On 3 March 2017 at 14:54, Eric Blake <ebl...@redhat.com> wrote:
>> + ret = -TARGET_EFAULT;
>> + break;
>> + }
>> argp = alloca((argc + 1) * sizeof(void *));
>> envp = alloca((envc + 1) * sizeof(void *));
>
> ...Uggh. You're using alloca() but allowing an allocation of way more
> than 4k. That means a guest can cause corruption of the stack (or, with
> large enough arguments, even escape out of the stack) before you even
> get to the execve() call to even worry about E2BIG issues.
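Review bot: the two alloca() lines size a stack allocation directly from the guest-supplied argc and envc with no upper bound, so the new `ret = -TARGET_EFAULT; break;` path only catches a bad pointer, not an oversized count, and a large count overruns the stack before execve() ever has the chance to fail with E2BIG. Check argc and envc against a fixed limit before sizing the arrays, and prefer a heap allocation (g_try_new0() with a matching free on every exit of the case) over alloca() so the failure is a reportable error rather than stack corruption.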
Yeah, linux-user is shot through with that kind of alloca() usage. (It's not great, but it's not a security hole because we already give the guest binary complete control to do anything it likes. Worth fixing bugs if we run into them, though.)

thanks
-- PMM
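A hardened replacement for the alloca() sizing pattern discussed in this thread, as an added example: it is not QEMU's code and not from either poster. It bounds the guest-supplied entry count before sizing the pointer array, allocates on the heap instead of the stack, and reports failure as an errno-style code; the cap `MAX_ARG_ENTRIES` and the function names are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed upper bound on argv/envp entries accepted from the guest; a real
 * port would derive this from the host's ARG_MAX / MAX_ARG_STRINGS. */
#define MAX_ARG_ENTRIES 32768u

/*
 * Allocate a NULL-terminated pointer array with `count` slots on the heap,
 * replacing `alloca((count + 1) * sizeof(void *))`. The count is checked
 * against the bound before any sizing arithmetic, the multiplication is
 * guarded against overflow, and every failure is returned to the caller
 * instead of silently overrunning the stack.
 *
 * Returns 0 and sets *out on success (caller frees *out);
 * -E2BIG if count exceeds MAX_ARG_ENTRIES; -ENOMEM on allocation failure.
 */
int alloc_ptr_array(size_t count, void ***out)
{
    *out = NULL;
    if (count > MAX_ARG_ENTRIES) {
        return -E2BIG;
    }
    /* Cannot overflow after the bound check, but keep the guard so the
     * function stays safe if MAX_ARG_ENTRIES is ever raised. */
    if (count + 1 > SIZE_MAX / sizeof(void *)) {
        return -ENOMEM;
    }
    void **arr = calloc(count + 1, sizeof(void *)); /* arr[count] == NULL */
    if (arr == NULL) {
        return -ENOMEM;
    }
    *out = arr;
    return 0;
}

/* Mirrors the argc/envc validation that would precede execve(): try to
 * allocate for `count` entries, release the array, and report the result. */
int probe_count(size_t count)
{
    void **arr;
    int ret = alloc_ptr_array(count, &arr);
    free(arr); /* free(NULL) is a no-op on the error paths */
    return ret;
}
```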