[PATCH 1/6] af_unix: limit unix_tot_inflight CVE-2010-4249

Stefan Bader stefan.bader at canonical.com
Mon Jul 4 14:48:23 UTC 2011


On 04.07.2011 16:08, paolo.pisati at canonical.com wrote:
> From: Eric Dumazet <eric.dumazet at gmail.com>
> 
> CVE-2010-4249
> 
> BugLink: http://bugs.launchpad.net/bugs/769182
> 
> commit upstream 9915672d41273f5b77f1b3c29b391ffb7732b84b
> 
> Vegard Nossum found a unix socket OOM was possible, posting an exploit
> program.
> 
> My analysis is we can eat all LOWMEM memory before unix_gc() is
> called from unix_release_sock(). Moreover, the thread blocked in
> unix_gc() can consume a huge amount of time to perform cleanup because of
> its huge working set.
> 
> One way to handle this is to have a sensible limit on unix_tot_inflight,
> tested from wait_for_unix_gc() and to force a call to unix_gc() if this
> limit is hit.
> 
> This solves the OOM and also reduces overall latencies, and should not
> slow down normal workloads.
> 
> Reported-by: Vegard Nossum <vegard.nossum at gmail.com>
> Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>

Only adding this as there was another comment on another patch. Below this would
look like Brad did something before and you applied it. Or did you pick it up
from a later ubuntu branch and not from upstream?

> Signed-off-by: Brad Figg <brad.figg at canonical.com>
> Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
> ---
>  net/unix/garbage.c |    7 +++++++
>  1 files changed, 7 insertions(+), 0 deletions(-)
> 
> diff --git a/net/unix/garbage.c b/net/unix/garbage.c
> index 07499a5..dc2cb61 100644
> --- a/net/unix/garbage.c
> +++ b/net/unix/garbage.c
> @@ -269,9 +269,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
>  }
>  
>  static bool gc_in_progress = false;
> +#define UNIX_INFLIGHT_TRIGGER_GC 16000
>  
>  void wait_for_unix_gc(void)
>  {
> +	/*
> +	 * If number of inflight sockets is insane,
> +	 * force a garbage collect right now.
> +	 */
> +	if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
> +		unix_gc();
>  	wait_event(unix_gc_wait, gc_in_progress == false);
>  }
>  
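Review bot: the `!gc_in_progress` test added to wait_for_unix_gc() reads the flag without any lock held, so two callers that cross the threshold at the same moment can both observe it false and both enter unix_gc(); that is only harmless if unix_gc() re-checks gc_in_progress under its own lock, which this hunk does not show, so please confirm it does or move the check under that lock. Separately, `#define UNIX_INFLIGHT_TRIGGER_GC 16000` is dropped between a static variable and the function with no justification for the value; a one-line comment on how 16000 was chosen (roughly what amount of LOWMEM that many in-flight fds can pin) would help anyone tuning it later, since the commit message only calls it a "sensible limit".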
