linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Local DoS on single_open?
@ 2003-09-11  4:42 Keith Owens
  2003-09-11  4:51 ` Nick Piggin
  2003-09-11  4:55 ` viro
  0 siblings, 2 replies; 7+ messages in thread
From: Keith Owens @ 2003-09-11  4:42 UTC (permalink / raw)
  To: linux-kernel

single_open() requires the kernel to kmalloc a buffer which lives until
the userspace caller closes the file.  What prevents a malicious user
opening the same /proc entry multiple times, allocating lots of kmalloc
space and causing a local DoS?


^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: Local DoS on single_open?
  2003-09-11  4:42 Local DoS on single_open? Keith Owens
@ 2003-09-11  4:51 ` Nick Piggin
  2003-09-11  7:04   ` Keith Owens
  2003-09-11  4:55 ` viro
  1 sibling, 1 reply; 7+ messages in thread
From: Nick Piggin @ 2003-09-11  4:51 UTC (permalink / raw)
  To: Keith Owens; +Cc: linux-kernel



Keith Owens wrote:

>single_open() requires the kernel to kmalloc a buffer which lives until
>the userspace caller closes the file.  What prevents a malicious user
>opening the same /proc entry multiple times, allocating lots of kmalloc
>space and causing a local DoS?
>  
>

ulimit?



^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: Local DoS on single_open?
  2003-09-11  4:42 Local DoS on single_open? Keith Owens
  2003-09-11  4:51 ` Nick Piggin
@ 2003-09-11  4:55 ` viro
  2003-09-11  7:26   ` Keith Owens
  1 sibling, 1 reply; 7+ messages in thread
From: viro @ 2003-09-11  4:55 UTC (permalink / raw)
  To: Keith Owens; +Cc: linux-kernel

On Thu, Sep 11, 2003 at 02:42:13PM +1000, Keith Owens wrote:
> single_open() requires the kernel to kmalloc a buffer which lives until
> the userspace caller closes the file.  What prevents a malicious user
> opening the same /proc entry multiple times, allocating lots of kmalloc
> space and causing a local DoS?

Size of that buffer is limited.  IOW, it's not different from opening
e.g. a shitload of pipes or sockets.

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: Local DoS on single_open?
  2003-09-11  4:51 ` Nick Piggin
@ 2003-09-11  7:04   ` Keith Owens
  2003-09-11  7:29     ` viro
  0 siblings, 1 reply; 7+ messages in thread
From: Keith Owens @ 2003-09-11  7:04 UTC (permalink / raw)
  To: linux-kernel

On Thu, 11 Sep 2003 14:51:09 +1000, 
Nick Piggin <piggin@cyberone.com.au> wrote:
>Keith Owens wrote:
>
>>single_open() requires the kernel to kmalloc a buffer which lives until
>>the userspace caller closes the file.  What prevents a malicious user
>>opening the same /proc entry multiple times, allocating lots of kmalloc
>>space and causing a local DoS?
>>  
>>
>
>ulimit?

ulimit has no effect on kmalloc usage.


^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: Local DoS on single_open?
  2003-09-11  4:55 ` viro
@ 2003-09-11  7:26   ` Keith Owens
  2003-09-11  7:32     ` viro
  0 siblings, 1 reply; 7+ messages in thread
From: Keith Owens @ 2003-09-11  7:26 UTC (permalink / raw)
  To: linux-kernel

On Thu, 11 Sep 2003 05:55:07 +0100, 
viro@parcelfarce.linux.theplanet.co.uk wrote:
>On Thu, Sep 11, 2003 at 02:42:13PM +1000, Keith Owens wrote:
>> single_open() requires the kernel to kmalloc a buffer which lives until
>> the userspace caller closes the file.  What prevents a malicious user
>> opening the same /proc entry multiple times, allocating lots of kmalloc
>> space and causing a local DoS?
>
>Size of that buffer is limited.  IOW, it's not different from opening
>e.g. a shitload of pipes or sockets.

