| blob | e9f32e87ebcd64802d062dfd3a1592cb78a11c8c |
1 <!-- subject: Will the real <code>ARG_MAX</code> please stand up? Part 2 -->
2 <!-- date: 2021-04-18 01:49:29 -->
3 <!-- tags: arg_max, unix, linux -->
4 <!-- categories: Articles, Techblog -->
8 experimentally how it limits arguments passed to programs and what influences
9 the value. This time, we’ll look directly at the source to verify our
11 system libraries and kernel itself.
13 <!-- FULL -->
19 uses to report the limit. But even though the result of the function is
20 closely related to the kernel, looking for its definition in the Linux source
21 code is an exercise in futility. Rather, the function is defined in the
22 C system library which, in GNU/Linux distributions, is commonly providedy by
23 the glibc package.
25 <p>glibc is a cross-platform library which supports many kernels and
26 architectures. It often includes multiple definitions of the same function
27 each tailored for particular platform. Such is the case
29 in glibc 2.33, the implementation we’re interested in is located
32 <pre>
33 #define legacy_ARG_MAX 131072
37 long int
38 __sysconf (int name)
39 {
40 const char *procfname = NULL;
42 switch (name)
43 {
46 case _SC_ARG_MAX:
47 {
48 struct rlimit rlimit;
49 /* Use getrlimit to get the stack limit. */
51 return MAX (legacy_ARG_MAX, rlimit.rlim_cur / 4);
53 return legacy_ARG_MAX;
54 }
57 }
59 return posix_sysconf (name);
60 }
61 </pre>
63 <p>This code explains discrepancies we’ve observed
69 as quarter of maximum stack size.
71 <p>glibc isn’t the only library used on Linux systems. Others have their
77 has released
78 with <a href="https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a9880586eedb3ba89ca6a7c5e3f0664c279cf636">my
81 large stacks.
89 In Linux 5.11.11 it looks as follows:
91 <pre>
92 SYSCALL_DEFINE3(execve,
93 const char __user *, filename,
94 const char __user *const __user *, argv,
95 const char __user *const __user *, envp)
96 {
97 return do_execve(getname(filename), argv, envp);
98 }
99 </pre>
103 so that’s what we’re going to take a closer look at. It is where most of the
104 checks and calculations happen:
106 <pre>
107 static int do_execveat_common(int fd, struct filename *filename,
108 struct user_arg_ptr argv,
109 struct user_arg_ptr envp,
110 int flags)
111 {
112 struct linux_binprm *bprm;
113 int retval;
116 retval = count(argv, MAX_ARG_STRINGS);
118 goto out_free;
119 bprm->argc = retval;
121 retval = count(envp, MAX_ARG_STRINGS);
123 goto out_free;
124 bprm->envc = retval;
126 retval = bprm_stack_limits(bprm);
128 goto out_free;
130 retval = copy_string_kernel(bprm->filename, bprm);
132 goto out_free;
135 retval = copy_strings(bprm->envc, envp, bprm);
137 goto out_free;
139 retval = copy_strings(bprm->argc, argv, bprm);
141 goto out_free;
143 retval = bprm_execve(bprm, fd, filename, flags);
146 return retval;
147 }
148 </pre>
151 command line arguments and environment variables. Each call may fail if the
153 another limit but in practice the constant is over two billion and, as we’ll
154 see later, there is no way to reach this number without reaching other limits
156 return an error is in case of memory fault, but that’s not interesting for our
157 analysis.
164 structure. It’s defined as follows:
166 <pre>
167 static int bprm_stack_limits(struct linux_binprm *bprm)
168 {
169 unsigned long limit, ptr_size;
173 limit = max_t(unsigned long, limit, ARG_MAX);
176 if (limit <= ptr_size)
177 return -E2BIG;
178 limit -= ptr_size;
181 return 0;
182 }
183 </pre>
186 first expression in the function is what introduces the upper bound of 6 MiB
187 for arguments. It’s worth noting that it’s a relatively new restriction
188 introduced in Linux 4.13 (and later back-ported to previous releases). Why
189 it’s there might be a story for another time.
