From: Eric Dumazet <eric.dumazet@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: socketpair@gmail.com, netdev@vger.kernel.org
Subject: Re: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :(
Date: Mon, 29 Nov 2010 19:01:58 +0100 [thread overview]
Message-ID: <1291053718.3435.1275.camel@edumazet-laptop> (raw)
In-Reply-To: <20101129.094628.39176431.davem@davemloft.net>
Le lundi 29 novembre 2010 à 09:46 -0800, David Miller a écrit :
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Thu, 25 Nov 2010 15:11:39 +0100
>
> > [PATCH] af_unix: limit recursion level
> >
> > Its easy to eat all kernel memory and trigger NMI watchdog, using an
> > exploit program that queues unix sockets on top of others.
> >
> > lkml ref : http://lkml.org/lkml/2010/11/25/8
> >
> > This mechanism is used in applications, one choice we have is to have a
> > recursion limit.
> >
> > Other limits might be needed as well (if we queue other types of files),
> > since the passfd mechanism is currently limited by socket receive queue
> > sizes only.
> >
> > Add a recursion_level to unix socket, allowing up to 4 levels.
> >
> > Each time we send an unix socket through sendfd mechanism, we copy its
> > recursion level (plus one) to receiver. This recursion level is cleared
> > when socket receive queue is emptied.
> >
> > Reported-by: Марк Коренберг <socketpair@gmail.com>
> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
>
> Ok, since such deep recursive AF_UNIX fd sends is pretty
> rediculious, it seems this is not likely to hit legitimate
> use cases and thus I've applied this.
>
> Also queued up for -stable.
>
> Thanks!
I tested FreeBSD (latest) and got a kernel freeze as well with exploit
program.
I dont know yet how to fully fix this problem.
next prev parent reply other threads:[~2010-11-29 18:02 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AANLkTikCeddPFRGojPGuB6oq3xGYgovtm8r4=WhjEDpe@mail.gmail.com>
2010-11-25 6:28 ` Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( Eric Dumazet
2010-11-25 6:52 ` Марк Коренберг
[not found] ` <1290668246.2798.93.camel@edumazet-laptop>
[not found] ` <AANLkTinQa8BCH-k0m=ndu4u8L-kCiD00jYjKvsvoxK2E@mail.gmail.com>
2010-11-25 7:52 ` Fwd: " Марк Коренберг
2010-11-25 8:16 ` Eric Dumazet
2010-11-25 8:35 ` Марк Коренберг
2010-11-25 14:11 ` Eric Dumazet
2010-11-26 4:38 ` Shan Wei
2010-11-26 6:23 ` Eric Dumazet
2010-11-26 7:52 ` Shan Wei
2010-11-26 7:41 ` Shan Wei
2010-11-26 8:22 ` Eric Dumazet
2010-11-26 8:59 ` Eric Dumazet
2010-11-29 17:46 ` David Miller
2010-11-29 18:01 ` Eric Dumazet [this message]
[not found] ` <AANLkTinRhmiVoVR5ibWOKe-OhY4fYUs_PHSATjxMGqg9@mail.gmail.com>
[not found] ` <1290670889.2798.127.camel@edumazet-laptop>
2010-11-25 8:05 ` Марк Коренберг
2010-11-25 7:14 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1291053718.3435.1275.camel@edumazet-laptop \
--to=eric.dumazet@gmail.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=socketpair@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox