From: Shan Wei <shanwei@cn.fujitsu.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: "Марк Коренберг" <socketpair@gmail.com>,
	"David Miller" <davem@davemloft.net>,
	netdev@vger.kernel.org
Subject: Re: Fwd: Simple kernel attack using socketpair. easy, 100% reproducible, works under guest. no way to protect :(
Date: Fri, 26 Nov 2010 12:38:07 +0800
Message-ID: <4CEF39AF.6090605@cn.fujitsu.com>
In-Reply-To: <1290694299.2858.330.camel@edumazet-laptop>

Eric Dumazet wrote, at 11/25/2010 10:11 PM:
> On Thursday, 25 November 2010 at 13:35 +0500, Марк Коренберг wrote:
>> quick and dirty fix will be not to allow to pass unix socket inside
>> unix socket. I think it would not break much applications.
> 
> Really, if it was not needed, net/unix/garbage.c would not exist at
> all...
> 
> It is needed by some apps.
> 
> 
> [PATCH] af_unix: limit recursion level
> 
> It's easy to eat all kernel memory and trigger the NMI watchdog, using an
> exploit program that queues unix sockets on top of others.
> 
> lkml ref : http://lkml.org/lkml/2010/11/25/8
> 
> This mechanism is used in applications, one choice we have is to have a
> recursion limit.
> 
> Other limits might be needed as well (if we queue other types of files),
> since the passfd mechanism is currently limited by socket receive queue
> sizes only.
> 
> Add a recursion_level to unix socket, allowing up to 4 levels.
> 
> Each time we send a unix socket through the sendfd mechanism, we copy its
> recursion level (plus one) to the receiver. This recursion level is cleared
> when the socket receive queue is emptied.
> 
> Reported-by: Марк Коренберг <socketpair@gmail.com>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

This problem is the same as the one reported under the title "Unix socket local DOS (OOM)", right?
After applying this patch, this program can be killed now, but it still eats 100% CPU.

-- 
Best Regards
-----
Shan Wei
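The patch description above talks about "queuing unix sockets on top of others" and a per-socket recursion level that grows by one each time a socket is passed through another socket and is checked against a limit of 4. The program below is an added example, written for this page; it is not code from the thread, from the reporter's exploit, or from the kernel patch. It passes descriptors with SCM_RIGHTS over AF_UNIX datagram socketpairs and nests them one level at a time, leaving each passed socket unread in the next socket's receive queue (reading the queue would clear the level, per the description), so the caller can see how many levels the running kernel accepts and which errno the refusing sendmsg() returns. The depth at which it stops, and whether it stops at all, depends on the kernel version and is not stated in the page; the version of this patch that was merged refuses the excess level with ETOOMANYREFS. Function names and the 64-level cap in main() are this example's own choices.

```c
/* Added example: probe SCM_RIGHTS nesting depth on AF_UNIX (Linux). Build: cc -Wall -o nest nest.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Pass fd_to_pass over sock with SCM_RIGHTS. Returns 0, or -errno from sendmsg(). */
static int send_fd(int sock, int fd_to_pass)
{
	char byte = 'x';	/* at least one data byte must accompany the control message */
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cm;
	struct msghdr msg;

	memset(&cm, 0, sizeof cm);
	memset(&msg, 0, sizeof msg);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cm.buf;
	msg.msg_controllen = sizeof cm.buf;

	struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
	c->cmsg_level = SOL_SOCKET;
	c->cmsg_type = SCM_RIGHTS;
	c->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(c), &fd_to_pass, sizeof(int));
	return sendmsg(sock, &msg, 0) < 0 ? -errno : 0;
}

/* Receive one SCM_RIGHTS fd from sock. Returns the new fd, or a negative errno value. */
static int recv_fd(int sock)
{
	char byte;
	struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
	union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cm;
	struct msghdr msg;
	int fd = -1;

	memset(&cm, 0, sizeof cm);
	memset(&msg, 0, sizeof msg);
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = cm.buf;
	msg.msg_controllen = sizeof cm.buf;

	if (recvmsg(sock, &msg, 0) < 0)
		return -errno;
	struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
	if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
		return -EBADMSG;
	memcpy(&fd, CMSG_DATA(c), sizeof(int));
	return fd;
}

/* Nest sockets up to max_depth levels: level i's receiving end is left unread in
 * level i+1's receive queue, which is the recursion the patch counts. Returns the
 * number of levels the kernel accepted; *err is 0, or the errno of the sendmsg()
 * that refused the next level. All descriptors are closed before returning. */
int nest_unix_sockets(int max_depth, int *err)
{
	int cur[2], depth = 0;

	*err = 0;
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, cur) < 0) {
		*err = errno;
		return -1;
	}
	while (depth < max_depth) {
		int outer[2];
		if (socketpair(AF_UNIX, SOCK_DGRAM, 0, outer) < 0) {
			*err = errno;
			break;
		}
		int rc = send_fd(outer[0], cur[0]);	/* queues cur[0] in outer[1]'s receive queue */
		if (rc < 0) {
			*err = -rc;
			close(outer[0]);
			close(outer[1]);
			break;
		}
		close(cur[0]);	/* the queued message is now the only reference to this pair */
		close(cur[1]);
		cur[0] = outer[1];	/* the socket that now holds a nested socket */
		cur[1] = outer[0];
		depth++;
	}
	close(cur[0]);
	close(cur[1]);
	return depth;
}

/* 1 if the kernel accepted exactly `depth` levels with no error. */
int nest_ok_to_depth(int depth)
{
	int err;
	return nest_unix_sockets(depth, &err) == depth && err == 0;
}

/* 1 if a socket passed through another socket is usable on the receiving side. */
int roundtrip_ok(void)
{
	int a[2], b[2], got = -1, ok = 0;
	char c = 0;

	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, a) < 0)
		return 0;
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, b) < 0) {
		close(a[0]);
		close(a[1]);
		return 0;
	}
	if (send_fd(b[0], a[0]) == 0 && (got = recv_fd(b[1])) >= 0 &&
	    write(a[1], "y", 1) == 1 && read(got, &c, 1) == 1 && c == 'y')
		ok = 1;
	if (got >= 0)
		close(got);
	close(a[0]); close(a[1]); close(b[0]); close(b[1]);
	return ok;
}

int main(void)
{
	int err, depth = nest_unix_sockets(64, &err);	/* 64 is an arbitrary cap for the probe */
	printf("roundtrip ok: %d\n", roundtrip_ok());
	printf("nested %d level(s); stopped with: %s\n", depth,
	       err ? strerror(err) : "no error (limit not hit within 64 levels)");
	return 0;
}
```

Running this on a kernel with the limit prints the depth at which sendmsg() is refused together with the errno; on a kernel without it the probe simply runs to the cap. Because the nested sockets are closed at the end, the chain is reclaimed by net/unix/garbage.c, the same collector the thread mentions; the reporter's program differs in that it keeps creating such chains without bound.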

Thread overview: 17+ messages
2010-11-25  5:57 Simple kernel attack using socketpair. easy, 100% reproducible, works under guest. no way to protect :( Марк Коренберг
2010-11-25  6:28 ` Eric Dumazet
2010-11-25  6:52   ` Марк Коренберг
     [not found]     ` <1290668246.2798.93.camel@edumazet-laptop>
     [not found]       ` <AANLkTinQa8BCH-k0m=ndu4u8L-kCiD00jYjKvsvoxK2E@mail.gmail.com>
2010-11-25  7:52         ` Fwd: " Марк Коренберг
2010-11-25  8:16           ` Eric Dumazet
2010-11-25  8:35             ` Марк Коренберг
2010-11-25 14:11               ` Eric Dumazet
2010-11-26  4:38                 ` Shan Wei [this message]
2010-11-26  6:23                   ` Eric Dumazet
2010-11-26  7:52                     ` Shan Wei
2010-11-26  7:41                 ` Shan Wei
2010-11-26  8:22                   ` Eric Dumazet
2010-11-26  8:59                     ` Eric Dumazet
2010-11-29 17:46                 ` David Miller
2010-11-29 18:01                   ` Eric Dumazet
     [not found]       ` <AANLkTinRhmiVoVR5ibWOKe-OhY4fYUs_PHSATjxMGqg9@mail.gmail.com>
     [not found]         ` <1290670889.2798.127.camel@edumazet-laptop>
2010-11-25  8:05           ` Марк Коренберг
2010-11-25  7:14   ` Eric Dumazet
