Hi Oleg,

On Mon, Nov 26, 2018 at 01:23:07PM +0100, Oleg Nesterov wrote:
> Hi Guenter,
>
> On 11/23, Guenter Roeck wrote:
> >
> > On Mon, Nov 12, 2018 at 05:09:10PM +0100, Oleg Nesterov wrote:
> > > get_arg_page() checks bprm->rlim_stack.rlim_cur and re-calculates the
> > > "extra" size for argv/envp pointers every time, this is a bit ugly and
> > > even not strictly correct: acct_arg_size() must not account this size.
> > >
> > > Remove all the rlimit code in get_arg_page(). Instead, add bprm->argmin
> > > calculated once at the start of __do_execve_file() and change copy_strings
> > > to check bprm->p >= bprm->argmin.
> > >
> > > The patch adds the new helper, prepare_arg_pages() which initializes
> > > bprm->argc/envc and bprm->argmin.
> > >
> > > Signed-off-by: Oleg Nesterov <[email protected]>
> > > Acked-by: Kees Cook <[email protected]>
> >
> > This patch results in various qemu boot failures in -next. Bisect logs
> > are attached. It looks like all nommu boots are failing.
>                                               ^^^^^
>
> Ah, thanks.
>
> Yes, I forgot about the !CONFIG_MMU version of get_arg_page() which doesn't
> check RLIMIT_STACK at all.
>
> I'll send the trivial fix. Meanwhile, could you test the patch below? to ensure
> this is the only problem.
>
Tested-by: Guenter Roeck <[email protected]> with arm:mps2-an385, xtensa:kc705-nommu, and m68k:mcf5208evb. Thanks, Guenter > Oleg. > > --- a/fs/exec.c > +++ b/fs/exec.c > @@ -526,8 +526,10 @@ static int copy_strings(int argc, struct user_arg_ptr > argv, > pos = bprm->p; > str += len; > bprm->p -= len; > +#ifdef CONFIG_MMU > if (bprm->p < bprm->argmin) > goto out; > +#endif > > while (len > 0) { > int offset, bytes_to_copy; >
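Review bot: the `#ifdef CONFIG_MMU` around `if (bprm->p < bprm->argmin) goto out;` in copy_strings() simply restores the pre-series behaviour for nommu (no lower bound on the argv/envp area at all, as the reply above notes the !CONFIG_MMU get_arg_page() never checked RLIMIT_STACK), which is fine for confirming that this was the only cause of the boot failures, but as the permanent fix it should carry a comment stating that bprm->argmin is intentionally not enforced when !CONFIG_MMU, otherwise a later reader will assume the check was dropped by accident. Moving the conditional out of the copy loop into a small inline helper with the #ifdef inside would also keep the MMU and nommu paths from diverging silently. Note that the Tested-by above covers arm:mps2-an385, xtensa:kc705-nommu and m68k:mcf5208evb, i.e. the nommu side only; the MMU path, where the argmin check remains, is unchanged by this hunk.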