In some cases, the buffer size is set to hold _all_ of the output for
that particular /proc file and will be much larger than the data
reserved for files and sockets.  It is a difference in scale.

fs/proc/proc_misc.c		stat_open
fs/proc/proc_misc.c		interrupts_open
kernel/dma.c			proc_dma_open

All those functions will kmalloc a reasonably sized buffer then let the
user control the lifetime of that buffer.  Looks like a recipe for a
local DoS to me.


^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: Local DoS on single_open?
  2003-09-11  7:04   ` Keith Owens
@ 2003-09-11  7:29     ` viro
  0 siblings, 0 replies; 7+ messages in thread
From: viro @ 2003-09-11  7:29 UTC (permalink / raw)
  To: Keith Owens; +Cc: linux-kernel

On Thu, Sep 11, 2003 at 05:04:48PM +1000, Keith Owens wrote:
> On Thu, 11 Sep 2003 14:51:09 +1000, 
> Nick Piggin <piggin@cyberone.com.au> wrote:
> >Keith Owens wrote:
> >
> >>single_open() requires the kernel to kmalloc a buffer which lives until
> >>the userspace caller closes the file.  What prevents a malicious user
> >>opening the same /proc entry multiple times, allocating lots of kmalloc
> >>space and causing a local DoS?
> >>  
> >>
> >
> >ulimit?
> 
> ulimit has no effect on kmalloc usage.

You do realize that struct file is also kmalloc'ed?  So are dentries and
inodes, for that matter.  It's the same situation as with pipes and sockets.

^ permalink raw reply	[flat|nested] 7+ messages in thread
* Re: Local DoS on single_open?
  2003-09-11  7:26   ` Keith Owens
@ 2003-09-11  7:32     ` viro
  0 siblings, 0 replies; 7+ messages in thread
From: viro @ 2003-09-11  7:32 UTC (permalink / raw)
  To: Keith Owens; +Cc: linux-kernel

On Thu, Sep 11, 2003 at 05:26:54PM +1000, Keith Owens wrote:
> On Thu, 11 Sep 2003 05:55:07 +0100, 
> viro@parcelfarce.linux.theplanet.co.uk wrote:
> >On Thu, Sep 11, 2003 at 02:42:13PM +1000, Keith Owens wrote:
> >> single_open() requires the kernel to kmalloc a buffer which lives until
> >> the userspace caller closes the file.  What prevents a malicious user
> >> opening the same /proc entry multiple times, allocating lots of kmalloc
> >> space and causing a local DoS?
> >
> >Size of that buffer is limited.  IOW, it's not different from opening
> >e.g. a shitload of pipes or sockets.
> 
> In some cases, the buffer size is set to hold _all_ of the output for
> that particular /proc file and will be much larger than the data
> reserved for files and sockets.  It is a difference in scale.
> 
> fs/proc/proc_misc.c		stat_open
> fs/proc/proc_misc.c		interrupts_open
> kernel/dma.c			proc_dma_open
> 
> All those functions will kmalloc a reasonably sized buffer then let the
> user control the lifetime of that buffer.  Looks like a recipe for a
> local DoS to me.

struct file: 256 bytes due to cacheline alignment
struct dentry: 128 bytes, IIRC
struct inode: either 256 bytes or 512 bytes.
struct socket and struct sock: bugger if I remember, but it's not small.

^ permalink raw reply	[flat|nested] 7+ messages in thread
end of thread, other threads:[~2003-09-11  7:32 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2003-09-11  4:42 Local DoS on single_open? Keith Owens
2003-09-11  4:51 ` Nick Piggin
2003-09-11  7:04   ` Keith Owens
2003-09-11  7:29     ` viro
2003-09-11  4:55 ` viro
2003-09-11  7:26   ` Keith Owens
2003-09-11  7:32     ` viro

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).