CrOS: CVE-2017-1000365: Vulnerability reported in Linux kernel
Issue description

VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-1000365
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-1000365
CVSS severity score: 7.2/10.0

Description: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
Jun 30 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b766affbe86571886e2740963e3de5c0250af0cd

commit b766affbe86571886e2740963e3de5c0250af0cd
Author: Kees Cook <keescook@chromium.org>
Date: Fri Jun 30 21:24:29 2017

UPSTREAM: fs/exec.c: account for argv/envp pointers

When limiting the argv/envp strings during exec to 1/4 of the stack limit, the storage of the pointers to the strings was not included. This means that an exec with huge numbers of tiny strings could eat 1/4 of the stack limit in strings and then additional space would be later used by the pointers to the strings.

For example, on 32-bit with a 8MB stack rlimit, an exec with 1677721 single-byte strings would consume less than 2MB of stack, the max (8MB / 4) amount allowed, but the pointers to the strings would consume the remaining additional stack space (1677721 * 4 == 6710884). The result (1677721 + 6710884 == 8388605) would exhaust stack space entirely.

Controlling this stack exhaustion could result in pathological behavior in setuid binaries (CVE-2017-1000365).

[akpm@linux-foundation.org: additional commenting from Kees]
Fixes: b6a2fea39318 ("mm: variable length argument support")
Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

BUG=chromium:737530
TEST=Build and run

Change-Id: I4b05eaa9cabff8117571e93e03f88eb7497d592b
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 98da7d08850fb8bdeb395d6368ed15753304aa0c)
Reviewed-on: https://chromium-review.googlesource.com/558189
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/b766affbe86571886e2740963e3de5c0250af0cd/fs/exec.c
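The arithmetic in the commit message above, as an added example that is not the kernel's or the Chromium OS project's own code: a user-space C model of the argv/envp limit check in get_arg_page() before and after the fix. The constants are assumed to match the 32-bit scenario the message describes (4-byte pointers, 4 KB pages, an 8 MB RLIMIT_STACK, and the historical 32-page ARG_MAX floor the kernel always accepts); the function names and the multiplication-overflow guard are this model's own, not the kernel's.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Model of the argv/envp size accounting in get_arg_page() (fs/exec.c),
 * before and after the "account for argv/envp pointers" fix.
 * Assumed constants (32-bit target as in the commit message):
 *   4 KB pages, 32-page ARG_MAX floor, 4-byte pointers, 8 MB RLIMIT_STACK.
 */
#define MODEL_PAGE_SIZE      4096UL
#define MODEL_ARG_MAX        (32UL * MODEL_PAGE_SIZE)  /* 131072 bytes */
#define MODEL_PTR_SIZE_32    4UL
#define MODEL_RLIM_STACK_8MB (8UL * 1024UL * 1024UL)   /* 8388608 bytes */

/* Pre-fix check: only the bytes of the strings themselves are counted. */
static bool exec_allowed_before_fix(unsigned long strings_bytes,
                                    unsigned long rlim_stack)
{
    unsigned long size = strings_bytes;

    if (size <= MODEL_ARG_MAX)
        return true;                 /* historical floor, always allowed */
    return size <= rlim_stack / 4;   /* 1/4 of the stack rlimit */
}

/*
 * Post-fix check: the (argc + envc) pointer slots are added to the string
 * bytes first, with a wrap-around guard, and the same limits are applied
 * to the combined size. The kernel guards the addition; the multiplication
 * guard below is extra in this model.
 */
static bool exec_allowed_after_fix(unsigned long strings_bytes,
                                   unsigned long nr_strings,
                                   unsigned long ptr_size,
                                   unsigned long rlim_stack)
{
    unsigned long size = strings_bytes;
    unsigned long ptr_bytes;

    if (ptr_size != 0 && nr_strings > ULONG_MAX / ptr_size)
        return false;                /* multiplication would wrap */
    ptr_bytes = nr_strings * ptr_size;
    if (ptr_bytes > ULONG_MAX - size)
        return false;                /* addition would wrap */
    size += ptr_bytes;

    if (size <= MODEL_ARG_MAX)
        return true;
    return size <= rlim_stack / 4;
}

/* Stack bytes actually consumed once the pointer array is laid out. */
static unsigned long stack_consumed(unsigned long strings_bytes,
                                    unsigned long nr_strings,
                                    unsigned long ptr_size)
{
    return strings_bytes + nr_strings * ptr_size;
}

int main(void)
{
    /* The commit's scenario: 1677721 strings of one byte each. */
    const unsigned long n = 1677721UL;

    printf("strings only      : %lu bytes (quarter limit %lu)\n",
           n, MODEL_RLIM_STACK_8MB / 4);
    printf("with pointers     : %lu bytes (rlimit %lu)\n",
           stack_consumed(n, n, MODEL_PTR_SIZE_32), MODEL_RLIM_STACK_8MB);
    printf("allowed before fix: %s\n",
           exec_allowed_before_fix(n, MODEL_RLIM_STACK_8MB) ? "yes" : "no");
    printf("allowed after fix : %s\n",
           exec_allowed_after_fix(n, n, MODEL_PTR_SIZE_32,
                                  MODEL_RLIM_STACK_8MB) ? "yes" : "no");
    return 0;
}
```

Build with `cc -Wall model.c && ./a.out`. For the commit's 1677721 one-byte strings, the pre-fix check sees 1677721 bytes, under the 2 MB quarter, and accepts the exec, yet the real stack cost including pointers is 8388605 bytes, three bytes short of the whole 8 MB rlimit; the post-fix check counts the pointers and rejects it. The model only covers the size limit itself; whether the resulting exhaustion is usable against a particular setuid binary is outside what it shows.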
Jul 1 2017

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jul 6 2017

This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review.

Please contact the milestone owner if you have questions.
Owners: amineer@ (Android), cmasso@ (iOS), josafat@ (ChromeOS), bustamante@ (Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jul 6 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/4732716ee313ba57cdd1f3e870373c2ee1054135

commit 4732716ee313ba57cdd1f3e870373c2ee1054135
Author: Kees Cook <keescook@chromium.org>
Date: Thu Jul 06 20:59:23 2017

UPSTREAM: fs/exec.c: account for argv/envp pointers

When limiting the argv/envp strings during exec to 1/4 of the stack limit, the storage of the pointers to the strings was not included. This means that an exec with huge numbers of tiny strings could eat 1/4 of the stack limit in strings and then additional space would be later used by the pointers to the strings.

For example, on 32-bit with a 8MB stack rlimit, an exec with 1677721 single-byte strings would consume less than 2MB of stack, the max (8MB / 4) amount allowed, but the pointers to the strings would consume the remaining additional stack space (1677721 * 4 == 6710884). The result (1677721 + 6710884 == 8388605) would exhaust stack space entirely.

Controlling this stack exhaustion could result in pathological behavior in setuid binaries (CVE-2017-1000365).

[akpm@linux-foundation.org: additional commenting from Kees]
Fixes: b6a2fea39318 ("mm: variable length argument support")
Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

BUG=chromium:737530
TEST=Build and run

Change-Id: I4b05eaa9cabff8117571e93e03f88eb7497d592b
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 98da7d08850fb8bdeb395d6368ed15753304aa0c)
Reviewed-on: https://chromium-review.googlesource.com/558189
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit b766affbe86571886e2740963e3de5c0250af0cd)
Reviewed-on: https://chromium-review.googlesource.com/561957

[modify] https://crrev.com/4732716ee313ba57cdd1f3e870373c2ee1054135/fs/exec.c
Jul 10 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/8daccb05713699f26708789b7af1b9a39d62c991

commit 8daccb05713699f26708789b7af1b9a39d62c991
Author: Kees Cook <keescook@chromium.org>
Date: Mon Jul 10 16:18:57 2017

UPSTREAM: fs/exec.c: account for argv/envp pointers

When limiting the argv/envp strings during exec to 1/4 of the stack limit, the storage of the pointers to the strings was not included. This means that an exec with huge numbers of tiny strings could eat 1/4 of the stack limit in strings and then additional space would be later used by the pointers to the strings.

For example, on 32-bit with a 8MB stack rlimit, an exec with 1677721 single-byte strings would consume less than 2MB of stack, the max (8MB / 4) amount allowed, but the pointers to the strings would consume the remaining additional stack space (1677721 * 4 == 6710884). The result (1677721 + 6710884 == 8388605) would exhaust stack space entirely.

Controlling this stack exhaustion could result in pathological behavior in setuid binaries (CVE-2017-1000365).

[akpm@linux-foundation.org: additional commenting from Kees]
Fixes: b6a2fea39318 ("mm: variable length argument support")
Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

BUG=chromium:737530
TEST=Build and run

Change-Id: I4b05eaa9cabff8117571e93e03f88eb7497d592b
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 98da7d08850fb8bdeb395d6368ed15753304aa0c)
Reviewed-on: https://chromium-review.googlesource.com/558189
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit b766affbe86571886e2740963e3de5c0250af0cd)
Reviewed-on: https://chromium-review.googlesource.com/565104

[modify] https://crrev.com/8daccb05713699f26708789b7af1b9a39d62c991/fs/exec.c
Jul 10 2017

The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/53b84126a96eee86dd76b9a90a4227f4638b04de

commit 53b84126a96eee86dd76b9a90a4227f4638b04de
Author: Kees Cook <keescook@chromium.org>
Date: Mon Jul 10 16:19:02 2017

UPSTREAM: fs/exec.c: account for argv/envp pointers

When limiting the argv/envp strings during exec to 1/4 of the stack limit, the storage of the pointers to the strings was not included. This means that an exec with huge numbers of tiny strings could eat 1/4 of the stack limit in strings and then additional space would be later used by the pointers to the strings.

For example, on 32-bit with a 8MB stack rlimit, an exec with 1677721 single-byte strings would consume less than 2MB of stack, the max (8MB / 4) amount allowed, but the pointers to the strings would consume the remaining additional stack space (1677721 * 4 == 6710884). The result (1677721 + 6710884 == 8388605) would exhaust stack space entirely.

Controlling this stack exhaustion could result in pathological behavior in setuid binaries (CVE-2017-1000365).

[akpm@linux-foundation.org: additional commenting from Kees]
Fixes: b6a2fea39318 ("mm: variable length argument support")
Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Qualys Security Advisory <qsa@qualys.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

BUG=chromium:737530
TEST=Build and run

Change-Id: I4b05eaa9cabff8117571e93e03f88eb7497d592b
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 98da7d08850fb8bdeb395d6368ed15753304aa0c)
Reviewed-on: https://chromium-review.googlesource.com/558189
Reviewed-by: Dylan Reid <dgreid@chromium.org>
(cherry picked from commit b766affbe86571886e2740963e3de5c0250af0cd)
Reviewed-on: https://chromium-review.googlesource.com/561957
(cherry picked from commit 4732716ee313ba57cdd1f3e870373c2ee1054135)
Reviewed-on: https://chromium-review.googlesource.com/565519

[modify] https://crrev.com/53b84126a96eee86dd76b9a90a4227f4638b04de/fs/exec.c
Jul 14 2017

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time!

To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Oct 8 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by xzhou@chromium.org, Jun 28 2017
Status: Unconfirmed (was: Untriaged)