Commit 04e35f44 authored by Kees Cook's avatar Kees Cook Committed by Linus Torvalds
Browse files

exec: avoid RLIMIT_STACK races with prlimit()

While the defense-in-depth RLIMIT_STACK limit on setuid processes was
protected against races from other threads calling setrlimit(), I missed
protecting it against races from external processes calling prlimit().
This adds locking around the change and makes sure that rlim_max is set

Fixes: 64701dee

 ("exec: Use sane stack rlimit under secureexec")
Signed-off-by: default avatarKees Cook <>
Reported-by: default avatarBen Hutchings <>
Reported-by: default avatarBrad Spengler <>
Acked-by: default avatarSerge Hallyn <>
Cc: James Morris <>
Cc: Andy Lutomirski <>
Cc: Oleg Nesterov <>
Cc: Jiri Slaby <>
Cc: <>
Signed-off-by: default avatarAndrew Morton <>
Signed-off-by: default avatarLinus Torvalds <>
parent 5f1d43de
......@@ -1340,10 +1340,15 @@ void setup_new_exec(struct linux_binprm * bprm)
* avoid bad behavior from the prior rlimits. This has to
* happen before arch_pick_mmap_layout(), which examines
* RLIMIT_STACK, but after the point of no return to avoid
* needing to clean up the change on failure.
* races from other threads changing the limits. This also
* must be protected from races with prlimit() calls.
if (current->signal->rlim[RLIMIT_STACK].rlim_cur > _STK_LIM)
current->signal->rlim[RLIMIT_STACK].rlim_cur = _STK_LIM;
if (current->signal->rlim[RLIMIT_STACK].rlim_max > _STK_LIM)
current->signal->rlim[RLIMIT_STACK].rlim_max = _STK_LIM;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment