Bug 628498 - kernel: Problem with execve(2) reintroduced [rhel-4.9]
Summary: kernel: Problem with execve(2) reintroduced [rhel-4.9]
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.9
Hardware: All
OS: Linux
high
high
Target Milestone: ---
: ---
Assignee: Dave Anderson
QA Contact: Red Hat Kernel QE team
URL:
Whiteboard:
Depends On:
Blocks: 629176 629178 629179 629180
TreeView+ depends on / blocked
 
Reported: 2010-08-30 08:40 UTC by Eugene Teo (Security Response)
Modified: 2013-01-11 03:14 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 629176 629178 629179 629180 (view as bug list)
Environment:
Last Closed: 2010-09-27 07:18:59 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Eugene Teo (Security Response) 2010-08-30 08:40:26 UTC 
Description of problem:
Reported by Solar Designer.

This issue was fixed during the 2.0/2.3 kernel days:
http://marc.info/?l=bugtraq&m=93728282528791

"(2.0.38) (2.2.12) (*)
While investigating the problem mentioned above, as well as porting Pavel Kankovsky's fd 0-2 fix to Linux 2.2, I've noticed yet another problem with execve(2), which has a similar impact.  The problem is that all arguments are first counted, and their lengths measured, and only after that the results are checked against the limit (32 pages, or 128 KB on x86).  Thus, it is possible to make execve(2) spend a significant amount of CPU cycles in the kernel, with the big kernel lock obtained.  In terms of real time, I was able to get 25 minutes for one execve(2) call on Alpha (the 64-bit address space helps), and
several seconds on modern x86 boxes.  The latter can still be halted to death by repeating the call in a loop, and in a few processes.

Fixing this required a trivial modification to the argument counting function, and a switch to strnlen_user() for the strings (on 2.2). The latter is an architecture-specific assembly function.  My patch only fixes it on x86 and Alpha, and 2.2.13 will do that for some more architectures (but maybe not all supported by Linux 2.2, yet).  Linux 2.0 didn't have a strlen_user(), and thus used a simple loop in this place, which had the same vulnerability (but not in my 2.0.38 patch, of course).

Note that RLIMIT_AS can be used as a workaround for this problem, and you should probably be using it for other reasons, anyway."

But it was reported to be reintroduced:
http://seclists.org/oss-sec/2010/q3/247

"Now it appears that, besides the issue that started this thread, the same problem I mentioned above got re-introduced.  We still have strnlen_user() and the "max" argument to count(), but we no longer have hard limits for "max".  Someone set MAX_ARG_STRINGS to 0x7FFFFFFF, and this is just too much.  MAX_ARG_STRLEN is set to 32 pages, and these two combined allow a userspace program to make the kernel loop for days.

So I think that we should re-introduce some artificial limit(s), maybe adjustable by root (by the host system's real root only when container virtualization is involved).  Maybe we should lower MAX_ARG_STRINGS and/or maybe we should limit the portion of stack space usable for argv to, say, 0.75 GB (or even less)."

He suggested:
  -               if (size > rlim[RLIMIT_STACK].rlim_cur / 4) {
  +               if (size > rlim[RLIMIT_STACK].rlim_cur / 4 ||
  +                   size > MAX_ARG_STACK) {

  -#define MAX_ARG_STRINGS 0x7FFFFFFF
  +#define MAX_ARG_STACK (0xC0000000UL / 4)
  +#define MAX_ARG_STRINGS (MAX_ARG_STACK / 5)

but may not be a sufficient solution.
Comment 1 Eugene Teo (Security Response) 2010-09-01 04:40:11 UTC 
Roland proposed, http://lkml.org/lkml/2010/8/30/138. I don't think this justify a CVE name, and should be handled as a normal bug.
Comment 2 Eugene Teo (Security Response) 2010-09-08 08:18:00 UTC 
[PATCH 2/3] execve: improve interactivity with large arguments
http://lkml.org/lkml/2010/9/7/495
[PATCH 3/3] execve: make responsive to SIGKILL with large arguments
http://lkml.org/lkml/2010/9/7/497
Comment 3 Dave Anderson 2010-09-17 20:08:05 UTC 
Can you verify that you are requesting a backport of the two patches
in comment #2?
Comment 4 Eugene Teo (Security Response) 2010-09-18 01:39:53 UTC 
(In reply to comment #3)
> Can you verify that you are requesting a backport of the two patches
> in comment #2?

Yes Dave.

commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919
commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd

Thanks, Eugene
Comment 5 Dave Anderson 2010-09-24 19:11:16 UTC 
> "Now it appears that, besides the issue that started this thread, the same
> problem I mentioned above got re-introduced.  We still have strnlen_user() and
> the "max" argument to count(), but we no longer have hard limits for "max". 
> Someone set MAX_ARG_STRINGS to 0x7FFFFFFF, and this is just too much. 
> MAX_ARG_STRLEN is set to 32 pages, and these two combined allow a userspace
> program to make the kernel loop for days.

The (large) MAX_ARG_STRINGS was introduced upstream in 2.6.23, and was backported
to RHEL5 in 2.6.18-112.el5.  But it was never backported to RHEL4, so I don't
understand why this patch should be considered for RHEL4?
Comment 6 Eugene Teo (Security Response) 2010-09-27 07:18:59 UTC 
(In reply to comment #5)
> > "Now it appears that, besides the issue that started this thread, the same
> > problem I mentioned above got re-introduced.  We still have strnlen_user() and
> > the "max" argument to count(), but we no longer have hard limits for "max". 
> > Someone set MAX_ARG_STRINGS to 0x7FFFFFFF, and this is just too much. 
> > MAX_ARG_STRLEN is set to 32 pages, and these two combined allow a userspace
> > program to make the kernel loop for days.
> 
> The (large) MAX_ARG_STRINGS was introduced upstream in 2.6.23, and was
> backported
> to RHEL5 in 2.6.18-112.el5.  But it was never backported to RHEL4, so I don't
> understand why this patch should be considered for RHEL4?

Hmm, thanks. Closing the bug.
Note You need to log in before you can comment on or make changes to this bug.