Re: Fwd: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :(

public inbox for netdev@vger.kernel.org 
 help / color / mirror / Atom feed

From: Shan Wei <shanwei@cn•fujitsu.com>
To: Eric Dumazet <eric.dumazet@gmail•com>
Cc: "Марк Коренберг" <socketpair@gmail•com>,
	"David Miller" <davem@davemloft•net>,
	netdev@vger•kernel.org
Subject: Re: Fwd: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :(
Date: Fri, 26 Nov 2010 15:52:43 +0800	[thread overview]
Message-ID: <4CEF674B.1070504@cn.fujitsu.com> (raw)
In-Reply-To: <1290752611.2678.3.camel@edumazet-laptop>

Eric Dumazet wrote, at 11/26/2010 02:23 PM:
> Le vendredi 26 novembre 2010 à 12:38 +0800, Shan Wei a écrit :
>> Eric Dumazet wrote, at 11/25/2010 10:11 PM:
>>> Le jeudi 25 novembre 2010 à 13:35 +0500, Марк Коренберг a écrit :
>>>> quick and dirty fix will be not to allow to pass unix socket inside
>>>> unix socket. I think it would not break much applications.
>>>
>>> Really, if it was not needed, net/unix/garbage.c would not exist at
>>> all...
>>>
>>> It is needed by some apps.
>>>
>>>
>>> [PATCH] af_unix: limit recursion level
>>>
>>> Its easy to eat all kernel memory and trigger NMI watchdog, using an
>>> exploit program that queues unix sockets on top of others.
>>>
>>> lkml ref : http://lkml.org/lkml/2010/11/25/8
>>>
>>> This mechanism is used in applications, one choice we have is to have a
>>> recursion limit.
>>>
>>> Other limits might be needed as well (if we queue other types of files),
>>> since the passfd mechanism is currently limited by socket receive queue
>>> sizes only.
>>>
>>> Add a recursion_level to unix socket, allowing up to 4 levels.
>>>
>>> Each time we send an unix socket through sendfd mechanism, we copy its
>>> recursion level (plus one) to receiver. This recursion level is cleared
>>> when socket receive queue is emptied.
>>>
>>> Reported-by: Марк Коренберг <socketpair@gmail•com>
>>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail•com>
>>
>> This problem is same as that reported with title "Unix socket local DOS (OOM)", right?
>> After applied this patch, this program can be killed now. but still eat 100% cpu. 
>>
> 
> Not the same problem, but a different one. 
> 
> In this case, we queue files on top of another and never give a chance
> to free them, unless the program dies (and full memory eaten)
> 
> And yes, its eating 100% cpu, since it has no sleep inside, like
> 
> for (;;) ;

Got it. Thanks.

Have a out of topic question. 
There is some difficulty for me to understand this issue. :-(
why can't we kill this program?

When send fd[0] to ff[0] socket, fd[0] is in flight and will be add reference value.
Athough we close fd[0], their references is still exist.

The reason that can't be killed is about the references or about the latest sockets
created by socketpair() but never be freeed.

-- 
Best Regards
-----
Shan Wei

next prev parent reply	other threads:[~2010-11-26  7:54 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <AANLkTikCeddPFRGojPGuB6oq3xGYgovtm8r4=WhjEDpe@mail.gmail.com>
2010-11-25  6:28 ` Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( Eric Dumazet
2010-11-25  6:52   ` Марк Коренберг
     [not found]     ` <1290668246.2798.93.camel@edumazet-laptop>
     [not found]       ` <AANLkTinQa8BCH-k0m=ndu4u8L-kCiD00jYjKvsvoxK2E@mail.gmail.com>
2010-11-25  7:52         ` Fwd: " Марк Коренберг
2010-11-25  8:16           ` Eric Dumazet
2010-11-25  8:35             ` Марк Коренберг
2010-11-25 14:11               ` Eric Dumazet
2010-11-26  4:38                 ` Shan Wei
2010-11-26  6:23                   ` Eric Dumazet
2010-11-26  7:52                     ` Shan Wei [this message]
2010-11-26  7:41                 ` Shan Wei
2010-11-26  8:22                   ` Eric Dumazet
2010-11-26  8:59                     ` Eric Dumazet
2010-11-29 17:46                 ` David Miller
2010-11-29 18:01                   ` Eric Dumazet
     [not found]       ` <AANLkTinRhmiVoVR5ibWOKe-OhY4fYUs_PHSATjxMGqg9@mail.gmail.com>
     [not found]         ` <1290670889.2798.127.camel@edumazet-laptop>
2010-11-25  8:05           ` Марк Коренберг
2010-11-25  7:14   ` Eric Dumazet

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4CEF674B.1070504@cn.fujitsu.com \
    --to=shanwei@cn$(echo .)fujitsu.com \
    --cc=davem@davemloft$(echo .)net \
    --cc=eric.dumazet@gmail$(echo .)com \
    --cc=netdev@vger$(echo .)kernel.org \
    --cc=socketpair@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox