| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Nov 2010 13:05:26 +0500 From: Марк Коренберг <socketpair@...il.com> To: Eric Dumazet <eric.dumazet@...il.com> Subject: Re: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( 2010/11/25 Eric Dumazet <eric.dumazet@...il.com>: > Le jeudi 25 novembre 2010 à 12:35 +0500, Марк Коренберг a écrit : >> 2010/11/25 Eric Dumazet <eric.dumazet@...il.com>: >> > Le jeudi 25 novembre 2010 à 11:52 +0500, Марк Коренберг a écrit : >> >> Well, It seems, that patch likely will fix 100% CPU usage. >> >> >> >> But what about eating all available descriptors in kernel ? vulnerability ? >> >> >> > >> > It doesnt fix cpu usage actually, your program eats 100% of one cpu, >> > like the following one : >> > >> > for (;;) ; >> >> No. You don't understand. I can't kill -KILL such program. CPU usage >> will be 100%. program hang in kernel, process is not in >> Uninterruptible sleep (in Running state). So I think some kernel loop >> like for(;;); exists. maybe looped recursion or so on. >> > > I understand very well, thanks. > > There is no recursion (stack usage) in kernel, this is why CPU eats so > much cycles to handle your workload. > > kill ... is not interrupting this loop in kernel, only when current > system call is finished. > > We'll have to add limits to forbid malicious programs to use too much > cpu in kernel. new ulimit constant ? how to detect, that user is malicious ? I think, it will be nice to count "reursion level" of file descriptors instances. recursion level increases if fd is put inside unix socket. If recursion level is bigger than some border (10 for example), do not to allow to put such file descriptor into unixsocket. I understand .. this is heavy. Fortunatelly I have idea :) : Do not allow to pass unix socket A into unixsocket B if A contains file descriptors. I think it would not break current applications. This will fix problem which illustrate my example. But, malicious user can insert descriptors into A _AFTER_ passing A into B, by using another A instance called C. Kernel should not allow do that -- if kernel see, that unix socket A=C already inside some other unix socket, it should return error. -- Segmentation fault -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists