From: David Miller <davem@davemloft.net>
To: eric.dumazet@gmail.com
Cc: socketpair@gmail.com, netdev@vger.kernel.org
Subject: Re: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :(
Date: Mon, 29 Nov 2010 09:46:28 -0800 (PST) [thread overview]
Message-ID: <20101129.094628.39176431.davem@davemloft.net> (raw)
In-Reply-To: <1290694299.2858.330.camel@edumazet-laptop>
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Thu, 25 Nov 2010 15:11:39 +0100
> [PATCH] af_unix: limit recursion level
>
> Its easy to eat all kernel memory and trigger NMI watchdog, using an
> exploit program that queues unix sockets on top of others.
>
> lkml ref : http://lkml.org/lkml/2010/11/25/8
>
> This mechanism is used in applications, one choice we have is to have a
> recursion limit.
>
> Other limits might be needed as well (if we queue other types of files),
> since the passfd mechanism is currently limited by socket receive queue
> sizes only.
>
> Add a recursion_level to unix socket, allowing up to 4 levels.
>
> Each time we send an unix socket through sendfd mechanism, we copy its
> recursion level (plus one) to receiver. This recursion level is cleared
> when socket receive queue is emptied.
>
> Reported-by: Марк Коренберг <socketpair@gmail.com>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Ok, since such deep recursive AF_UNIX fd sends is pretty
rediculious, it seems this is not likely to hit legitimate
use cases and thus I've applied this.
Also queued up for -stable.
Thanks!
next prev parent reply other threads:[~2010-11-29 17:46 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AANLkTikCeddPFRGojPGuB6oq3xGYgovtm8r4=WhjEDpe@mail.gmail.com>
2010-11-25 6:28 ` Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( Eric Dumazet
2010-11-25 6:52 ` Марк Коренберг
[not found] ` <1290668246.2798.93.camel@edumazet-laptop>
[not found] ` <AANLkTinQa8BCH-k0m=ndu4u8L-kCiD00jYjKvsvoxK2E@mail.gmail.com>
2010-11-25 7:52 ` Fwd: " Марк Коренберг
2010-11-25 8:16 ` Eric Dumazet
2010-11-25 8:35 ` Марк Коренберг
2010-11-25 14:11 ` Eric Dumazet
2010-11-26 4:38 ` Shan Wei
2010-11-26 6:23 ` Eric Dumazet
2010-11-26 7:52 ` Shan Wei
2010-11-26 7:41 ` Shan Wei
2010-11-26 8:22 ` Eric Dumazet
2010-11-26 8:59 ` Eric Dumazet
2010-11-29 17:46 ` David Miller [this message]
2010-11-29 18:01 ` Eric Dumazet
[not found] ` <AANLkTinRhmiVoVR5ibWOKe-OhY4fYUs_PHSATjxMGqg9@mail.gmail.com>
[not found] ` <1290670889.2798.127.camel@edumazet-laptop>
2010-11-25 8:05 ` Марк Коренберг
2010-11-25 7:14 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101129.094628.39176431.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=socketpair@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).