From: Philipp Hahn <pmhahn@pmhahn.de>
To: Jiri Slaby <jslaby@suse.cz>, Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org,
"David S . Miller" <davem@davemloft.net>,
Hannes Frederic Sowa <hannes@stressinduktion.org>
Subject: Re: [PATCH 3.12 32/64] unix: properly account for FDs passed over unix sockets
Date: Fri, 12 Feb 2016 09:45:22 +0100 [thread overview]
Message-ID: <56BD9BA2.2060706@pmhahn.de> (raw)
In-Reply-To: <56BD906B.9020904@suse.cz>
Am 12.02.2016 um 08:57 schrieb Jiri Slaby:
> On 02/11/2016, 06:32 PM, Willy Tarreau wrote:
>> On Thu, Feb 11, 2016 at 02:59:08PM +0100, Jiri Slaby wrote:
>>> From: willy tarreau <w@1wt.eu>
>>>
>>> 3.12-stable review patch. If anyone has any objections, please let me know.
>>>
>>> ===============
>>>
>>> [ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ]
>>>
>>> It is possible for a process to allocate and accumulate far more FDs than
>>> the process' limit by sending them over a unix socket then closing them
>>> to keep the process' fd count low.
>>>
>>> This change addresses this problem by keeping track of the number of FDs
>>> in flight per user and preventing non-privileged processes from having
>>> more FDs in flight than their configured FD limit.
>>>
>>> Reported-by: socketpair@gmail.com
>>> Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
>>> Mitigates: CVE-2013-4312 (Linux 2.0+)
>>> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
>>> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
>>> Signed-off-by: Willy Tarreau <w@1wt.eu>
>>> Signed-off-by: David S. Miller <davem@davemloft.net>
>>> Signed-off-by: Jiri Slaby <jslaby@suse.cz>
>>
>> A possible issue was reported regarding this patch, and Hannes
>> implemented a fix that's not yet in mainline. I guess it's
>> preferable to postpone this patch for now.
>
> yes definitely. Thanks for noting.
Yes and no: the above mentioned patch looks innocent now after more
bisecting, but there is <https://patchwork.ozlabs.org/patch/577653/> as
a folow-up to the FD-accounting.
> For reference:
> http://article.gmane.org/gmane.linux.kernel/2142236
Better read the full thread:
<http://thread.gmane.org/gmane.linux.kernel/2142236>; the suspected bad
patch is
unix: avoid use-after-free in ep_remove_wait_queue
Philipp
next prev parent reply other threads:[~2016-02-12 8:45 UTC|newest]
Thread overview: 80+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-11 13:59 [PATCH 3.12 00/64] 3.12.54-stable review Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 01/64] ALSA: rme96: Fix unexpected volume reset after rate changes Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 02/64] ALSA: hda - Add inverted dmic for Packard Bell DOTS Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 03/64] ALSA: hda - Set SKL+ hda controller power at freeze() and thaw() Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 04/64] ALSA: hda/realtek - Fix silent headphone output on MacPro 4,1 (v2) Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 05/64] ALSA: seq: Fix missing NULL check at remove_events ioctl Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 06/64] ALSA: seq: Fix race at timer setup and close Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 07/64] ALSA: timer: Harden slave timer list handling Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 08/64] ALSA: timer: Fix race among timer ioctls Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 09/64] ALSA: timer: Fix double unlink of active_list Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 10/64] ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 11/64] ALSA: pcm: Fix snd_pcm_hw_params struct copy " Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 12/64] ALSA: hrtimer: Fix stall by hrtimer_cancel() Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 13/64] ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0 Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 14/64] ASoC: wm8962: correct addresses for HPF_C_0/1 Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 15/64] ASoC: arizona: Fix bclk for sample rates that are multiple of 4kHz Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 16/64] ASoC: compress: Fix compress device direction check Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 17/64] usb: xhci: fix config fail of FS hub behind a HS hub with MTT Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 18/64] USB: ipaq.c: fix a timeout loop Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 19/64] USB: cp210x: add ID for ELV Marble Sound Board 1 Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 20/64] xhci: refuse loading if nousb is used Jiri Slaby
2016-02-16 3:06 ` Ben Hutchings
2016-02-16 8:49 ` Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 21/64] ARM: 8158/1: LLVMLinux: use static inline in ARM ftrace.h Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 22/64] ARM: 8160/1: drop warning about return_address not using unwind tables Jiri Slaby
