extend the limiter some ways. For example, I think the "stack limit / 4" is perfectly sane, but it would make total sense to perhaps also take into account the AS and RSS limits.

And I do think that your attempt to use __vm_enough_memory() was good. It happens to be coded in a way that makes it useless for a one-pass model, and some of what it does would be too expensive to do up-front when you can't short-circuit it, but I do think that it would probably be appropriate to at least try to take the _rough_ code there and use it as a limit for maximum stack size too.

For example, we could have a function somewhat like

unsigned long max_stack_size(void)
{
        unsigned long allowed, used, limit;

        switch (sysctl_overcommit_memory) {
        case OVERCOMMIT_ALWAYS:
                allowed = ULONG_MAX;
                break;
        case OVERCOMMIT_GUESS:
                .. maybe we can come up with some upper bound here too ..
                break;
        default:
                allowed = (totalram_pages - hugetlb_total_pages()) * sysctl_overcommit_ratio / 100;
                if (!cap_sys_admin)
                        allowed -= allowed / 32;
                allowed += total_swap_pages;

                /*
                 * Don't let a single process grow too big:
                 * leave 3% of the size of this process for other processes
                 */
                if (mm)
                        allowed -= mm->total_vm / 32;

                /* What is already committed to? */
                used = percpu_counter_read_positive(&vm_committed_as);
                if (used > allowed)
                        return 0;
                allowed -= used;
                break;
        }

        limit = ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4;
        if (allowed > limit)
                allowed = limit;
        return allowed;
}

which we'd call once at the beginning of the execve(), and then remember that result and use it instead of the current 'rlimit/4' value.

Now, admittedly the OVERCOMMIT_GUESS case is the interesting one, and the one that is hard to write efficiently. But maybe we could make 'nr_free_pages()' cheap enough that doing that whole OVERCOMMIT_GUESS "approximate free pages" thing from __vm_enough_memory would work out too?

I dunno. It doesn't look hopeless.

Linus
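The following is an added user-space model of the limiter sketched above; it is not Linus's code, not a kernel patch, and not part of the thread. It takes the global and per-process state the kernel function would read as a constructed struct (a hypothetical `struct vm_state`, with the `OVERCOMMIT_GUESS` case filled in by the free page count, which the sketch deliberately leaves open), converts the page-based overcommit headroom to bytes so it can be compared with `RLIMIT_STACK / 4`, and shows how a one-pass argument copy would consume the budget computed once at execve() entry instead of re-evaluating the VM state per page. Its purpose is to let a reader see what budget an unlimited stack rlimit actually leaves under each overcommit mode.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Mirrors the kernel's sysctl_overcommit_memory values. */
enum { OVERCOMMIT_GUESS = 0, OVERCOMMIT_ALWAYS = 1, OVERCOMMIT_NEVER = 2 };

#define PAGE_SIZE 4096UL

/* Constructed snapshot of the state the kernel function would read
 * (hypothetical struct for this model, not a kernel type). */
struct vm_state {
    int overcommit_memory;
    unsigned long overcommit_ratio;   /* sysctl_overcommit_ratio, percent */
    unsigned long totalram_pages;
    unsigned long hugetlb_pages;      /* hugetlb_total_pages() */
    unsigned long total_swap_pages;
    unsigned long committed_as;       /* vm_committed_as, in pages */
    unsigned long free_pages;         /* nr_free_pages(), GUESS case only */
    unsigned long mm_total_vm;        /* current->mm->total_vm, 0 if no mm */
    bool cap_sys_admin;
    unsigned long rlimit_stack;       /* RLIMIT_STACK soft limit in bytes */
};

/* Convert a page count to bytes, saturating instead of wrapping. */
static unsigned long pages_to_bytes(unsigned long pages)
{
    if (pages > ULONG_MAX / PAGE_SIZE)
        return ULONG_MAX;
    return pages * PAGE_SIZE;
}

/* Byte budget for argv/envp, computed once at the start of execve():
 * the overcommit-derived headroom, capped by RLIMIT_STACK / 4. */
unsigned long max_stack_size(const struct vm_state *s)
{
    unsigned long allowed, used, limit;

    switch (s->overcommit_memory) {
    case OVERCOMMIT_ALWAYS:
        allowed = ULONG_MAX;              /* only the rlimit cap applies */
        break;
    case OVERCOMMIT_GUESS:
        /* Assumption of this model: the sketch leaves this case open, so
         * the current free page count serves as a crude upper bound. */
        allowed = pages_to_bytes(s->free_pages);
        break;
    default:                              /* OVERCOMMIT_NEVER */
        allowed = (s->totalram_pages - s->hugetlb_pages) * s->overcommit_ratio / 100;
        if (!s->cap_sys_admin)
            allowed -= allowed / 32;      /* keep 3% back for root */
        allowed += s->total_swap_pages;
        /* Leave 3% of this process's own size for other processes. */
        if (s->mm_total_vm)
            allowed -= s->mm_total_vm / 32;
        used = s->committed_as;           /* what is already committed to */
        if (used > allowed)
            return 0;
        allowed = pages_to_bytes(allowed - used);
        break;
    }

    limit = s->rlimit_stack / 4;
    if (allowed > limit)
        allowed = limit;
    return allowed;
}

/* One-pass check as the argument copy would apply it: the caller keeps a
 * running total of bytes copied and stops (E2BIG) once the next chunk would
 * cross the budget fixed up front. Returns true if the chunk still fits. */
bool arg_chunk_fits(unsigned long budget, unsigned long copied, unsigned long chunk)
{
    return chunk <= budget && copied <= budget - chunk;
}

int main(void)
{
    /* Constructed box: 1 GiB RAM, no swap, ratio 50, 400 MiB committed. */
    struct vm_state s = {
        .overcommit_memory = OVERCOMMIT_NEVER, .overcommit_ratio = 50,
        .totalram_pages = 262144, .hugetlb_pages = 0, .total_swap_pages = 0,
        .committed_as = 102400, .free_pages = 50000, .mm_total_vm = 0,
        .cap_sys_admin = false, .rlimit_stack = ULONG_MAX, /* "unlimited" */
    };
    printf("unlimited stack, overcommit=never: %lu bytes\n", max_stack_size(&s));
    s.rlimit_stack = 8UL << 20;
    printf("8 MiB stack, overcommit=never:     %lu bytes\n", max_stack_size(&s));
    s.overcommit_memory = OVERCOMMIT_ALWAYS;
    printf("8 MiB stack, overcommit=always:    %lu bytes\n", max_stack_size(&s));
    return 0;
}
```

With the constructed state, an unlimited stack rlimit under `overcommit_memory=2` yields a 96 MiB budget (the 24576 pages left after the 3% reserve and the 400 MiB already committed), whereas the default 8 MiB stack caps it at 2 MiB regardless of mode; under `overcommit_memory=1` only the rlimit cap remains, which is the case the thread is worried about when the rlimit is unlimited.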
Current thread:
- [PATCH 0/2] execve memory exhaust of argument-copying fixes, (continued)
- [PATCH 0/2] execve memory exhaust of argument-copying fixes KOSAKI Motohiro (Sep 09)
- [PATCH 1/2] oom: don't ignore rss in nascent mm KOSAKI Motohiro (Sep 09)
- Re: [PATCH 1/2] oom: don't ignore rss in nascent mm Roland McGrath (Sep 10)
- [PATCH] move cred_guard_mutex from task_struct to signal_struct KOSAKI Motohiro (Sep 10)
- Re: [PATCH] move cred_guard_mutex from task_struct to signal_struct Oleg Nesterov (Sep 10)
- Re: [PATCH] move cred_guard_mutex from task_struct to signal_struct KOSAKI Motohiro (Sep 15)
- [PATCH 2/2] execve: check the VM has enough memory at first KOSAKI Motohiro (Sep 09)
- Re: [PATCH 2/2] execve: check the VM has enough memory at first Linus Torvalds (Sep 10)
- Re: [PATCH 2/2] execve: check the VM has enough memory at first KOSAKI Motohiro (Sep 13)
- Re: [PATCH 2/2] execve: check the VM has enough memory at first KOSAKI Motohiro (Sep 15)
- Re: [PATCH 2/2] execve: check the VM has enough memory at first Linus Torvalds (Sep 16)
- Re: [PATCH] exec argument expansion can inappropriately trigger OOM-killer Solar Designer (Aug 30)
- Re: [PATCH] exec argument expansion can inappropriately trigger OOM-killer Brad Spengler (Aug 30)
- Re: [PATCH] exec argument expansion can inappropriately trigger OOM-killer Solar Designer (Aug 31)
- Re: [PATCH] exec argument expansion can inappropriately triggerOOM-killer Tetsuo Handa (Aug 31)