quick and dirty fix will be not to allow to pass unix socket inside
unix socket. I think it would not break much applications.

2010/11/25 Eric Dumazet [off-list ref]:

Le jeudi 25 novembre 2010 à 12:52 +0500, Марк Коренберг a écrit :

quoted

---------- Forwarded message ----------
From: Марк Коренберг <redacted>
Date: 2010/11/25
Subject: Re: Simple kernel attack using socketpair. easy, 100%
reproductiblle, works under guest. no way to protect :(
To: Eric Dumazet <redacted>


2010/11/25 Eric Dumazet [off-list ref]:

quoted

Le jeudi 25 novembre 2010 à 11:52 +0500, Марк Коренберг a écrit :

quoted

Well, It seems, that patch likely will fix 100% CPU usage.

But what about eating all available descriptors in kernel ? vulnerability ?

It doesnt fix cpu usage actually, your program eats 100% of one cpu,
like the following one :

for (;;) ;

If you want not eat 100% cpu, I suggest you add some blocking calls,
like usleep(10000)

for (;;) usleep(10000);

Patch only makes sure kernel wont eat too much memory to store inflight
unix sockets.

I have attached source which proove, that loop not inside this
program, but inside kernel.

--

Better send a fix, now that thousand of people know how to kill a linux
machine.

Congrats.

-- 
Segmentation fault