From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, David Herrmann <dh.herrmann@gmail.com>,
Willy Tarreau <w@1wt.eu>,
Linus Torvalds <torvalds@linux-foundation.org>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.10 21/80] unix: correctly track in-flight fds in sending process user_struct
Date: Tue, 1 Mar 2016 15:45:15 -0800 [thread overview]
Message-ID: <20160301234350.326002434@linuxfoundation.org> (raw)
In-Reply-To: <20160301234349.667990420@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
commit 415e3d3e90ce9e18727e8843ae343eda5a58fad6 upstream.
The commit referenced in the Fixes tag incorrectly accounted the number
of in-flight fds over a unix domain socket to the original opener
of the file-descriptor. This allows another process to arbitrary
deplete the original file-openers resource limit for the maximum of
open files. Instead the sending processes and its struct cred should
be credited.
To do so, we add a reference counted struct user_struct pointer to the
scm_fp_list and use it to account for the number of inflight unix fds.
Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
Reported-by: David Herrmann <dh.herrmann@gmail.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/af_unix.h | 4 ++--
include/net/scm.h | 1 +
net/core/scm.c | 7 +++++++
net/unix/af_unix.c | 4 ++--
net/unix/garbage.c | 8 ++++----
5 files changed, 16 insertions(+), 8 deletions(-)
--- a/include/net/af_unix.h
+++ b/include/net/af_unix.h
@@ -6,8 +6,8 @@
#include <linux/mutex.h>
#include <net/sock.h>
-extern void unix_inflight(struct file *fp);
-extern void unix_notinflight(struct file *fp);
+extern void unix_inflight(struct user_struct *user, struct file *fp);
+extern void unix_notinflight(struct user_struct *user, struct file *fp);
extern void unix_gc(void);
extern void wait_for_unix_gc(void);
extern struct sock *unix_get_socket(struct file *filp);
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -21,6 +21,7 @@ struct scm_creds {
struct scm_fp_list {
short count;
short max;
+ struct user_struct *user;
struct file *fp[SCM_MAX_FD];
};
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *c
*fplp = fpl;
fpl->count = 0;
fpl->max = SCM_MAX_FD;
+ fpl->user = NULL;
}
fpp = &fpl->fp[fpl->count];
@@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *c
*fpp++ = file;
fpl->count++;
}
+
+ if (!fpl->user)
+ fpl->user = get_uid(current_user());
+
return num;
}
@@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *sc
scm->fp = NULL;
for (i=fpl->count-1; i>=0; i--)
fput(fpl->fp[i]);
+ free_uid(fpl->user);
kfree(fpl);
}
}
@@ -337,6 +343,7 @@ struct scm_fp_list *scm_fp_dup(struct sc
for (i = 0; i < fpl->count; i++)
get_file(fpl->fp[i]);
new_fpl->max = new_fpl->count;
+ new_fpl->user = get_uid(fpl->user);
}
return new_fpl;
}
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1466,7 +1466,7 @@ static void unix_detach_fds(struct scm_c
UNIXCB(skb).fp = NULL;
for (i = scm->fp->count-1; i >= 0; i--)
- unix_notinflight(scm->fp->fp[i]);
+ unix_notinflight(scm->fp->user, scm->fp->fp[i]);
}
static void unix_destruct_scm(struct sk_buff *skb)
@@ -1531,7 +1531,7 @@ static int unix_attach_fds(struct scm_co
return -ENOMEM;
for (i = scm->fp->count - 1; i >= 0; i--)
- unix_inflight(scm->fp->fp[i]);
+ unix_inflight(scm->fp->user, scm->fp->fp[i]);
return max_level;
}
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -122,7 +122,7 @@ struct sock *unix_get_socket(struct file
* descriptor if it is for an AF_UNIX socket.
*/
-void unix_inflight(struct file *fp)
+void unix_inflight(struct user_struct *user, struct file *fp)
{
struct sock *s = unix_get_socket(fp);
@@ -139,11 +139,11 @@ void unix_inflight(struct file *fp)
}
unix_tot_inflight++;
}
- fp->f_cred->user->unix_inflight++;
+ user->unix_inflight++;
spin_unlock(&unix_gc_lock);
}
-void unix_notinflight(struct file *fp)
+void unix_notinflight(struct user_struct *user, struct file *fp)
{
struct sock *s = unix_get_socket(fp);
@@ -157,7 +157,7 @@ void unix_notinflight(struct file *fp)
list_del_init(&u->link);
unix_tot_inflight--;
}
- fp->f_cred->user->unix_inflight--;
+ user->unix_inflight--;
spin_unlock(&unix_gc_lock);
}
next prev parent reply other threads:[~2016-03-02 2:18 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-01 23:44 [PATCH 3.10 00/80] 3.10.99-stable review Greg Kroah-Hartman
2016-03-01 23:44 ` [PATCH 3.10 01/80] tracepoints: Do not trace when cpu is offline Greg Kroah-Hartman
2016-03-01 23:44 ` [PATCH 3.10 02/80] drm/ast: Initialized data needed to map fbdev memory Greg Kroah-Hartman
2016-03-01 23:44 ` [PATCH 3.10 03/80] netfilter: nf_conntrack: fix RCU race in nf_conntrack_find_get Greg Kroah-Hartman
2016-03-01 23:44 ` [PATCH 3.10 04/80] bcache: unregister reboot notifier if bcache fails to unregister device Greg Kroah-Hartman
2016-03-01 23:44 ` [PATCH 3.10 05/80] tools: Add a "make all" rule Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 06/80] drm/radeon: fix hotplug race at startup Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 07/80] efi: Disable interrupts around EFI calls, not in the epilog/prolog calls Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 08/80] dm thin metadata: fix bug when taking a metadata snapshot Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 09/80] dm thin: fix race condition when destroying thin pool workqueue Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 10/80] can: ems_usb: Fix possible tx overflow Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 11/80] USB: cp210x: add IDs for GE B650V3 and B850V3 boards Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 12/80] USB: option: add support for SIM7100E Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 14/80] proc: Fix ptrace-based permission checks for accessing task maps Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 15/80] iw_cxgb3: Fix incorrectly returning error on success Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 16/80] MIPS: KVM: Fix ASID restoration logic Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 17/80] MIPS: KVM: Fix CACHE immediate offset sign extension Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 18/80] MIPS: KVM: Uninit VCPU in vcpu_create error path Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 19/80] splice: sendfile() at once fails for big files Greg Kroah-Hartman
2016-03-01 23:45 ` Greg Kroah-Hartman [this message]
2016-03-01 23:45 ` [PATCH 3.10 23/80] dts: vt8500: Add SDHC node to DTS file for WM8650 Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 24/80] clocksource/drivers/vt8500: Increase the minimum delta Greg Kroah-Hartman