191 <p>The second expression in the function is what implements the ‘quarter of the
192 stack size’ rule. This is what could be called a ‘normal’ case and definitely
193 is most typical of common desktop and server configurations. With default
194 maximum stack size limit being 8 MiB the default limit for executable
195 arguments ends up being 2 MiB.
197 <p>The third expression sets the limit to be no less than
199 supposed to be a dynamic value and here we see a constant of the same name.
200 As often is the case, the explanation lays in the past. Historically the
201 value was constant and defined as a macro in kernel headers. Eventually,
202 a more dynamic approach was introduced but the definition of the macro stuck.
203 To maintain backwards-compatibility, the dynamic calculation kept the old
204 static value as a lower bound.
206 <p>The last adjustment in the function is to reserve space for
208 accommodate them the function returns an error; otherwise the limit is reduced
209 by the necessary space. This is where we can see that the limit of two
213 million arguments and that’s only on a 32-bit system with all strings empty.
217 arguments can still be stored and the value will be checked later on when
218 program executable path, environment variables and command line arguments are
219 copied. Recall that stack grows downward which is why the field specifies the
220 minimum and why it’s calculated by subtracting the argument size limit from
227 while copying them to the new program’s memory. First, the path to program’s
229 function which is defined as follows:
231 <pre>
232 int copy_string_kernel(const char *arg, struct linux_binprm *bprm)
233 {
235 unsigned long pos = bprm->p;
237 if (len == 0)
238 return -EFAULT;
239 if (!valid_arg_len(bprm, len))
240 return -E2BIG;
242 arg += len;
243 bprm->p -= len;
245 return -E2BIG;
250 return 0;
251 }
252 </pre>
258 the string exceeds the limit, argument list is deemed too long and the
259 function returns an error.
261 <p>Then, the function checks if there’s enough space on stack to fit the string.
262 This is done by moving the stack pointer downwards
264 memory for the argument and checking whether the new position of the edge of
267 argument is copied onto the stack.
270 function calls to transfer environment variables and command line arguments is
271 entirely analogous. The two differences are that i) source data lives in
272 user-space and ii) the function operates in a loop copying a sequence of
273 strings.
275 <pre>
276 static int copy_strings(int argc, struct user_arg_ptr argv,
277 struct linux_binprm *bprm)
278 {
280 int ret;
283 const char __user *str;
284 int len;
285 unsigned long pos;
287 ret = -EFAULT;
288 str = get_user_arg_ptr(argv, argc);
289 if (IS_ERR(str))
290 goto out;
292 len = strnlen_user(str, MAX_ARG_STRLEN);
293 if (!len)
294 goto out;
296 ret = -E2BIG;
297 if (!valid_arg_len(bprm, len))
298 goto out;
300 pos = bprm->p;
301 str += len;
302 bprm->p -= len;
304 goto out;
308 }
309 ret = 0;
310 out:
312 return ret;
313 }
314 </pre>
316 <p>Having to read from user-space complicates the function, though much of that
317 complexity has been hidden from the listing above in the elided code. The
327 <p>This concludes the investigation. In the previous article we’ve seen how the
328 argument length limit affects user-space, here we looked at the source code of
329 the kernel to confirm our previous findings. There are still a few minor
330 mysteries — such as why the 6 MiB exists or what happens if maximum stack size
331 is less that 128 KiB — which I may tackle at another time.
333 <p>It remains important to remember that our findings are true for Linux only.
334 Other kernels will set the limit differently and count different things
335 towards it. POSIX leaves the details purposefully vague. As a result
336 a portable application may struggle to interpret the limit; it should not only
340 <p>Fortunately, UNIX-like systems provide a simple solution in the form
342 should be much easier to use and sufficient for most cases. They will
343 typically know how to deal with the command’s argument size limit.
345 <p>Whatever the case may be, I hope this article has been informative and
346 provided further understanding of the kernel and it’s interaction with
347 user-space}.