From: Rainer Weikusat
To: Ben Hutchings
Cc: Rainer Weikusat, Philipp Hahn, Hannes Frederic Sowa, Sasha Levin, "David S. Miller", linux-kernel@vger.kernel.org, Karolin Seeger, Jason Baron, Greg Kroah-Hartman, Arvid Requate, Stefan Gohmann, netdev@vger.kernel.org
Subject: Re: [PATCH net] af_unix: Guard against other == sk in unix_dgram_sendmsg
In-Reply-To: <1455306847.2801.45.camel@decadent.org.uk> (Ben Hutchings's message of "Fri, 12 Feb 2016 19:54:07 +0000")
Date: Fri, 12 Feb 2016 20:17:31 +0000
Message-ID: <87egchadk4.fsf@doppelsaurus.mobileactivedefense.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Ben Hutchings writes:

> On Fri, 2016-02-12 at 13:25 +0000, Rainer Weikusat wrote:
>> Philipp Hahn writes:
>> > Hello Rainer,
>> >
>> > On 11.02.2016 at 20:37, Rainer Weikusat wrote:
>> > > The unix_dgram_sendmsg routine uses the following test
>> > >
>> > > if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
>>
>> [...]
>>
>> > > This isn't correct as the specified address could have been bound to
>> > > the sending socket itself
>>
>> [...]
>>
>> > After applying that patch at least my machine running the samba test no
>> > longer crashes.
>>
>> There's a possible gotcha in there: Send-to-self used to be limited by
>> the queue limit. But the rationale for that (IIRC) was that someone
>> could keep using newly created sockets to queue ever more data to a
>> single, unrelated receiver. I don't think this should apply when
>> receiving and sending sockets are identical. But that's just my
>> opinion. The other option would be to avoid the unix_state_double_lock
>> for sk == other.
>
> Given that unix_state_double_lock() already handles sk == other, I'm
> not sure why you think it needs to be avoided.

Because the whole complication of restarting the operation after locking both sk and other (because other had to be unlocked before calling unix_state_double_lock) is useless for this case: as other == sk, there's no reason to drop the lock on it, which guarantees that the result of all the earlier checks is still valid: if the -EAGAIN condition is not true, execution can just continue.

>> I'd be willing to change this accordingly if someone
>> thinks the queue limit should apply to send-to-self.
>
> If we don't check the queue limit here, does anything else prevent the
> queue growing to the point it's a DoS?

The max_dgram_qlen limit exists specifically to prevent someone from sending 'a lot' of messages to a socket unrelated to it by repeatedly creating a socket, sending as many messages as the send buffer size will allow, closing the socket, creating a new socket, ..., cf

http://netdev.vger.kernel.narkive.com/tcZIFJeC/get-rid-of-proc-sys-net-unix-max-dgram-qlen#post4

(first copy I found)

This 'attack' will obviously not work very well when sending and receiving sockets are identical.
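As an added example for the queue-limit question above (written for this page; it is not code from the thread or from the kernel tree), a user-space C probe that counts how many datagrams a non-blocking AF_UNIX sender can queue before the kernel answers EAGAIN, once to an unrelated receiver and once to its own bound address. It assumes Linux with abstract-namespace sockets; the `qlen-probe-*` names are constructed here. On a kernel carrying this patch the unrelated case should stop at roughly max_dgram_qlen, while send-to-self is bounded only by the sender's own send buffer, which is freed with the socket.

```c
/* Added example, not code from the thread: user-space probe of the AF_UNIX datagram
 * queue limit discussed above.  A non-blocking sender queues 1-byte datagrams until
 * EAGAIN, to an unrelated receiver (what max_dgram_qlen is for) and to its own address. */
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Non-blocking AF_UNIX datagram socket bound to an abstract name (sun_path[0] == 0). */
static int bind_abstract(const char *tag)
{
	struct sockaddr_un a = { .sun_family = AF_UNIX };
	int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_NONBLOCK, 0);
	snprintf(a.sun_path + 1, sizeof a.sun_path - 1, "qlen-probe-%s-%ld", tag, (long)getpid());
	if (fd >= 0 && bind(fd, (struct sockaddr *)&a, sizeof a) == 0)
		return fd;
	close(fd);	/* a harmless EBADF when socket() itself failed */
	return -1;
}

/* Send 1-byte datagrams from `from` to `to`'s address until EAGAIN; -1 on other errors. */
static int queue_until_full(int from, int to)
{
	struct sockaddr_un a;
	socklen_t len = sizeof a;
	if (getsockname(to, (struct sockaddr *)&a, &len) < 0)
		return -1;
	for (int n = 0; n < 100000; n++)	/* safety cap; the send buffer bounds it anyway */
		if (sendto(from, "x", 1, 0, (struct sockaddr *)&a, len) != 1)
			return (errno == EAGAIN || errno == EWOULDBLOCK) ? n : -1;
	return 100000;
}

/* Datagrams queued before EAGAIN: self == 0 targets an unrelated receiver, self != 0 the sender. */
int queue_count(int self)
{
	int s = bind_abstract("src"), r = self ? s : bind_abstract("dst"), n = -1;
	if (s >= 0 && r >= 0)
		n = queue_until_full(s, r);
	if (s >= 0) close(s);
	if (r >= 0 && r != s) close(r);
	return n;
}

int main(void)
{
	printf("unrelated receiver: %d, send-to-self: %d\n", queue_count(0), queue_count(1));
	return 0;
}
```

Compare the two counts with /proc/sys/net/unix/max_dgram_qlen on the kernel under test.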