| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4CEF674B.1070504@cn.fujitsu.com> Date: Fri, 26 Nov 2010 15:52:43 +0800 From: Shan Wei <shanwei@...fujitsu.com> To: Eric Dumazet <eric.dumazet@...il.com> CC: Марк Коренберг <socketpair@...il.com>, David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: Fwd: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( Eric Dumazet wrote, at 11/26/2010 02:23 PM: > Le vendredi 26 novembre 2010 à 12:38 +0800, Shan Wei a écrit : >> Eric Dumazet wrote, at 11/25/2010 10:11 PM: >>> Le jeudi 25 novembre 2010 à 13:35 +0500, Марк Коренберг a écrit : >>>> quick and dirty fix will be not to allow to pass unix socket inside >>>> unix socket. I think it would not break much applications. >>> >>> Really, if it was not needed, net/unix/garbage.c would not exist at >>> all... >>> >>> It is needed by some apps. >>> >>> >>> [PATCH] af_unix: limit recursion level >>> >>> Its easy to eat all kernel memory and trigger NMI watchdog, using an >>> exploit program that queues unix sockets on top of others. >>> >>> lkml ref : http://lkml.org/lkml/2010/11/25/8 >>> >>> This mechanism is used in applications, one choice we have is to have a >>> recursion limit. >>> >>> Other limits might be needed as well (if we queue other types of files), >>> since the passfd mechanism is currently limited by socket receive queue >>> sizes only. >>> >>> Add a recursion_level to unix socket, allowing up to 4 levels. >>> >>> Each time we send an unix socket through sendfd mechanism, we copy its >>> recursion level (plus one) to receiver. This recursion level is cleared >>> when socket receive queue is emptied. >>> >>> Reported-by: Марк Коренберг <socketpair@...il.com> >>> Signed-off-by: Eric Dumazet <eric.dumazet@...il.com> >> >> This problem is same as that reported with title "Unix socket local DOS (OOM)", right? >> After applied this patch, this program can be killed now. but still eat 100% cpu. >> > > Not the same problem, but a different one. > > In this case, we queue files on top of another and never give a chance > to free them, unless the program dies (and full memory eaten) > > And yes, its eating 100% cpu, since it has no sleep inside, like > > for (;;) ; Got it. Thanks. Have a out of topic question. There is some difficulty for me to understand this issue. :-( why can't we kill this program? When send fd[0] to ff[0] socket, fd[0] is in flight and will be add reference value. Athough we close fd[0], their references is still exist. The reason that can't be killed is about the references or about the latest sockets created by socketpair() but never be freeed. -- Best Regards ----- Shan Wei -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists