From: Jiri Slaby <jslaby@suse.cz>
To: stable@vger.kernel.org
Cc: willy tarreau <w@1wt.eu>,
"David S . Miller" <davem@davemloft.net>,
Jiri Slaby <jslaby@suse.cz>
Subject: [patch added to 3.12-stable] unix: properly account for FDs passed over unix sockets
Date: Thu, 28 Jan 2016 11:52:03 +0100 [thread overview]
Message-ID: <1453978346-20237-12-git-send-email-jslaby@suse.cz> (raw)
In-Reply-To: <1453978346-20237-1-git-send-email-jslaby@suse.cz>
From: willy tarreau <w@1wt.eu>
This patch has been added to the 3.12 stable tree. If you have any
objections, please let us know.
===============
[ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ]
It is possible for a process to allocate and accumulate far more FDs than
the process' limit by sending them over a unix socket then closing them
to keep the process' fd count low.
This change addresses this problem by keeping track of the number of FDs
in flight per user and preventing non-privileged processes from having
more FDs in flight than their configured FD limit.
Reported-by: socketpair@gmail.com
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Mitigates: CVE-2013-4312 (Linux 2.0+)
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
include/linux/sched.h | 1 +
net/unix/af_unix.c | 24 ++++++++++++++++++++----
net/unix/garbage.c | 16 ++++++++++++----
3 files changed, 33 insertions(+), 8 deletions(-)
diff --git a/include/linux/sched.h b/include/linux/sched.h
index a4d7d19fc338..3ecea51ea060 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -664,6 +664,7 @@ struct user_struct {
unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */
#endif
unsigned long locked_shm; /* How many pages of mlocked shm ? */
+ unsigned long unix_inflight; /* How many files in flight in unix sockets */
#ifdef CONFIG_KEYS
struct key *uid_keyring; /* UID specific keyring */
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 31b88dcb0f01..e6b021327c3a 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1484,6 +1484,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
sock_wfree(skb);
}
+/*
+ * The "user->unix_inflight" variable is protected by the garbage
+ * collection lock, and we just read it locklessly here. If you go
+ * over the limit, there might be a tiny race in actually noticing
+ * it across threads. Tough.
+ */
+static inline bool too_many_unix_fds(struct task_struct *p)
+{
+ struct user_struct *user = current_user();
+
+ if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+ return false;
+}
+
#define MAX_RECURSION_LEVEL 4
static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
@@ -1492,6 +1507,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
unsigned char max_level = 0;
int unix_sock_count = 0;
+ if (too_many_unix_fds(current))
+ return -ETOOMANYREFS;
+
for (i = scm->fp->count - 1; i >= 0; i--) {
struct sock *sk = unix_get_socket(scm->fp->fp[i]);
@@ -1513,10 +1531,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
if (!UNIXCB(skb).fp)
return -ENOMEM;
- if (unix_sock_count) {
- for (i = scm->fp->count - 1; i >= 0; i--)
- unix_inflight(scm->fp->fp[i]);
- }
+ for (i = scm->fp->count - 1; i >= 0; i--)
+ unix_inflight(scm->fp->fp[i]);
return max_level;
}
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index 9bc73f87f64a..06730fe6ad9d 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -125,9 +125,12 @@ struct sock *unix_get_socket(struct file *filp)
void unix_inflight(struct file *fp)
{
struct sock *s = unix_get_socket(fp);
+
+ spin_lock(&unix_gc_lock);
+
if (s) {
struct unix_sock *u = unix_sk(s);
- spin_lock(&unix_gc_lock);
+
if (atomic_long_inc_return(&u->inflight) == 1) {
BUG_ON(!list_empty(&u->link));
list_add_tail(&u->link, &gc_inflight_list);
@@ -135,22 +138,27 @@ void unix_inflight(struct file *fp)
BUG_ON(list_empty(&u->link));
}
unix_tot_inflight++;
- spin_unlock(&unix_gc_lock);
}
+ fp->f_cred->user->unix_inflight++;
+ spin_unlock(&unix_gc_lock);
}
void unix_notinflight(struct file *fp)
{
