On Thu, 2007-06-14 at 13:58 -0700, Ollie Wild wrote: > A good heuristic, though, might be to limit > argument size to a percentage (say 25%) of maximum stack size and > validate this inside copy_strings().
This seems to do: Signed-off-by: Peter Zijlstra <[EMAIL PROTECTED]> --- fs/exec.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) Index: linux-2.6-2/fs/exec.c =================================================================== --- linux-2.6-2.orig/fs/exec.c 2007-06-15 11:05:09.000000000 +0200 +++ linux-2.6-2/fs/exec.c 2007-06-15 11:05:18.000000000 +0200 @@ -199,6 +199,23 @@ static struct page *get_arg_page(struct if (ret <= 0) return NULL; + if (write) { + struct rlimit *rlim = current->signal->rlim; + unsigned long size = bprm->vma->vm_end - bprm->vma->vm_start; + + /* + * Limit to 1/4-th the stack size for the argv+env strings. + * This ensures that: + * - the remaining binfmt code will not run out of stack space, + * - the program will have a reasonable amount of stack left + * to work from. + */ + if (size > rlim[RLIMIT_STACK].rlim_cur / 4) { + put_page(page); + return NULL; + } + } + return page; } - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/