Re: Local DoS on single_open?

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: viro@parcelfarce.linux.theplanet.co.uk
To: Keith Owens <kaos@ocs.com.au>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Local DoS on single_open?
Date: Thu, 11 Sep 2003 08:32:39 +0100	[thread overview]
Message-ID: <20030911073239.GU454@parcelfarce.linux.theplanet.co.uk> (raw)
In-Reply-To: <5311.1063265214@kao2.melbourne.sgi.com>

On Thu, Sep 11, 2003 at 05:26:54PM +1000, Keith Owens wrote:
> On Thu, 11 Sep 2003 05:55:07 +0100, 
> viro@parcelfarce.linux.theplanet.co.uk wrote:
> >On Thu, Sep 11, 2003 at 02:42:13PM +1000, Keith Owens wrote:
> >> single_open() requires the kernel to kmalloc a buffer which lives until
> >> the userspace caller closes the file.  What prevents a malicious user
> >> opening the same /proc entry multiple times, allocating lots of kmalloc
> >> space and causing a local DoS?
> >
> >Size of that buffer is limited.  IOW, it's not different from opening
> >e.g. a shitload of pipes or sockets.
> 
> In some cases, the buffer size is set to hold _all_ of the output for
> that particular /proc file and will be much larger than the data
> reserved for files and sockets.  It is a difference in scale.
> 
> fs/proc/proc_misc.c		stat_open
> fs/proc/proc_misc.c		interrupts_open
> kernel/dma.c			proc_dma_open
> 
> All those functions will kmalloc a reasonably sized buffer then let the
> user control the lifetime of that buffer.  Looks like a recipe for a
> local DoS to me.

struct file: 256 bytes due to cacheline alignment
struct dentry: 128 bytes, IIRC
struct inode: either 256 bytes or 512 bytes.
struct socket and struct sock: bugger if I remember, but it's not small.

     prev parent reply	other threads:[~2003-09-11  7:32 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-09-11  4:42 Local DoS on single_open? Keith Owens
2003-09-11  4:51 ` Nick Piggin
2003-09-11  7:04   ` Keith Owens
2003-09-11  7:29     ` viro
2003-09-11  4:55 ` viro
2003-09-11  7:26   ` Keith Owens
2003-09-11  7:32     ` viro [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20030911073239.GU454@parcelfarce.linux.theplanet.co.uk \
    --to=viro@parcelfarce.linux.theplanet.co.uk \
    --cc=kaos@ocs.com.au \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox