Message-ID: <60b4d916663ea31ae05a958b6dea8aa5bf740d0a.camel@surriel.com>
Subject: Re: [PATCH] execve.2: execve also returns E2BIG if a string is too long
From: Rik van Riel
To: Alejandro Colomar
Cc: linux-man@vger.kernel.org, LKML, kernel-team@meta.com, Eric Biederman
Date: Wed, 11 Oct 2023 09:21:28 -0400

On Wed, 2023-10-11 at 12:41 +0200, Alejandro Colomar wrote:
> Hi Rik,
>
> On Tue, Oct 10, 2023 at 11:41:53PM -0400, Rik van Riel wrote:
> > Document that if a command line or environment string is too long
> > (> MAX_ARG_STRLEN), execve will also return E2BIG.
>
> That's already implied by the current text:
>
>        E2BIG  The total number of bytes in the environment (envp) and argument
>               list (argv) is too large.
>
> That means that
>
> size_t  bytes;
>
> bytes = 0;
> for (char *e = envp; e != NULL; e++)
>         bytes += strlen(e) + 1;  // I have doubts about the +1
> for (char *a = argv; a != NULL; a++)
>         bytes += strlen(a) + 1;  // Same doubts
>
> if (bytes > MAX_ARG_STRLEN)  // Maybe >= ?
>         return -E2BIG;

The code in fs/exec.c enforces MAX_ARG_STRLEN against each individual
string, not against the total. If any string, either argument or
environment, is larger than 32 * PAGE_SIZE, the kernel will return
-E2BIG.

do_execveat_common() has this code, which uses copy_strings to copy
both the strings from the environment, and from the command line
arguments:

        retval = copy_strings(bprm->envc, envp, bprm);
        if (retval < 0)
                goto out_free;

        retval = copy_strings(bprm->argc, argv, bprm);
        if (retval < 0)
                goto out_free;

Inside copy_strings() we have this code:

        while (argc-- > 0) {
                ...
                len = strnlen_user(str, MAX_ARG_STRLEN);
                if (!len)
                        goto out;

                ret = -E2BIG;
                if (!valid_arg_len(bprm, len))
                        goto out;

The valid_arg_len() function does not need explanation:

static bool valid_arg_len(struct linux_binprm *bprm, long len)
{
        return len <= MAX_ARG_STRLEN;
}

The current man page wording is very clear about the total length
being enforced, but IMHO not as clear about the limit that gets
enforced on each individual string.

The total length limit of environment & commandline arguments is
enforced by bprm_stack_limits(), and is checked against either 1/4
of the maximum stack size, or 3/4 of _STK_LIM, whichever is smaller.

The MAX_ARG_STRLEN value does not come into play when enforcing the
total.

-- 
All Rights Reversed.
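
Added example (not part of the original message and not kernel code): a user-space model of the two independent E2BIG conditions described in the reply above, the per-string MAX_ARG_STRLEN check and the separate total limit. The function names, the 8 MiB value used for _STK_LIM, and the simplified total accounting (sum of string lengths including the NUL, nothing else) are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STK_LIM (8UL * 1024 * 1024)	/* assumed value of the kernel's _STK_LIM */

enum e2big_reason { ARGS_OK, STRING_TOO_LONG, TOTAL_TOO_LARGE };

/* MAX_ARG_STRLEN is 32 * PAGE_SIZE; strnlen_user() counts the NUL too. */
static size_t max_arg_strlen(size_t page_size) { return 32 * page_size; }

/* Total limit as described above: min(stack rlimit / 4, 3/4 of _STK_LIM). */
static size_t total_limit(size_t stack_rlimit)
{
	size_t quarter = stack_rlimit / 4, cap = STK_LIM / 4 * 3;
	return quarter < cap ? quarter : cap;
}

/* Hypothetical helper: apply both checks to one NULL-terminated vector. */
static enum e2big_reason scan(char *const v[], size_t page_size,
			      size_t limit, size_t *total)
{
	for (; v && *v; v++) {
		size_t len = strlen(*v) + 1;	/* length including the NUL */
		if (len > max_arg_strlen(page_size))
			return STRING_TOO_LONG;	/* per-string limit */
		*total += len;
		if (*total > limit)
			return TOTAL_TOO_LARGE;	/* simplified total limit */
	}
	return ARGS_OK;
}

/* Environment first, then arguments, the order the reply quotes. */
static enum e2big_reason check_exec_strings(char *const argv[], char *const envp[],
					    size_t page_size, size_t stack_rlimit)
{
	size_t total = 0, limit = total_limit(stack_rlimit);
	enum e2big_reason r = scan(envp, page_size, limit, &total);
	return r != ARGS_OK ? r : scan(argv, page_size, limit, &total);
}

/* Constructed sample input: a string of n 'A' characters. */
static char *make_string(size_t n)
{
	char *s = malloc(n + 1);
	if (!s) abort();
	memset(s, 'A', n);
	s[n] = '\0';
	return s;
}

int main(void)
{
	char *s = make_string(32 * 4096);	/* one byte over the per-string limit */
	char *argv[] = { "prog", s, NULL }, *envp[] = { NULL };
	printf("%d\n", check_exec_strings(argv, envp, 4096, STK_LIM));
	free(s);
	return 0;
}
```

With 4 KiB pages and an 8 MiB stack limit, a single 131072-character string fails the per-string check even though the total is far below 2 MiB, while seventeen 131071-character strings each pass it and fail only on the total.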