What's wrong with the obvious workaround of setting a stack size limit? The exploit program then outputs a boring "execve failed" message and nothing bad happens.
Another old security problem
Posted Sep 9, 2010 20:30 UTC (Thu) by martinfick (subscriber, #4455)
I suspect that the obvious problem is the limit. Who wants arbitrary limits that are not based on available resources and that affect potentially valid use cases (non exploits)? As for the "nothing bad happens", did you forget that the program (and now likely others that should) didn't run? By many people's standards, that would be something bad happening. :(
Posted Sep 9, 2010 22:38 UTC (Thu) by marcH (subscriber, #57642)
Calling a megabytes argv a "valid use case" is a bit of a stretch.
Posted Sep 9, 2010 23:02 UTC (Thu) by bronson (subscriber, #4806)
A gigabytes argv would be a stretch. But megabytes? That seems pretty reasonable to me.
Posted Sep 15, 2010 0:51 UTC (Wed) by roelofs (guest, #2599)
Absolutely. A minor side project of mine involves the generation of 35000 time-series images per year, each with a name of the form "fubar-XX-yyyymmdd-hhmm-UTC.png". As a same-dir glob, that works out to just over a megabyte; add a "yyyy/" directory prefix and multiple years, and you're easily into the 10MB range. Increase the time resolution by a factor of 3 to 5, and you're well on your way to 100MB. (And yes, it's very cool to watch a full-year sequence animate, particularly on a fast machine; a 5- or 10-year sequence would be even better, assuming I could hit 60fps on the decode.) Of course, at some point it becomes a database-driven custom app, but 10MB command lines are not out of the question with the trivial hack I have so far.
Posted Sep 9, 2010 23:04 UTC (Thu) by martinfick (subscriber, #4455)
Posted Sep 13, 2010 19:18 UTC (Mon) by nix (subscriber, #2304)
Posted Sep 13, 2010 19:25 UTC (Mon) by martinfick (subscriber, #4455)
Copyright © 2013, Eklektix, Inc.