Patchwork linux-user: fail execve() if env/args too big

login
register
mail settings
Submitter Ulrich Hecht
Date Jan. 31, 2012, 11:43 a.m.
Message ID <1328010196-32134-1-git-send-email-uli@suse.de>
Download mbox | patch
Permalink /patch/138816/
State New
Headers show

Comments

Ulrich Hecht - Jan. 31, 2012, 11:43 a.m.
If the host's page size is equal to or smaller than the target's, native
execve() will fail appropriately with E2BIG if called with too big an
environment for the target to handle. It may falsely succeed, however, if
the host's page size is bigger, and feed the executed target process an
environment that is too big for it to handle, at which point QEMU barfs and
exits, confusing procmail's autoconf script and causing the build to fail.

This patch makes sure that execve() will return E2BIG if the environment is
too large for the target.

Signed-off-by: Ulrich Hecht <uli@suse.de>
---
 linux-user/syscall.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)
Stefan Hajnoczi - Feb. 9, 2012, 8:30 a.m.
On Tue, Jan 31, 2012 at 12:43:16PM +0100, Ulrich Hecht wrote:
> If the host's page size is equal to or smaller than the target's, native
> execve() will fail appropriately with E2BIG if called with too big an
> environment for the target to handle. It may falsely succeed, however, if
> the host's page size is bigger, and feed the executed target process an
> environment that is too big for it to handle, at which point QEMU barfs and
> exits, confusing procmail's autoconf script and causing the build to fail.
> 
> This patch makes sure that execve() will return E2BIG if the environment is
> too large for the target.
> 
> Signed-off-by: Ulrich Hecht <uli@suse.de>
> ---
>  linux-user/syscall.c |    9 +++++++++
>  1 files changed, 9 insertions(+), 0 deletions(-)

Thanks, applied to the trivial patches tree:
https://github.com/stefanha/qemu/commits/trivial-patches

Stefan

Patch

diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index 2bf9e7e..fba3f29 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -4797,6 +4797,7 @@  abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
             abi_ulong guest_envp;
             abi_ulong addr;
             char **q;
+            int total_size = 0;
 
             argc = 0;
             guest_argp = arg2;
@@ -4828,6 +4829,7 @@  abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
                     break;
                 if (!(*q = lock_user_string(addr)))
                     goto execve_efault;
+                total_size += strlen(*q) + 1;
             }
             *q = NULL;
 
@@ -4839,9 +4841,16 @@  abi_long do_syscall(void *cpu_env, int num, abi_long arg1,
                     break;
                 if (!(*q = lock_user_string(addr)))
                     goto execve_efault;
+                total_size += strlen(*q) + 1;
             }
             *q = NULL;
 
+            /* This case will not be caught by the host's execve() if its
+               page size is bigger than the target's. */
+            if (total_size > MAX_ARG_PAGES * TARGET_PAGE_SIZE) {
+                ret = -TARGET_E2BIG;
+                goto execve_end;
+            }
             if (!(p = lock_user_string(arg1)))
                 goto execve_efault;
             ret = get_errno(execve(p, argp, envp));