From: Shan Wei <shanwei@cn•fujitsu.com>
To: Eric Dumazet <eric.dumazet@gmail•com>
Cc: "Марк Коренберг" <socketpair@gmail•com>,
"David Miller" <davem@davemloft•net>,
netdev@vger•kernel.org
Subject: Re: Fwd: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :(
Date: Fri, 26 Nov 2010 12:38:07 +0800 [thread overview]
Message-ID: <4CEF39AF.6090605@cn.fujitsu.com> (raw)
In-Reply-To: <1290694299.2858.330.camel@edumazet-laptop>
Eric Dumazet wrote, at 11/25/2010 10:11 PM:
> Le jeudi 25 novembre 2010 à 13:35 +0500, Марк Коренберг a écrit :
>> quick and dirty fix will be not to allow to pass unix socket inside
>> unix socket. I think it would not break much applications.
>
> Really, if it was not needed, net/unix/garbage.c would not exist at
> all...
>
> It is needed by some apps.
>
>
> [PATCH] af_unix: limit recursion level
>
> Its easy to eat all kernel memory and trigger NMI watchdog, using an
> exploit program that queues unix sockets on top of others.
>
> lkml ref : http://lkml.org/lkml/2010/11/25/8
>
> This mechanism is used in applications, one choice we have is to have a
> recursion limit.
>
> Other limits might be needed as well (if we queue other types of files),
> since the passfd mechanism is currently limited by socket receive queue
> sizes only.
>
> Add a recursion_level to unix socket, allowing up to 4 levels.
>
> Each time we send an unix socket through sendfd mechanism, we copy its
> recursion level (plus one) to receiver. This recursion level is cleared
> when socket receive queue is emptied.
>
> Reported-by: Марк Коренберг <socketpair@gmail•com>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail•com>
This problem is same as that reported with title "Unix socket local DOS (OOM)", right?
After applied this patch, this program can be killed now. but still eat 100% cpu.
--
Best Regards
-----
Shan Wei
next prev parent reply other threads:[~2010-11-26 4:39 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <AANLkTikCeddPFRGojPGuB6oq3xGYgovtm8r4=WhjEDpe@mail.gmail.com>
2010-11-25 6:28 ` Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( Eric Dumazet
2010-11-25 6:52 ` Марк Коренберг
[not found] ` <1290668246.2798.93.camel@edumazet-laptop>
[not found] ` <AANLkTinQa8BCH-k0m=ndu4u8L-kCiD00jYjKvsvoxK2E@mail.gmail.com>
2010-11-25 7:52 ` Fwd: " Марк Коренберг
2010-11-25 8:16 ` Eric Dumazet
2010-11-25 8:35 ` Марк Коренберг
2010-11-25 14:11 ` Eric Dumazet
2010-11-26 4:38 ` Shan Wei [this message]
2010-11-26 6:23 ` Eric Dumazet
2010-11-26 7:52 ` Shan Wei
2010-11-26 7:41 ` Shan Wei
2010-11-26 8:22 ` Eric Dumazet
2010-11-26 8:59 ` Eric Dumazet
2010-11-29 17:46 ` David Miller
2010-11-29 18:01 ` Eric Dumazet
[not found] ` <AANLkTinRhmiVoVR5ibWOKe-OhY4fYUs_PHSATjxMGqg9@mail.gmail.com>
[not found] ` <1290670889.2798.127.camel@edumazet-laptop>
2010-11-25 8:05 ` Марк Коренберг
2010-11-25 7:14 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CEF39AF.6090605@cn.fujitsu.com \
--to=shanwei@cn$(echo .)fujitsu.com \
--cc=davem@davemloft$(echo .)net \
--cc=eric.dumazet@gmail$(echo .)com \
--cc=netdev@vger$(echo .)kernel.org \
--cc=socketpair@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox