On Fri, Mar 3, 2017 at 4:55 PM, Peter Maydell <peter.mayd...@linaro.org> wrote:
> On 3 March 2017 at 11:25, P J P <ppan...@redhat.com> wrote:
>> From: Prasad J Pandit <p...@fedoraproject.org>
>>
>> Limit the number of arguments passed to execve(2) call from
>> a user program, as large number of them could lead to a bad
>> guest address error.
>>
>> Reported-by: Jann Horn <ja...@google.com>
>> Signed-off-by: Prasad J Pandit <p...@fedoraproject.org>
>> ---
>> linux-user/syscall.c | 7 +++++++
>> 1 file changed, 7 insertions(+)
>>
>> diff --git a/linux-user/syscall.c b/linux-user/syscall.c
>> index 9be8e95..c545c12 100644
>> --- a/linux-user/syscall.c
>> +++ b/linux-user/syscall.c
>> @@ -7766,6 +7766,7 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
>> arg1,
>> #endif
>> case TARGET_NR_execve:
>> {
>> +#define ARG_MAX 65535
>> char **argp, **envp;
>> int argc, envc;
>> abi_ulong gp;
>> @@ -7794,6 +7795,12 @@ abi_long do_syscall(void *cpu_env, int num, abi_long
>> arg1,
>> envc++;
>> }
>>
>> + if (argc > ARG_MAX || envc > ARG_MAX) {
>> + fprintf(stderr,
>> + "argc(%d), envc(%d) exceed %d\n", argc, envc,
>> ARG_MAX);
>> + ret = -TARGET_EFAULT;
>> + break;
>> + }
>> argp = alloca((argc + 1) * sizeof(void *));
>> envp = alloca((envc + 1) * sizeof(void *));
>
> This code is already supposed to handle "argument string too big",
> see commit a6f79cc9a5e.
>
> What's the actual bug case we're trying to handle here?
commit a6f79cc9a5e doesn't help here, it only bails out after the two
alloca() calls
