| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Nov 2010 09:46:28 -0800 (PST) From: David Miller <davem@...emloft.net> To: eric.dumazet@...il.com Cc: socketpair@...il.com, netdev@...r.kernel.org Subject: Re: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( From: Eric Dumazet <eric.dumazet@...il.com> Date: Thu, 25 Nov 2010 15:11:39 +0100 > [PATCH] af_unix: limit recursion level > > Its easy to eat all kernel memory and trigger NMI watchdog, using an > exploit program that queues unix sockets on top of others. > > lkml ref : http://lkml.org/lkml/2010/11/25/8 > > This mechanism is used in applications, one choice we have is to have a > recursion limit. > > Other limits might be needed as well (if we queue other types of files), > since the passfd mechanism is currently limited by socket receive queue > sizes only. > > Add a recursion_level to unix socket, allowing up to 4 levels. > > Each time we send an unix socket through sendfd mechanism, we copy its > recursion level (plus one) to receiver. This recursion level is cleared > when socket receive queue is emptied. > > Reported-by: Марк Коренберг <socketpair@...il.com> > Signed-off-by: Eric Dumazet <eric.dumazet@...il.com> Ok, since such deep recursive AF_UNIX fd sends is pretty rediculious, it seems this is not likely to hit legitimate use cases and thus I've applied this. Also queued up for -stable. Thanks! -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists