To avoid pathological stack usage or the need to special-case setuid execs, just limit all arg stack usage to at most _STK_LIM / 4 * 3 (6MB).
Signed-off-by: Kees Cook <keesc...@chromium.org> --- fs/exec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 904199086490..ddca2cf15f71 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -221,7 +221,6 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, if (write) { unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; unsigned long ptr_size; - struct rlimit *rlim; /* * Since the stack will hold pointers to the strings, we @@ -250,14 +249,15 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, return page; /* - * Limit to 1/4-th the stack size for the argv+env strings. + * Limit to 1/4 of the max stack size or 3/4 of _STK_LIM + * (whichever is smaller) for the argv+env strings. * This ensures that: * - the remaining binfmt code will not run out of stack space, * - the program will have a reasonable amount of stack left * to work from. */ - rlim = current->signal->rlim; - if (size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur) / 4) + if (size > min_t(unsigned long, rlimit(RLIMIT_STACK) / 4, + _STK_LIM / 4 * 3)) goto fail; } -- 2.7.4 -- Kees Cook Pixel Security