2016-03-01 23:45 ` Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 25/80] lockd: create NSM handles per net namespace Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 26/80] devres: fix a for loop bounds check Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 27/80] wm831x_power: Use IRQF_ONESHOT to request threaded IRQs Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 28/80] megaraid_sas: Do not use PAGE_SIZE for max_sectors Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 29/80] megaraid_sas : SMAP restriction--do not access user memory from IOCTL code Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 30/80] mmc: remove bondage between REQ_META and reliable write Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 31/80] mac: validate mac_partition is within sector Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 32/80] ARC: dw2 unwind: Remove falllback linear search thru FDE entries Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 33/80] vfs: Avoid softlockups with sendfile(2) Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 34/80] ring-buffer: Update read stamp with first real commit on page Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 35/80] virtio: fix memory leak of virtio ida cache layers Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 36/80] mac80211: mesh: fix call_rcu() usage Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 37/80] RDS: fix race condition when sending a message on unbound socket Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 38/80] can: sja1000: clear interrupts on start Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 39/80] sched/core: Remove false-positive warning from wake_up_process() Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 40/80] sata_sil: disable trim Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 41/80] dm btree: fix bufio buffer leaks in dm_btree_del() error path Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 42/80] vgaarb: fix signal handling in vga_get() Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 43/80] rfkill: copy the name into the rfkill struct Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 44/80] ses: Fix problems with simple enclosures Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 45/80] ses: fix additional element traversal bug Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 46/80] scripts: recordmcount: break hardlinks Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 47/80] Btrfs: add missing brelse when superblock checksum fails Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 48/80] Btrfs: igrab inode in writepage Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 49/80] Btrfs: send, dont BUG_ON() when an empty symlink is found Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 50/80] Btrfs: fix number of transaction units required to create symlink Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 51/80] s390: fix normalization bug in exception table sorting Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 52/80] s390/dasd: prevent incorrect length error under z/VM after PAV changes Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 53/80] s390/dasd: fix refcount for PAV reassignment Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 54/80] uml: flush stdout before forking Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 55/80] uml: fix hostfs mknod() Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 56/80] [media] media: dvb-core: Dont force CAN_INVERSION_AUTO in oneshot mode Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 57/80] [media] gspca: ov534/topro: prevent a division by 0 Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 58/80] [media] tda1004x: only update the frontend properties if locked Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 59/80] dm snapshot: fix hung bios when copy error occurs Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 60/80] posix-clock: Fix return code on the poll methods error path Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 61/80] mmc: mmci: fix an ages old detection error Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 62/80] sparc64: fix incorrect sign extension in sys_sparc64_personality Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 63/80] drm/vmwgfx: respect nomodeset Greg Kroah-Hartman
2016-03-01 23:45 ` [PATCH 3.10 64/80] drm/radeon: clean up fujitsu quirks Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 67/80] IB/qib: fix mcast detach when qp not attached Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 68/80] libceph: dont bail early from try_read() when skipping a message Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 69/80] cdc-acm:exclude Samsung phone 04e8:685d Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 70/80] rfkill: fix rfkill_fop_read wait_event usage Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 71/80] Revert "workqueue: make sure delayed work run in local cpu" Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 72/80] libata: fix sff host state machine locking while polling Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 73/80] PCI/AER: Flush workqueue on device remove to avoid use-after-free Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 74/80] nfs: fix nfs_size_to_loff_t Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 75/80] KVM: async_pf: do not warn on page allocation failures Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 76/80] tracing: Fix showing function event in available_events Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 77/80] sunrpc/cache: fix off-by-one in qword_get() Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 78/80] kernel/resource.c: fix muxed resource handling in __request_region() Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 79/80] do_last(): dont let a bogus return value from ->open() et.al. to confuse us Greg Kroah-Hartman
2016-03-01 23:46 ` [PATCH 3.10 80/80] xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted Greg Kroah-Hartman
2016-03-02 1:37 ` [PATCH 3.10 00/80] 3.10.99-stable review Shuah Khan
2016-03-02 14:32 ` Guenter Roeck
2016-03-02 15:48 ` Willy Tarreau
2016-03-02 17:29 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160301234350.326002434@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dh.herrmann@gmail.com \
--cc=hannes@stressinduktion.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.