Mitigate DOS with large argument lists.

4 files changed, 144 insertions, 2 deletions

diff --git a/execve-improve-interactivity-with-large-arguments.patch b/execve-improve-interactivity-with-large-arguments.patch
new file mode 100644
index 0000000..7908e6c
--- /dev/null
+++ b/execve-improve-interactivity-with-large-arguments.patch
@@ -0,0 +1,36 @@
+From: Roland McGrath <roland@redhat.com>
+Date: Wed, 8 Sep 2010 02:36:28 +0000 (-0700)
+Subject: execve: improve interactivity with large arguments
+X-Git-Tag: v2.6.36-rc4~13
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=7993bc1f4663c0db67bb8f0d98e6678145b387cd
+
+execve: improve interactivity with large arguments
+
+This adds a preemption point during the copying of the argument and
+environment strings for execve, in copy_strings().  There is already
+a preemption point in the count() loop, so this doesn't add any new
+points in the abstract sense.
+
+When the total argument+environment strings are very large, the time
+spent copying them can be much more than a normal user time slice.
+So this change improves the interactivity of the rest of the system
+when one process is doing an execve with very large arguments.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 1b63237..6f2d777 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -419,6 +419,8 @@ static int copy_strings(int argc, const char __user *const __user *argv,
+ 		while (len > 0) {
+ 			int offset, bytes_to_copy;
+ 
++			cond_resched();
++
+ 			offset = pos % PAGE_SIZE;
+ 			if (offset == 0)
+ 				offset = PAGE_SIZE;
diff --git a/execve-make-responsive-to-sigkill-with-large-arguments.patch b/execve-make-responsive-to-sigkill-with-large-arguments.patch
new file mode 100644
index 0000000..a9e531a
--- /dev/null
+++ b/execve-make-responsive-to-sigkill-with-large-arguments.patch
@@ -0,0 +1,51 @@
+From: Roland McGrath <roland@redhat.com>
+Date: Wed, 8 Sep 2010 02:37:06 +0000 (-0700)
+Subject: execve: make responsive to SIGKILL with large arguments
+X-Git-Tag: v2.6.36-rc4~12
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9aea5a65aa7a1af9a4236dfaeb0088f1624f9919
+
+execve: make responsive to SIGKILL with large arguments
+
+An execve with a very large total of argument/environment strings
+can take a really long time in the execve system call.  It runs
+uninterruptibly to count and copy all the strings.  This change
+makes it abort the exec quickly if sent a SIGKILL.
+
+Note that this is the conservative change, to interrupt only for
+SIGKILL, by using fatal_signal_pending().  It would be perfectly
+correct semantics to let any signal interrupt the string-copying in
+execve, i.e. use signal_pending() instead of fatal_signal_pending().
+We'll save that change for later, since it could have user-visible
+consequences, such as having a timer set too quickly make it so that
+an execve can never complete, though it always happened to work before.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 6f2d777..828dd24 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -376,6 +376,9 @@ static int count(const char __user * const __user * argv, int max)
+ 			argv++;
+ 			if (i++ >= max)
+ 				return -E2BIG;
++
++			if (fatal_signal_pending(current))
++				return -ERESTARTNOHAND;
+ 			cond_resched();
+ 		}
+ 	}
+@@ -419,6 +422,10 @@ static int copy_strings(int argc, const char __user *const __user *argv,
+ 		while (len > 0) {
+ 			int offset, bytes_to_copy;
+ 
++			if (fatal_signal_pending(current)) {
++				ret = -ERESTARTNOHAND;
++				goto out;
++			}
+ 			cond_resched();
+ 
+ 			offset = pos % PAGE_SIZE;
diff --git a/kernel.spec b/kernel.spec
index 5e043be..5bcb905 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -847,6 +847,11 @@ Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
 
 Patch14200: net-do-not-check-capable-if-kernel.patch
 
+# Mitigate DOS with large argument lists
+Patch14210: execve-improve-interactivity-with-large-arguments.patch
+Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch
+Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch
+
 # ==============================================================================
 %endif
 
@@ -1566,6 +1571,11 @@ ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
 # rhbz #598796
 ApplyPatch net-do-not-check-capable-if-kernel.patch
 
+# Mitigate DOS with large argument lists
+ApplyPatch execve-improve-interactivity-with-large-arguments.patch
+ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
+ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
+
 # END OF PATCH APPLICATIONS ====================================================
 %endif
 
@@ -2218,10 +2228,13 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 
 %changelog
-* Tue Sep 14 2010 Kyle McMartin <kyle@redhat.com> 2.6.32.21-168
+* Tue Sep 14 2010 Chuck Ebbert <cebbert@redhat.com> 2.6.32.21-168
+- Mitigate DOS with large argument lists.
+
+* Tue Sep 14 2010 Kyle McMartin <kyle@redhat.com>
 - x86_64: plug compat syscalls holes. (CVE-2010-3081, CVE-2010-3301)
   upgrading is highly recommended.
-- aio: check for multiplication overflow in do_io_submit.
+- aio: check for multiplication overflow in do_io_submit. (CVE-2010-3067)
 
 * Mon Sep 06 2010 Kyle McMartin <kyle@redhat.com>
 - Backport two fixes from Eric Paris to resolve #598796 which avoids a
diff --git a/setup_arg_pages-diagnose-excessive-argument-size.patch b/setup_arg_pages-diagnose-excessive-argument-size.patch
new file mode 100644
index 0000000..ead972a
--- /dev/null
+++ b/setup_arg_pages-diagnose-excessive-argument-size.patch
@@ -0,0 +1,42 @@
+From: Roland McGrath <roland@redhat.com>
+Date: Wed, 8 Sep 2010 02:35:49 +0000 (-0700)
+Subject: setup_arg_pages: diagnose excessive argument size
+X-Git-Tag: v2.6.36-rc4~14
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1b528181b2ffa14721fb28ad1bd539fe1732c583
+
+setup_arg_pages: diagnose excessive argument size
+
+The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
+check the size of the argument/environment area on the stack.
+When it is unworkably large, shift_arg_pages() hits its BUG_ON.
+This is exploitable with a very large RLIMIT_STACK limit, to
+create a crash pretty easily.
+
+Check that the initial stack is not too large to make it possible
+to map in any executable.  We're not checking that the actual
+executable (or intepreter, for binfmt_elf) will fit.  So those
+mappings might clobber part of the initial stack mapping.  But
+that is just userland lossage that userland made happen, not a
+kernel problem.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/fs/exec.c b/fs/exec.c
+index 2d94552..1b63237 100644
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -594,6 +594,11 @@ int setup_arg_pages(struct linux_binprm *bprm,
+ #else
+ 	stack_top = arch_align_stack(stack_top);
+ 	stack_top = PAGE_ALIGN(stack_top);
++
++	if (unlikely(stack_top < mmap_min_addr) ||
++	    unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
++		return -ENOMEM;
++
+ 	stack_shift = vma->vm_end - stack_top;
+ 
+ 	bprm->p -= stack_shift;