From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>,
	Philipp Hahn <pmhahn@pmhahn.de>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	Sasha Levin <sasha.levin@oracle.com>,
	"David S. Miller" <davem@davemloft.net>,
	linux-kernel@vger.kernel.org, Karolin Seeger <kseeger@samba.org>,
	Jason Baron <jbaron@akamai.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Arvid Requate <requate@univention.de>,
	Stefan Gohmann <gohmann@univention.de>,
	netdev@vger.kernel.org
Subject: Re: [PATCH net] af_unix: Guard against other == sk in unix_dgram_sendmsg
Date: Fri, 12 Feb 2016 20:17:31 +0000
Message-ID: <87egchadk4.fsf@doppelsaurus.mobileactivedefense.com>
In-Reply-To: <1455306847.2801.45.camel@decadent.org.uk> (Ben Hutchings's message of "Fri, 12 Feb 2016 19:54:07 +0000")

Ben Hutchings <ben@decadent.org.uk> writes:
> On Fri, 2016-02-12 at 13:25 +0000, Rainer Weikusat wrote:
>> Philipp Hahn <pmhahn@pmhahn.de> writes:
>> > Hello Rainer,
>> > 
>> > On 11.02.2016 at 20:37, Rainer Weikusat wrote:
>> > > The unix_dgram_sendmsg routine uses the following test
>> > > 
>> > > if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
>> 
>> [...]
>> 
>> > > This isn't correct as the specified address could have been bound to
>> > > the sending socket itself
>> 
>> [...]
>> 
>> > After applying that patch at least my machine running the samba test no
>> > longer crashes.
>> 
>> There's a possible gotcha in there: Send-to-self used to be limited by
>> the queue limit. But the rationale for that (IIRC) was that someone
>> could keep using newly created sockets to queue ever more data to a
>> single, unrelated receiver. I don't think this should apply when
>> receiving and sending sockets are identical. But that's just my
>> opinion. The other option would be to avoid the unix_state_double_lock
>> for sk == other.
>
> Given that unix_state_double_lock() already handles sk == other, I'm
> not sure why you think it needs to be avoided.

Because the whole complication of restarting the operation after locking
both sk and other because other had to be unlocked before calling
unix_state_double_lock is useless for this case: As other == sk, there's
no reason to drop the lock on it which guarantees that the result of all
the earlier checks is still valid: If the -EAGAIN condition is not true,
execution can just continue.

>> I'd be willing to change this accordingly if someone
>> thinks the queue limit should apply to send-to-self.
>
> If we don't check the queue limit here, does anything else prevent the
> queue growing to the point it's a DoS?

The max_dgram_qlen limit exists specifically to prevent someone sending
'a lot' of messages to a socket unrelated to it by repeatedly creating a
socket, sending as many messages as the send buffer size will allow,
closing the socket, creating a new socket, ..., cf.

http://netdev.vger.kernel.narkive.com/tcZIFJeC/get-rid-of-proc-sys-net-unix-max-dgram-qlen#post4
(first copy I found)

This 'attack' will obviously not work very well when sending and
receiving socket are identical.
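The max_dgram_qlen limit described above, as an added user-space example that is not part of this thread or of the patch: the function names, the temporary socket path under /tmp and the one-byte message are my choices. An unconnected AF_UNIX datagram sender (so unix_peer(other) != sk and the receive-queue check applies) writes non-blocking datagrams to a bound receiver that never reads, and the program counts how many the kernel accepts before refusing with EAGAIN. It also reads /proc/sys/net/unix/max_dgram_qlen so the reader can see whether the queue-length limit or the sender's send-buffer accounting stopped it first.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Safety cap so the probe loop terminates even on a kernel without a queue limit. */
#define SEND_CAP 100000

/* Reads the sysctl the thread refers to; returns -1 if it is not readable. */
long read_max_dgram_qlen(void)
{
    FILE *f = fopen("/proc/sys/net/unix/max_dgram_qlen", "r");
    long v = -1;
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/*
 * Queues 1-byte datagrams from an unconnected, non-blocking sender onto a
 * bound receiver that never reads, until the kernel refuses.  Returns the
 * number of datagrams accepted (-1 on setup failure) and sets *hit_eagain
 * to 1 if the refusal was EAGAIN, i.e. the sender was told to wait.
 */
int count_queueable_dgrams(int *hit_eagain)
{
    char dir[] = "/tmp/unixdg-XXXXXX";   /* constructed temporary location (assumption) */
    struct sockaddr_un addr;
    int rx = -1, tx = -1, n = 0, ok = 0;

    *hit_eagain = 0;
    if (!mkdtemp(dir))
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof addr.sun_path, "%s/sock", dir);

    rx = socket(AF_UNIX, SOCK_DGRAM, 0);
    tx = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0)
        goto out;
    if (bind(rx, (struct sockaddr *)&addr, sizeof addr) < 0)
        goto out;
    if (fcntl(tx, F_SETFL, fcntl(tx, F_GETFL) | O_NONBLOCK) < 0)
        goto out;
    ok = 1;

    /* tx is not connected to rx, so unix_peer(rx) != tx and the receive-queue
     * limit applies: the sender is unrelated to the receiver, which is the
     * case the limit exists for. */
    while (n < SEND_CAP) {
        if (sendto(tx, "x", 1, 0, (struct sockaddr *)&addr, sizeof addr) < 0) {
            if (errno == EAGAIN || errno == EWOULDBLOCK)
                *hit_eagain = 1;
            break;
        }
        n++;
    }
out:
    if (tx >= 0) close(tx);
    if (rx >= 0) close(rx);
    unlink(addr.sun_path);
    rmdir(dir);
    return ok ? n : -1;
}

int main(void)
{
    int hit = 0;
    int n = count_queueable_dgrams(&hit);
    long qlen = read_max_dgram_qlen();

    printf("max_dgram_qlen = %ld\n", qlen);
    printf("datagrams accepted before refusal: %d (EAGAIN: %s)\n",
           n, hit ? "yes" : "no");
    /* unix_recvq_full() refuses once qlen > max_dgram_qlen, so the queue
     * length limit shows up as exactly max_dgram_qlen + 1 accepted messages. */
    if (qlen > 0 && n == qlen + 1)
        printf("stopped by the receive-queue length limit\n");
    else if (hit)
        printf("stopped by the sender's send-buffer accounting first\n");
    return n > 0 ? 0 : 1;
}
```

Whichever limit fires first, the count is bounded by max_dgram_qlen + 1, which is the property Ben's DoS question is about for the unrelated-sender case; the thread's point is that this bound is not what protects against a socket queuing messages to itself.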


Thread overview: 17+ messages
2016-02-02 16:25 Bug 4.1.16: self-detected stall in net/unix/? Philipp Hahn
2016-02-03  1:43 ` Hannes Frederic Sowa
2016-02-05 15:28   ` Philipp Hahn
2016-02-11 13:47     ` Philipp Hahn
2016-02-11 15:55       ` Rainer Weikusat
2016-02-11 17:03         ` Ben Hutchings
2016-02-11 17:40           ` Rainer Weikusat
2016-02-11 17:54             ` Rainer Weikusat
2016-02-11 18:31             ` Rainer Weikusat
2016-02-11 19:37               ` [PATCH net] af_unix: Guard against other == sk in unix_dgram_sendmsg Rainer Weikusat
2016-02-12  9:19                 ` Philipp Hahn
2016-02-12 13:25                   ` Rainer Weikusat
2016-02-12 19:54                     ` Ben Hutchings
2016-02-12 20:17                       ` Rainer Weikusat [this message]
2016-02-12 20:47                         ` Ben Hutchings
2016-02-12 20:59                           ` Rainer Weikusat
2016-02-16 17:54                 ` David Miller
