On 3 March 2017 at 11:25, P J P <ppan...@redhat.com> wrote:
> From: Prasad J Pandit <p...@fedoraproject.org>
>
> Limit the number of arguments passed to execve(2) call from
> a user program, as large number of them could lead to a bad
> guest address error.
>
> Reported-by: Jann Horn <ja...@google.com>
> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
> ---
> linux-user/syscall.c | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
> index 9be8e95..c545c12 100644
> --- a/linux-user/syscall.c
> +++ b/linux-user/syscall.c
> @@ -7766,6 +7766,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
> arg1,
> #endif
> case TARGET_NR_execve:
> {
> +#define ARG_MAX 65535
> char **argp, **envp;
> int argc, envc;
> abi_ulong gp;
> @@ -7794,6 +7795,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
> arg1,
> envc++;
> }
>
> + if (argc > ARG_MAX || envc > ARG_MAX) {
> + fprintf(stderr,
> + "argc(%d), envc(%d) exceed %d\n", argc, envc,
> ARG_MAX);
> + ret = -TARGET_EFAULT;
> + break;
> + }
> argp = alloca((argc + 1) * sizeof(void *));
> envp = alloca((envc + 1) * sizeof(void *));
This code is already supposed to handle "argument string too big",
see commit a6f79cc9a5e.
What's the actual bug case we're trying to handle here?
EFAULT looks like a decidedly odd error to return here, too.
thanks
-- PMM
