Bug 628498
| Summary: | kernel: Problem with execve(2) reintroduced [rhel-4.9] | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Eugene Teo (Security Response) <eteo> | |
| Component: | kernel | Assignee: | Dave Anderson <anderson> | |
| Status: | CLOSED NOTABUG | QA Contact: | Red Hat Kernel QE team <kernel-qe> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 4.9 | CC: | dhoward, eteo, jolsa, lwang, plyons, roland, vgoyal | |
| Target Milestone: | --- | |||
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 629176 629178 629179 629180 (view as bug list) | Environment: | ||
| Last Closed: | 2010-09-27 07:18:59 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 629176, 629178, 629179, 629180 | |||
|
Description
Eugene Teo (Security Response)
2010-08-30 08:40:26 UTC
Roland proposed, http://lkml.org/lkml/2010/8/30/138. I don't think this justify a CVE name, and should be handled as a normal bug. [PATCH 2/3] execve: improve interactivity with large arguments http://lkml.org/lkml/2010/9/7/495 [PATCH 3/3] execve: make responsive to SIGKILL with large arguments http://lkml.org/lkml/2010/9/7/497 Can you verify that you are requesting a backport of the two patches in comment #2? (In reply to comment #3) > Can you verify that you are requesting a backport of the two patches > in comment #2? Yes Dave. commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd Thanks, Eugene > "Now it appears that, besides the issue that started this thread, the same
> problem I mentioned above got re-introduced. We still have strnlen_user() and
> the "max" argument to count(), but we no longer have hard limits for "max".
> Someone set MAX_ARG_STRINGS to 0x7FFFFFFF, and this is just too much.
> MAX_ARG_STRLEN is set to 32 pages, and these two combined allow a userspace
> program to make the kernel loop for days.
The (large) MAX_ARG_STRINGS was introduced upstream in 2.6.23, and was backported
to RHEL5 in 2.6.18-112.el5. But it was never backported to RHEL4, so I don't
understand why this patch should be considered for RHEL4?
(In reply to comment #5) > > "Now it appears that, besides the issue that started this thread, the same > > problem I mentioned above got re-introduced. We still have strnlen_user() and > > the "max" argument to count(), but we no longer have hard limits for "max". > > Someone set MAX_ARG_STRINGS to 0x7FFFFFFF, and this is just too much. > > MAX_ARG_STRLEN is set to 32 pages, and these two combined allow a userspace > > program to make the kernel loop for days. > > The (large) MAX_ARG_STRINGS was introduced upstream in 2.6.23, and was > backported > to RHEL5 in 2.6.18-112.el5. But it was never backported to RHEL4, so I don't > understand why this patch should be considered for RHEL4? Hmm, thanks. Closing the bug. |