Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp813122rdg;
        Wed, 11 Oct 2023 06:21:52 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IH+sD2NQxiZu8B0cxAIFrdr+5WSSc6ZwtsUdjX//zCdaitqGD5+KEfq2bqT6Z78Mi66JV+F
X-Received: by 2002:a17:90b:e91:b0:27c:f016:49a2 with SMTP id fv17-20020a17090b0e9100b0027cf01649a2mr3983799pjb.7.1697030511899;
        Wed, 11 Oct 2023 06:21:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1697030511; cv=none;
        d=google.com; s=arc-20160816;
        b=Pas+pYHvmMm3nlsNG2rg7AXeSSUp+J5yfGLCR03Weh3sPgJlrtq7MP3a3n4fln17l7
         iWCaB9vp54TnjVXBuN/aXyXdLs7H5ow3e28NvAVqemis7/HRBFt+HmbD6I8D+ZajHNes
         ucSIis82WogsTx9R8R1GK19bUiWh0nygvfBmTfxvXWB5DCNlhJBN0c4hqgE8IUOxMcUo
         8LMrSUyLkBo0BbaNpn5YsMGiAaHvlNJ0UvbgpoA/YPj3a6RfY2Z2PoBrnWV68V1OuJzH
         ICQC1FWAF7f1EZto8j6sVyW1FVpGzq2I1xl/UgEqdWQZ208px95SLRX1mM0LHiozjdq0
         N0WA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent
         :content-transfer-encoding:references:in-reply-to:date:cc:to:from
         :subject:message-id;
        bh=3Cq1Ds4z1z+vwL9rzAx4WGg0UFTWn7ewTpMo4KsqYIg=;
        fh=IaHIGecTgtBZWzHFdribiMaBLwiIQP47sp/WWUYgmOw=;
        b=IeoDTOE896yAe3t9q7byEDDN9IXnVEOOdzuMYrjnbWYInzk5bm6Ru3i09BUP/jBUsz
         p+fte21G7+E8L+r746ZHk1n5zTE5gUe7yoDNpiWUTEid4pym+YVp4uOxF1BbDEPII7G0
         TJaZTvtBB7ik+0iCUSa2OipfQiXwOQsSf4g1YVciecwKr6Ms01I3p+qiqCKajnI/4wUj
         2K52KDzZYGtOAScqm0Xw7SuyIp3tkHe8rdLjks6QOrvzB9pr5Jv1INFy/VcBtpVft5ug
         ajviTnOgk9vK28LQhuTFlQND6G0cwGuEUG1tairlJUwFEvMQdCSqs2gHhAymHr3dVV/u
         ngdw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3])
        by mx.google.com with ESMTPS id u5-20020a17090a890500b00279202f4151si3861658pjn.45.2023.10.11.06.21.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 11 Oct 2023 06:21:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) client-ip=2620:137:e000::3:3;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:3 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by lipwig.vger.email (Postfix) with ESMTP id F10CC807EB36;
	Wed, 11 Oct 2023 06:21:48 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232165AbjJKNVh convert rfc822-to-8bit (ORCPT
        <rfc822;tarbal@gmail.com> + 99 others);
        Wed, 11 Oct 2023 09:21:37 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49016 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231524AbjJKNVg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 11 Oct 2023 09:21:36 -0400
Received: from shelob.surriel.com (shelob.surriel.com [96.67.55.147])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D31C990;
        Wed, 11 Oct 2023 06:21:35 -0700 (PDT)
Received: from imladris.home.surriel.com ([10.0.13.28] helo=imladris.surriel.com)
        by shelob.surriel.com with esmtpsa  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        (Exim 4.96.1)
        (envelope-from <riel@shelob.surriel.com>)
        id 1qqZ9U-0002pt-2W;
        Wed, 11 Oct 2023 09:21:28 -0400
Message-ID: <60b4d916663ea31ae05a958b6dea8aa5bf740d0a.camel@surriel.com>
Subject: Re: [PATCH] execve.2: execve also returns E2BIG if a string is too
 long
From:   Rik van Riel <riel@surriel.com>
To:     Alejandro Colomar <alx@kernel.org>
Cc:     linux-man@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        kernel-team@meta.com, Eric Biederman <ebiederm@xmission.com>
Date:   Wed, 11 Oct 2023 09:21:28 -0400
In-Reply-To: <ZSZ7yXwYAg-xPC7P@debian>
References: <20231010234153.021826b1@imladris.surriel.com>
         <ZSZ7yXwYAg-xPC7P@debian>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8BIT
User-Agent: Evolution 3.46.4 (3.46.4-1.fc37) 
MIME-Version: 1.0
Sender: riel@surriel.com
X-Spam-Status: No, score=2.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]); Wed, 11 Oct 2023 06:21:49 -0700 (PDT)
X-Spam-Level: **

On Wed, 2023-10-11 at 12:41 +0200, Alejandro Colomar wrote:
> Hi Rik,
> 
> On Tue, Oct 10, 2023 at 11:41:53PM -0400, Rik van Riel wrote:
> > Document that if a command line or environment string is too long
> > (> MAX_ARG_STRLEN), execve will also return E2BIG.
> 
> That's already implied by the current text:
> 
>        E2BIG  The total number of bytes in the environment (envp) and
> argument
>               list (argv) is too large.
> 
> That means that
> 
> size_t  bytes;
> 
> bytes = 0;
> for (char *e = envp; e != NULL; e++)
>         bytes += strlen(e) + 1;  // I have doubts about the +1
> for (char *a = argv; a != NULL; a++)
>         bytes += strlen(a) + 1;  // Same doubts
> 
> if (bytes > MAX_ARG_STRLEN)  // Maybe >= ?
>         return -E2BIG;

The code in fs/exec.c enforces MAX_ARG_STRLEN against
each individual string, not against the total.

If any string, either argument or environment, is larger
than 32 * PAGE_SIZE, the kernel will return -E2BIG.

do_execveat_common() has this code, which uses copy_strings
to copy both the strings from the environment, and from
the command line arguments:

        retval = copy_strings(bprm->envc, envp, bprm);
        if (retval < 0)
                goto out_free;

        retval = copy_strings(bprm->argc, argv, bprm);
        if (retval < 0)
                goto out_free;

Inside copy_strings() we have this code:


        while (argc-- > 0) {
...
                len = strnlen_user(str, MAX_ARG_STRLEN);
                if (!len)
                        goto out;

                ret = -E2BIG;
                if (!valid_arg_len(bprm, len))
                        goto out;

The valid_arg_len() function does not need explanation:

static bool valid_arg_len(struct linux_binprm *bprm, long len)
{
        return len <= MAX_ARG_STRLEN;
}


The current man page wording is very clear about the total
length being enforced, but IMHO not as clear about the limit
that gets enforced on each individual string.

The total length limit of environment & commandline arguments
is enforced by bprm_stack_limits(), and is checked against
either 1/4 of the maximum stack size, or 3/4 of _STK_LIM, whichever
is smaller. The MAX_ARG_STRLEN value does not come into play when
enforcing the total.

-- 
All Rights Reversed.