Thread: 12 messages, 4 authors, 2010-11-29

Re: Fwd: Simple kernel attack using socketpair. easy, 100% reproducible, works under guest. no way to protect :(

From: Shan Wei <hidden>
Date: 2010-11-26 07:54:28


Eric Dumazet wrote, at 11/26/2010 02:23 PM:
> On Friday 26 November 2010 at 12:38 +0800, Shan Wei wrote:
> > Eric Dumazet wrote, at 11/25/2010 10:11 PM:
> > > On Thursday 25 November 2010 at 13:35 +0500, Марк Коренберг wrote:
> > > > A quick and dirty fix would be not to allow passing a unix socket inside a
> > > > unix socket. I think it would not break many applications.
> > > > Really, if it was not needed, net/unix/garbage.c would not exist at
> > > > all...
> > >
> > > It is needed by some apps.
> > >
> > >
> > > [PATCH] af_unix: limit recursion level
> > >
> > > It's easy to eat all kernel memory and trigger the NMI watchdog, using an
> > > exploit program that queues unix sockets on top of others.
> > >
> > > lkml ref : http://lkml.org/lkml/2010/11/25/8
> > >
> > > This mechanism is used in applications, so one choice we have is to have a
> > > recursion limit.
> > >
> > > Other limits might be needed as well (if we queue other types of files),
> > > since the passfd mechanism is currently limited by socket receive queue
> > > sizes only.
> > >
> > > Add a recursion_level to unix socket, allowing up to 4 levels.
> > >
> > > Each time we send a unix socket through the sendfd mechanism, we copy its
> > > recursion level (plus one) to the receiver. This recursion level is cleared
> > > when the socket receive queue is emptied.
> > >
> > > Reported-by: Марк Коренберг <redacted>
> > > Signed-off-by: Eric Dumazet <redacted>
> >
> > This problem is the same as the one reported with the title "Unix socket local DOS (OOM)", right?
> > After applying this patch, this program can be killed now, but it still eats 100% CPU.
>
> Not the same problem, but a different one.
>
> In this case, we queue files on top of one another and never give a chance
> to free them, unless the program dies (and all memory is eaten).
>
> And yes, it's eating 100% CPU, since it has no sleep inside, like
>
> for (;;) ;
Got it. Thanks.

I have an off-topic question.
There is some difficulty for me in understanding this issue. :-(
Why can't we kill this program?

When we send fd[0] to the ff[0] socket, fd[0] is in flight and a reference to it is added.
Although we close fd[0], that reference still exists.

Is the reason it can't be killed about the references, or about the latest sockets
created by socketpair() that are never freed?

-- 
Best Regards
-----
Shan Wei
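An added example (written for this page; it is not the reproducer from the thread, which is not on this page, nor code from Eric Dumazet's patch) that shows, in a bounded and self-cleaning way, the two things the exchange above turns on. First, a unix socket passed with SCM_RIGHTS stays alive "in flight" in the receiver's queue even after the sender closes its own descriptor, which is why closing the original fds in the reproducer releases nothing. Second, the nesting pattern the patch limits: each socketpair's receiving end, which carries everything queued below it, is sent into the next pair's queue and never read back. `nest_sockets()` stops at the first failing sendmsg() and reports its errno. On a kernel that enforces this patch's recursion limit the failure is, to my knowledge, ETOOMANYREFS a few levels in; on a kernel without a depth limit (later kernels replaced the depth counter with other limits, such as a per-user in-flight count, as far as I know) the function simply reaches `max_depth`. The function names, the `MAX_NEST` cap and the chain direction are my own choices.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

#define MAX_NEST 16 /* chain length cap for this demo (my choice) */

/* Pass one descriptor over a connected AF_UNIX socket with SCM_RIGHTS. */
static int send_fd(int sock, int fd_to_send)
{
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    memset(u.buf, 0, sizeof u.buf);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one passed descriptor; returns the new fd, or -1. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm; int fd = -1;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm && cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* (1) In-flight reference: queue sp0[0] in sp1[1]'s receive queue, close our
 * own descriptor for it, pull it back out and check it still reaches sp0[1]. */
int inflight_survives_close(void)
{
    int sp0[2], sp1[2], got = -1, ok = 0;
    char c = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp0) < 0)
        return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp1) < 0) {
        close(sp0[0]); close(sp0[1]);
        return 0;
    }
    if (send_fd(sp1[0], sp0[0]) == 0) {
        close(sp0[0]);          /* our reference is gone; the in-flight one is not */
        got = recv_fd(sp1[1]);
        if (got >= 0 && write(sp0[1], "k", 1) == 1 && read(got, &c, 1) == 1)
            ok = (c == 'k');
    } else {
        close(sp0[0]);
    }
    if (got >= 0) close(got);
    close(sp0[1]); close(sp1[0]); close(sp1[1]);
    return ok;
}

/* (2) Recursion: push each pair's receiving end (which carries everything
 * queued below it) into the next pair's queue and never read it back, up to
 * max_depth levels. Returns how many nested sends succeeded; *err gets the
 * errno of the failing sendmsg, or 0. All descriptors are closed on return. */
int nest_sockets(int max_depth, int *err)
{
    int sp[MAX_NEST + 1][2], depth = 0, pairs = 0, i;
    *err = 0;
    if (max_depth > MAX_NEST) max_depth = MAX_NEST;
    for (i = 0; i <= max_depth; i++, pairs++)
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp[i]) < 0) {
            *err = errno;
            goto out;
        }
    for (i = 1; i <= max_depth; i++, depth++)
        if (send_fd(sp[i][0], sp[i - 1][1]) < 0) {
            *err = errno;
            break;
        }
out:
    for (i = 0; i < pairs; i++) { close(sp[i][0]); close(sp[i][1]); }
    return depth;
}

int main(void)
{
    int err, depth = nest_sockets(MAX_NEST, &err);
    printf("in-flight fd survives close(): %s\n", inflight_survives_close() ? "yes" : "no");
    printf("nested sends that succeeded: %d%s%s\n", depth,
           err ? ", then sendmsg failed: " : "", err ? strerror(err) : "");
    return 0;
}
```

Run it as an unprivileged user; it needs no setup beyond a working AF_UNIX. The reproducer discussed in the thread differs from `nest_sockets()` in exactly the two ways that make it a DoS: it never stops, and it never closes anything, so the in-flight references shown by `inflight_survives_close()` accumulate until memory runs out.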