2016-02-11 13:58 ` [PATCH 3.12 23/64] drm/radeon: cypress_dpm: Fix unused variable warning when CONFIG_ACPI=n Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 24/64] drm: radeon: ni_dpm: " Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 25/64] lkdtm: adjust recursion size to avoid warnings Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 26/64] RDMA/cxgb4: Fix gcc warning on 32-bit arch Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 27/64] mISDN: avoid arch specific __builtin_return_address call Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 28/64] veth: don’t modify ip_summed; doing so treats packets with bad checksums as good Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 29/64] ipv6/addrlabel: fix ip6addrlbl_get() Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 30/64] sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 31/64] connector: bump skb->users before callback invocation Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 32/64] unix: properly account for FDs passed over unix sockets Jiri Slaby
2016-02-11 17:32 ` Willy Tarreau
2016-02-12 7:57 ` Jiri Slaby
2016-02-12 8:45 ` Philipp Hahn [this message]
2016-02-12 9:03 ` Willy Tarreau
2016-02-11 13:59 ` [PATCH 3.12 33/64] bridge: Only call /sbin/bridge-stp for the initial network namespace Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 34/64] net: sctp: prevent writes to cookie_hmac_alg from accessing invalid memory Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 35/64] ipv6: tcp: add rcu locking in tcp_v6_send_synack() Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 36/64] tcp_yeah: don't set ssthresh below 2 Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 37/64] phonet: properly unshare skbs in phonet_rcv() Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 38/64] ipv6: update skb->csum when CE mark is propagated Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 39/64] team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 40/64] xfrm: dst_entries_init() per-net dst_ops Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 41/64] powerpc/tm: Block signal return setting invalid MSR state Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 42/64] powerpc: Make value-returning atomics fully ordered Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 43/64] powerpc: Make {cmp}xchg* and their atomic_ versions " Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 44/64] scripts/recordmcount.pl: support data in text section on powerpc Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 45/64] arm64: KVM: Fix AArch32 to AArch64 register mapping Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 46/64] arm64: fix building without CONFIG_UID16 Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 47/64] arm64: Clear out any singlestep state on a ptrace detach operation Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 48/64] arm64: mm: ensure that the zero page is visible to the page table walker Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 49/64] parisc iommu: fix panic due to trying to allocate too large region Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 50/64] HID: core: Avoid uninitialized buffer access Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 51/64] mn10300: Select CONFIG_HAVE_UID16 to fix build failure Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 52/64] arm64: restore bogomips information in /proc/cpuinfo Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 53/64] compiler/gcc4+: Remove inaccurate comment about 'asm goto' miscompiles Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 54/64] compiler-gcc: integrate the various compiler-gcc[345].h files Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 55/64] x86: vvar, fix excessive gcc-6 DECLARE_VVAR warnings Jiri Slaby
2016-02-12 16:42 ` Andy Lutomirski
2016-02-11 13:59 ` [PATCH 3.12 56/64] openrisc: fix CONFIG_UID16 setting Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 57/64] vmstat: explicitly schedule per-cpu work on the CPU we need it to run on Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 58/64] Revert "workqueue: make sure delayed work run in local cpu" Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 59/64] xhci: fix placement of call to usb_disabled() Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 60/64] recordmcount: Fix endianness handling bug for nop_mcount Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 61/64] crypto: algif_hash - Only export and import on sockets with data Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 62/64] dm btree: fix leak of bufio-backed block in btree_split_sibling error path Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 63/64] drivers/base/memory.c: prohibit offlining of memory blocks with missing sections Jiri Slaby
2016-02-11 13:59 ` [PATCH 3.12 64/64] HID: usbhid: fix recursive deadlock Jiri Slaby
2016-02-11 14:09 ` [PATCH 3.12 00/64] 3.12.54-stable review Nikolay Borisov
2016-02-11 14:10 ` Jiri Slaby
2016-02-11 14:12 ` Jiri Slaby
2016-02-11 14:17 ` [PATCH 3.12 65/65] dm thin: fix race condition when destroying thin pool workqueue Jiri Slaby
2016-02-11 18:17 ` [PATCH 3.12 00/64] 3.12.54-stable review Guenter Roeck
2016-02-11 19:26 ` Shuah Khan
2016-02-15 15:20 ` Jiri Slaby
2016-02-15 16:10 ` Winkler, Tomas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56BD9BA2.2060706@pmhahn.de \
--to=pmhahn@pmhahn.de \
--cc=davem@davemloft.net \
--cc=hannes@stressinduktion.org \
--cc=jslaby@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.