Bug 628498
| Summary: | kernel: Problem with execve(2) reintroduced [rhel-4.9] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Eugene Teo (Security Response) <eteo> |
| Component: | kernel | Assignee: | Dave Anderson <anderson> |
| Status: | CLOSED NOTABUG | QA Contact: | Red Hat Kernel QE team <kernel-qe> |
| Severity: | high | Priority: | high |
| Version: | 4.9 | CC: | dhoward, eteo, jolsa, lwang, plyons, roland, vgoyal |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2010-09-27 07:18:59 UTC |
| : | 629176 629178 629179 629180 | Bug Blocks: | 629176, 629178, 629179, 629180 |

Description
Eugene Teo (Security Response)
2010-08-30 08:40:26 UTC
Roland proposed, http://lkml.org/lkml/2010/8/30/138. I don't think this justifies a CVE name, and should be handled as a normal bug.

[PATCH 2/3] execve: improve interactivity with large arguments
http://lkml.org/lkml/2010/9/7/495

[PATCH 3/3] execve: make responsive to SIGKILL with large arguments
http://lkml.org/lkml/2010/9/7/497

Can you verify that you are requesting a backport of the two patches in comment #2?

(In reply to comment #3)
> Can you verify that you are requesting a backport of the two patches
> in comment #2?

Yes Dave.

commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919
commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd

Thanks, Eugene

> "Now it appears that, besides the issue that started this thread, the same
> problem I mentioned above got re-introduced. We still have strnlen_user() and
> the "max" argument to count(), but we no longer have hard limits for "max".
> Someone set MAX_ARG_STRINGS to 0x7FFFFFFF, and this is just too much.
> MAX_ARG_STRLEN is set to 32 pages, and these two combined allow a userspace
> program to make the kernel loop for days.
The (large) MAX_ARG_STRINGS was introduced upstream in 2.6.23, and was backported
to RHEL5 in 2.6.18-112.el5. But it was never backported to RHEL4, so I don't
understand why this patch should be considered for RHEL4?
(In reply to comment #5)
> > "Now it appears that, besides the issue that started this thread, the same
> > problem I mentioned above got re-introduced. We still have strnlen_user() and
> > the "max" argument to count(), but we no longer have hard limits for "max".
> > Someone set MAX_ARG_STRINGS to 0x7FFFFFFF, and this is just too much.
> > MAX_ARG_STRLEN is set to 32 pages, and these two combined allow a userspace
> > program to make the kernel loop for days.
>
> The (large) MAX_ARG_STRINGS was introduced upstream in 2.6.23, and was backported
> to RHEL5 in 2.6.18-112.el5. But it was never backported to RHEL4, so I don't
> understand why this patch should be considered for RHEL4?

Hmm, thanks. Closing the bug.
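
The triage reasoning in this thread, written as an added example (not code from the bug, the patches, or Red Hat): it classifies kernel release strings by whether they carry the large MAX_ARG_STRINGS, and shows why comparing against 2.6.23 alone misjudges RHEL5 backports. The function name, the release-string pattern and the sample strings are assumptions constructed for illustration; only the 2.6.23 and 2.6.18-112.el5 thresholds and the RHEL4 statement come from the comments above.

```python
import re

# Thresholds stated in the thread above.
UPSTREAM_INTRODUCED = (2, 6, 23)            # large MAX_ARG_STRINGS upstream
RHEL5_BASE, RHEL5_BUILD = (2, 6, 18), 112   # backported in 2.6.18-112.el5

# Assumed release format: base version, optional stable suffix,
# optional Red Hat style "-build[.n...].tag", then any flavour suffix.
_RELEASE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*"
    r"(?:-(\d+)(?:\.\d+)*\.(el\d+|EL))?(.*)$"
)


def has_large_max_arg_strings(release):
    """True/False per the thread's facts; None when they do not decide it."""
    m = _RELEASE.match(release.strip())
    if not m:
        return None
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    build, tag, rest = m.group(4), m.group(5), m.group(6)
    if base >= UPSTREAM_INTRODUCED:
        return True    # assumes the limit was not lowered again later
    if tag == "el5" and base == RHEL5_BASE:
        # Base version is older than 2.6.23, but the change was backported.
        return int(build) >= RHEL5_BUILD
    if tag in ("EL", "el4"):
        return False   # RHEL4: never backported, per the thread
    if tag is None and rest == "":
        return False   # plain upstream release older than 2.6.23
    return None        # other vendor kernel: backport status unknown


# Constructed sample release strings (not taken from the bug).
SAMPLES = [
    "2.6.9-89.0.26.EL", "2.6.18-92.1.22.el5", "2.6.18-194.11.3.el5PAE",
    "2.6.22.19", "2.6.23", "2.6.16.60-0.21-smp",
]

if __name__ == "__main__":
    for rel in SAMPLES:
        print(f"{rel:28} {has_large_max_arg_strings(rel)}")
```

A `True` result only says the kernel has the large limit discussed in the thread; it says nothing about whether the two execve patches are applied.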