Subject: Re: [PATCH] unix: properly account for FDs passed over unix sockets
From: Hannes Frederic Sowa
To: Willy Tarreau
Cc: "David S. Miller", netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Linus Torvalds, Eric Dumazet, socketpair@gmail.com
Date: Wed, 30 Dec 2015 09:58:42 +0100
Message-ID: <56839CC2.9080000@stressinduktion.org>
In-Reply-To: <20151229203527.GA13826@1wt.eu>
References: <20151228141435.GA13351@1wt.eu> <56829D4D.4090109@stressinduktion.org> <20151229203527.GA13826@1wt.eu>

On 29.12.2015 21:35, Willy Tarreau wrote:
> On Tue, Dec 29, 2015 at 03:48:45PM +0100, Hannes Frederic Sowa wrote:
>> On 28.12.2015 15:14, Willy Tarreau wrote:
>>> It is possible for a process to allocate and accumulate far more FDs than
>>> the process' limit by sending them over a unix socket then closing them
>>> to keep the process' fd count low.
>>>
>>> This change addresses this problem by keeping track of the number of FDs
>>> in flight per user and preventing non-privileged processes from having
>>> more FDs in flight than their configured FD limit.
>>>
>>> Reported-by: socketpair@gmail.com
>>> Suggested-by: Linus Torvalds
>>> Signed-off-by: Willy Tarreau
>>
>> Thanks for the patch!
>>
>> I think this does not close the DoS attack completely as we duplicate
>> fds if the reader uses MSG_PEEK on the unix domain socket and thus
>> clones the fd. Have I overlooked something?
>
> I didn't know this behaviour. However, then the fd remains in flight, right?
> So as long as it's not removed from the queue, the sender cannot add more
> than its FD limit. I may be missing something obvious though :-/

Yes, it remains in flight. The MSG_PEEK code should not be harmful and
the patch is good as is.

I first understood from the published private thread that it is possible
for a program to exceed the rlimit of fds. But the DoS is only by keeping
the fds in flight and not attaching them to any program. __alloc_fd,
called on the receiver side, does check for the rlimit maximum anyway,
so I don't see a loophole anymore:

Acked-by: Hannes Frederic Sowa

Another idea would be to add the amount of memory used to manage the fds
to sock_rmem/wmem but I don't see any advantages or disadvantages.

Thanks!
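The two behaviours the thread turns on can be observed from userspace. The following is an added example written for this page, not code from the thread or from Willy's patch; it assumes Linux with /dev/null available, and the function names (send_fd, recv_fd, peek_then_receive, in_flight_survive_close) are this example's own. The first function sends one fd with SCM_RIGHTS, closes it in the sender, and shows that a MSG_PEEK receive installs a new fd in the receiver while the message (and the fd it carries) stays queued, so a second, real receive installs another one: the peeked copy goes through the receiver's own fd table and is therefore subject to the receiver's rlimit, which is Hannes's point about __alloc_fd. The second function sends N fds, closes all of them locally, and shows that the receiver can still recover every one of them: that is the "in flight" state the patch accounts for per user.

```c
/* Added example (not from the thread or the patch). Assumes Linux; /dev/null
 * is used only as a cheap file to open. Build: cc -Wall fd_inflight.c */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <fcntl.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>

/* Send one fd over an AF_UNIX socket as an SCM_RIGHTS control message. */
static int send_fd(int sock, int fd)
{
    char dummy = 'x';                              /* one payload byte per message */
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type  = SCM_RIGHTS;
    c->cmsg_len   = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one message and return the fd it carried, or -1 (no message / no fd).
 * `flags` is passed straight to recvmsg (MSG_PEEK, MSG_DONTWAIT, ...). */
static int recv_fd(int sock, int flags)
{
    char dummy;
    struct iovec iov = { .iov_base = &dummy, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, flags) != 1)
        return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* One fd is sent and closed by the sender. Returns how many valid fds the
 * receiver ends up holding: one from MSG_PEEK (message stays queued) plus one
 * from the real receive; a third, non-blocking receive finds the queue empty. */
int peek_then_receive(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0 || send_fd(sv[0], fd) < 0) return -1;
    close(fd);                         /* sender drops it; the queued skb still holds it */

    int peeked = recv_fd(sv[1], MSG_PEEK);      /* new fd in receiver, message not dequeued */
    int real   = recv_fd(sv[1], 0);             /* another new fd, message now dequeued */
    int again  = recv_fd(sv[1], MSG_DONTWAIT);  /* -1: nothing left in flight */

    struct stat st;
    int valid = 0;
    if (peeked >= 0 && fstat(peeked, &st) == 0) valid++;
    if (real   >= 0 && fstat(real,   &st) == 0) valid++;
    if (again  >= 0) valid++;

    if (peeked >= 0) close(peeked);
    if (real   >= 0) close(real);
    close(sv[0]); close(sv[1]);
    return valid;                      /* 2 */
}

/* Send n fds, close every one of them in the sender, then receive them all.
 * Returns how many the receiver could still fstat(): they survived the
 * sender's close() because the socket queue kept them alive ("in flight"). */
int in_flight_survive_close(int n)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    for (int i = 0; i < n; i++) {
        int fd = open("/dev/null", O_RDONLY);
        if (fd < 0 || send_fd(sv[0], fd) < 0) return -1;
        close(fd);                     /* sender's fd count stays at baseline */
    }
    int alive = 0;
    struct stat st;
    for (int i = 0; i < n; i++) {
        int fd = recv_fd(sv[1], 0);
        if (fd >= 0 && fstat(fd, &st) == 0) alive++;
        if (fd >= 0) close(fd);
    }
    close(sv[0]); close(sv[1]);
    return alive;                      /* n */
}

int main(void)
{
    printf("fds installed after peek + receive of one sent fd: %d\n", peek_then_receive());
    printf("fds alive after sender closed all 64 sent fds:     %d\n", in_flight_survive_close(64));
    return 0;
}
```

Both receives in peek_then_receive land in the receiver's fd table, so the receiver cannot use MSG_PEEK to escape its own RLIMIT_NOFILE; the resource that has no per-process owner is the queued message in in_flight_survive_close, which is why the patch counts those per user rather than per process.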