+-- On Fri, 3 Mar 2017, Jann Horn wrote --+
| On Fri, Mar 3, 2017 at 4:55 PM, Peter Maydell <peter.mayd...@linaro.org>
wrote:
| >> + if (argc > ARG_MAX || envc > ARG_MAX) {
| >> + fprintf(stderr,
| >> + "argc(%d), envc(%d) exceed %d\n", argc, envc,
ARG_MAX);
| >> + ret = -TARGET_EFAULT;
| >> + break;
| >> + }
| >> argp = alloca((argc + 1) * sizeof(void *));
| >> envp = alloca((envc + 1) * sizeof(void *));
| >
| > This code is already supposed to handle "argument string too big",
| > see commit a6f79cc9a5e.
| >
| > What's the actual bug case we're trying to handle here?
Not argument string, but argument count too big leads to a bad address in
get_user_ual(...), resulting in segfault.
Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
