From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751276AbcBLJDh (ORCPT <rfc822;w@1wt.eu>);
	Fri, 12 Feb 2016 04:03:37 -0500
Received: from wtarreau.pck.nerim.net ([62.212.114.60]:9843 "EHLO 1wt.eu"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1750961AbcBLJDe (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Fri, 12 Feb 2016 04:03:34 -0500
Date: Fri, 12 Feb 2016 10:03:11 +0100
From: Willy Tarreau <w@1wt.eu>
To: Philipp Hahn <pmhahn@pmhahn.de>
Cc: Jiri Slaby <jslaby@suse.cz>, stable@vger.kernel.org,
        linux-kernel@vger.kernel.org, "David S . Miller" <davem@davemloft.net>,
        Hannes Frederic Sowa <hannes@stressinduktion.org>
Subject: Re: [PATCH 3.12 32/64] unix: properly account for FDs passed over unix sockets
Message-ID: <20160212090311.GA27978@1wt.eu>
References: <cover.1455198893.git.jslaby@suse.cz> <9065c7d8c8be841107dcd6711ab3779553c68fd7.1455198893.git.jslaby@suse.cz> <20160211173233.GA27734@1wt.eu> <56BD906B.9020904@suse.cz> <56BD9BA2.2060706@pmhahn.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <56BD9BA2.2060706@pmhahn.de>
User-Agent: Mutt/1.4.2.3i
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 12, 2016 at 09:45:22AM +0100, Philipp Hahn wrote:
> Am 12.02.2016 um 08:57 schrieb Jiri Slaby:
> > On 02/11/2016, 06:32 PM, Willy Tarreau wrote:
> >> On Thu, Feb 11, 2016 at 02:59:08PM +0100, Jiri Slaby wrote:
> >>> From: willy tarreau <w@1wt.eu>
> >>>
> >>> 3.12-stable review patch.  If anyone has any objections, please let me know.
> >>>
> >>> ===============
> >>>
> >>> [ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ]
> >>>
> >>> It is possible for a process to allocate and accumulate far more FDs than
> >>> the process' limit by sending them over a unix socket then closing them
> >>> to keep the process' fd count low.
> >>>
> >>> This change addresses this problem by keeping track of the number of FDs
> >>> in flight per user and preventing non-privileged processes from having
> >>> more FDs in flight than their configured FD limit.
> >>>
> >>> Reported-by: socketpair@gmail.com
> >>> Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> >>> Mitigates: CVE-2013-4312 (Linux 2.0+)
> >>> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> >>> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
> >>> Signed-off-by: Willy Tarreau <w@1wt.eu>
> >>> Signed-off-by: David S. Miller <davem@davemloft.net>
> >>> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
> >>
> >> A possible issue was reported regarding this patch, and Hannes
> >> implemented a fix that's not yet in mainline. I guess it's
> >> preferable to postpone this patch for now.
> > 
> > yes definitely. Thanks for noting.
> 
> Yes and no: the above mentioned patch looks innocent now after more
> bisecting, but there is <https://patchwork.ozlabs.org/patch/577653/> as
> a folow-up to the FD-accounting.

It was not the only issue reported, as I remember there is a possibility
that for processes having to pass FDs from one socket to another (eg:
dbus), the wrong user could be credited. I don't remember the exact
detail but since the fix is pending and the current patch fixes an
issue which is as old as kernel 2.0 or so, there's no need to rush it
into stable kernels.

Willy