struct sock *s = unix_get_socket(fp);
+
+ spin_lock(&unix_gc_lock);
+
if (s) {
struct unix_sock *u = unix_sk(s);
- spin_lock(&unix_gc_lock);
+
BUG_ON(list_empty(&u->link));
if (atomic_long_dec_and_test(&u->inflight))
list_del_init(&u->link);
unix_tot_inflight--;
- spin_unlock(&unix_gc_lock);
}
+ fp->f_cred->user->unix_inflight--;
+ spin_unlock(&unix_gc_lock);
}
static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
--
2.7.0
next prev parent reply other threads:[~2016-01-28 10:52 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-28 10:51 [patch added to 3.12-stable] ARM: 8158/1: LLVMLinux: use static inline in ARM ftrace.h Jiri Slaby
2016-01-28 10:51 ` [patch added to 3.12-stable] ARM: 8160/1: drop warning about return_address not using unwind tables Jiri Slaby
2016-01-28 11:07 ` Uwe Kleine-König
2016-01-28 10:51 ` [patch added to 3.12-stable] drm/radeon: cypress_dpm: Fix unused variable warning when CONFIG_ACPI=n Jiri Slaby
2016-01-28 10:51 ` [patch added to 3.12-stable] drm: radeon: ni_dpm: " Jiri Slaby
2016-01-28 10:51 ` [patch added to 3.12-stable] lkdtm: adjust recursion size to avoid warnings Jiri Slaby
2016-01-28 10:51 ` [patch added to 3.12-stable] RDMA/cxgb4: Fix gcc warning on 32-bit arch Jiri Slaby
2016-01-28 10:51 ` [patch added to 3.12-stable] mISDN: avoid arch specific __builtin_return_address call Jiri Slaby
2016-01-28 10:51 ` [patch added to 3.12-stable] veth: don’t modify ip_summed; doing so treats packets with bad checksums as good Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] ipv6/addrlabel: fix ip6addrlbl_get() Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] connector: bump skb->users before callback invocation Jiri Slaby
2016-01-28 10:52 ` Jiri Slaby [this message]
2016-01-28 10:52 ` [patch added to 3.12-stable] bridge: Only call /sbin/bridge-stp for the initial network namespace Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] ipv6: tcp: add rcu locking in tcp_v6_send_synack() Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] tcp_yeah: don't set ssthresh below 2 Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] phonet: properly unshare skbs in phonet_rcv() Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] ipv6: update skb->csum when CE mark is propagated Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] xfrm: dst_entries_init() per-net dst_ops Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] powerpc/tm: Block signal return setting invalid MSR state Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] powerpc: Make value-returning atomics fully ordered Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] powerpc: Make {cmp}xchg* and their atomic_ versions " Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] scripts/recordmcount.pl: support data in text section on powerpc Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] arm64: KVM: Fix AArch32 to AArch64 register mapping Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] arm64: fix building without CONFIG_UID16 Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] arm64: Clear out any singlestep state on a ptrace detach operation Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] arm64: mm: ensure that the zero page is visible to the page table walker Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] parisc iommu: fix panic due to trying to allocate too large region Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] HID: core: Avoid uninitialized buffer access Jiri Slaby
2016-01-28 10:52 ` [patch added to 3.12-stable] mn10300: Select CONFIG_HAVE_UID16 to fix build failure Jiri Slaby
2016-03-07 13:35 [patch added to 3.12-stable] unix: properly account for FDs passed over unix sockets Jiri Slaby
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1453978346-20237-12-git-send-email-jslaby@suse.cz \
--to=jslaby@suse.cz \
--cc=davem@davemloft.net \
--cc=stable@vger.kernel.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.