Re: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :(
From: Eric Dumazet <hidden>
Date: 2010-11-25 07:14:11
Also in:
lkml
Possibly related (same subject, not in this thread)
- 2010-11-29 · Re: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( · Eric Dumazet <hidden>
- 2010-11-29 · Re: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( · David Miller <davem@davemloft.net>
- 2010-11-26 · Re: Fwd: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( · Eric Dumazet <hidden>
- 2010-11-26 · Re: Fwd: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( · Eric Dumazet <hidden>
- 2010-11-26 · Re: Fwd: Simple kernel attack using socketpair. easy, 100% reproductiblle, works under guest. no way to protect :( · Shan Wei <hidden>
Le jeudi 25 novembre 2010 à 07:28 +0100, Eric Dumazet a écrit :
quoted hunk ↗ jump to hunk
Since you obviously read recent mails on this subject yesterday, why dont you Cc netdev ? There is a very easy way to protect against this actually. A patch was posted yesterday, and need some adjustements.diff --git a/net/unix/garbage.c b/net/unix/garbage.c index c8df6fd..40df93d 100644 --- a/net/unix/garbage.c +++ b/net/unix/garbage.c@@ -259,9 +259,16 @@ static void inc_inflight_move_tail(struct unix_sock *u) } static bool gc_in_progress = false; +#define UNIX_INFLIGHT_TRIGGER_GC 2000 void wait_for_unix_gc(void) { + /* + * If number of inflight sockets is insane, + * force a garbage collect right now. + */ + if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress) + unix_gc(); wait_event(unix_gc_wait, gc_in_progress == false); }
Hmm... it seems its another problem, chains are very long so we hit a NMI watchdog. I guess we should limit to a very small number, like 64, or rewrite the garbage collector to a better algo.