From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <azanella@sourceware.org>
Received: by sourceware.org (Postfix, from userid 1791)
 id 5AAA93953C38; Tue, 13 Apr 2021 20:12:06 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 5AAA93953C38
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Adhemerval Zanella <azanella@sourceware.org>
To: glibc-cvs@sourceware.org
Subject: [glibc] linux: sysconf: limit _SC_MAX_ARG to 6 MiB (BZ #25305)
X-Act-Checkin: glibc
X-Git-Author: Michal Nazarewicz <mina86@mina86.com>
X-Git-Refname: refs/heads/master
X-Git-Oldrev: f2913118cdbe72e1e6d89273eddabdf35e9d6b73
X-Git-Newrev: a9880586eedb3ba89ca6a7c5e3f0664c279cf636
Message-Id: <20210413201206.5AAA93953C38@sourceware.org>
Date: Tue, 13 Apr 2021 20:12:06 +0000 (GMT)
X-BeenThere: glibc-cvs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-cvs mailing list <glibc-cvs.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/glibc-cvs>,
 <mailto:glibc-cvs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/glibc-cvs/>
List-Help: <mailto:glibc-cvs-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/glibc-cvs>,
 <mailto:glibc-cvs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2021 20:12:06 -0000

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a9880586eedb3ba89ca6a7c5e3f0664c279cf636

commit a9880586eedb3ba89ca6a7c5e3f0664c279cf636
Author: Michal Nazarewicz <mina86@mina86.com>
Date:   Wed Apr 7 17:10:58 2021 +0200

    linux: sysconf: limit _SC_MAX_ARG to 6 MiB (BZ #25305)
    
    Since Linux 4.13, kernel limits the maximum command line arguments
    length to 6 MiB [1].  Normally the limit is still quarter of the maximum
    stack size but if that limit exceeds 6 MiB it's clamped down.
    
    glibc's __sysconf implementation for Linux platform is not aware of
    this limitation and for stack sizes of over 24 MiB it returns higher
    ARG_MAX than Linux will actually accept.  This can be verified by
    executing the following application on Linux 4.13 or newer:
    
        #include <stdio.h>
        #include <string.h>
        #include <sys/resource.h>
        #include <sys/time.h>
        #include <unistd.h>
    
        int main(void) {
                const struct rlimit rlim = { 40 * 1024 * 1024,
                                             40 * 1024 * 1024 };
                if (setrlimit(RLIMIT_STACK, &rlim) < 0) {
                        perror("setrlimit: RLIMIT_STACK");
                        return 1;
                }
    
                printf("ARG_MAX     : %8ld\n", sysconf(_SC_ARG_MAX));
                printf("63 * 100 KiB: %8ld\n", 63L * 100 * 1024);
                printf("6 MiB       : %8ld\n", 6L * 1024 * 1024);
    
                char str[100 * 1024], *argv[64], *envp[1];
                memset(&str, 'A', sizeof str);
                str[sizeof str - 1] = '\0';
                for (size_t i = 0; i < sizeof argv / sizeof *argv - 1; ++i) {
                        argv[i] = str;
                }
                argv[sizeof argv / sizeof *argv - 1] = envp[0] = 0;
    
                execve("/bin/true", argv, envp);
                perror("execve");
                return 1;
        }
    
    On affected systems the program will report ARG_MAX as 10 MiB but
    despite that executing /bin/true with a bit over 6 MiB of command line
    arguments will fail with E2BIG error.  Expected result is that ARG_MAX
    is reported as 6 MiB.
    
    Update the __sysconf function to clamp ARG_MAX value to 6 MiB if it
    would otherwise exceed it.  This resolves bug #25305 which was market
    WONTFIX as suggested solution was to cap ARG_MAX at 128 KiB.
    
    As an aside and point of comparison, bionic (a libc implementation for
    Android systems) decided to resolve this issue by always returning 128
    KiB ignoring any potential xargs regressions [2].
    
    On older kernels this results in returning overly conservative value
    but that's a safer option than being aggressive and returning invalid
    value on recent systems.  It's also worth noting that at this point
    all supported Linux releases have the 6 MiB barrier so only someone
    running an unsupported kernel version would get incorrectly truncated
    result.
    
    Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
    
    [1] See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=da029c11e6b12f321f36dac8771e833b65cec962
    [2] See https://android.googlesource.com/platform/bionic/+/baed51ee3a13dae4b87b11870bdf7f10bdc9efc1

Diff:
---
 sysdeps/unix/sysv/linux/sysconf.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/sysdeps/unix/sysv/linux/sysconf.c b/sysdeps/unix/sysv/linux/sysconf.c
index 366fcef01e..41319b19ac 100644
--- a/sysdeps/unix/sysv/linux/sysconf.c
+++ b/sysdeps/unix/sysv/linux/sysconf.c
@@ -33,6 +33,9 @@
    actual value varies based on the stack size.  */
 #define legacy_ARG_MAX 131072
 
+/* Newer kernels (4.13) limit the maximum command line arguments lengths to
+   6MiB.  */
+#define maximum_ARG_MAX 6291456
 
 static long int posix_sysconf (int name);
 
@@ -55,7 +58,10 @@ __sysconf (int name)
         struct rlimit rlimit;
         /* Use getrlimit to get the stack limit.  */
         if (__getrlimit (RLIMIT_STACK, &rlimit) == 0)
-	  return MAX (legacy_ARG_MAX, rlimit.rlim_cur / 4);
+	  {
+	    const long int limit = MAX (legacy_ARG_MAX, rlimit.rlim_cur / 4);
+	    return MIN (limit, maximum_ARG_MAX);
+	  }
 
         return legacy_ARG_MAX;
       }