[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87egchadk4.fsf@doppelsaurus.mobileactivedefense.com>
Date: Fri, 12 Feb 2016 20:17:31 +0000
From: Rainer Weikusat <rweikusat@...ileactivedefense.com>
To: Ben Hutchings <ben@...adent.org.uk>
Cc: Rainer Weikusat <rweikusat@...ileactivedefense.com>,
Philipp Hahn <pmhahn@...ahn.de>,
Hannes Frederic Sowa <hannes@...essinduktion.org>,
Sasha Levin <sasha.levin@...cle.com>,
"David S. Miller" <davem@...emloft.net>,
linux-kernel@...r.kernel.org, Karolin Seeger <kseeger@...ba.org>,
Jason Baron <jbaron@...mai.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Arvid Requate <requate@...vention.de>,
Stefan Gohmann <gohmann@...vention.de>, netdev@...r.kernel.org
Subject: Re: [PATCH net] af_unix: Guard against other == sk in unix_dgram_sendmsg
Ben Hutchings <ben@...adent.org.uk> writes:
> On Fri, 2016-02-12 at 13:25 +0000, Rainer Weikusat wrote:
>> Philipp Hahn <pmhahn@...ahn.de> writes:
>> > Hello Rainer,
>> >
>> > Am 11.02.2016 um 20:37 schrieb Rainer Weikusat:
>> > > The unix_dgram_sendmsg routine use the following test
>> > >
>> > > if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
>>
>> [...]
>>
>> > > This isn't correct as the> specified address could have been bound to
>> > > the sending socket itself
>>
>> [...]
>>
>> > After applying that patch at least my machine running the samba test no
>> > longer crashes.
>>
>> There's a possible gotcha in there: Send-to-self used to be limited by
>> the queue limit. But the rationale for that (IIRC) was that someone
>> could keep using newly created sockets to queue ever more data to a
>> single, unrelated receiver. I don't think this should apply when
>> receiving and sending sockets are identical. But that's just my
>> opinion. The other option would be to avoid the unix_state_double_lock
>> for sk == other.
>
> Given that unix_state_double_lock() already handles sk == other, I'm
> not sure why you think it needs to be avoided.
Because the whole complication of restarting the operation after locking
both sk and other because other had to be unlocked before calling
unix_state_double_lock is useless for this case: As other == sk, there's
no reason to drop the lock on it which guarantees that the result of all
the earlier checks is still valid: If the -EAGAIN condition is not true,
execution can just continue.
>> I'd be willing to change this accordingly if someone
>> thinks the queue limit should apply to send-to-self.
>
> If we don't check the queue limit here, does anything else prevent the
> queue growing to the point it's a DoS?
The max_dgram_qlen limit exists specifically to prevent someone sending
'a lot' of messages to a socket unrelated to it by repeatedly creating a
socket, sending as many messages as the send buffer size will allow,
closing the socket, creating a new socket, ..., cf
http://netdev.vger.kernel.narkive.com/tcZIFJeC/get-rid-of-proc-sys-net-unix-max-dgram-qlen#post4
(first copy I found)
This 'attack' will obviously not work very well when sending and
receiving socket are identical.
Powered by blists - more mailing lists