git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Eric Dumazet <eric.dumazet@gmail.com>
	Thu, 25 Nov 2010 04:11:39 +0000 (04:11 +0000)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Mon, 9 May 2011 22:55:36 +0000 (15:55 -0700)
commit	6019f3837946cd5872ed473cd492d90c49228ee3
tree	c69c57146c7998045e02daed834e99546a106ee5	tree \| snapshot
parent	84daae5dc885913953823b1303e1fbbbb38a5a53	commit \| diff

af_unix: limit recursion level

commit 25888e30319f8896fc656fc68643e6a078263060 upstream.

Its easy to eat all kernel memory and trigger NMI watchdog, using an
exploit program that queues unix sockets on top of others.

lkml ref : http://lkml.org/lkml/2010/11/25/8

This mechanism is used in applications, one choice we have is to have a
recursion limit.

Other limits might be needed as well (if we queue other types of files),
since the passfd mechanism is currently limited by socket receive queue
sizes only.

Add a recursion_level to unix socket, allowing up to 4 levels.

Each time we send an unix socket through sendfd mechanism, we copy its
recursion level (plus one) to receiver. This recursion level is cleared
when socket receive queue is emptied.

Reported-by: Марк Коренберг <socketpair@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Adjust for 2.6.32]
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

include/net/af_unix.h		diff \| blob \| history
net/unix/af_unix.c		diff \| blob \| history
net/unix/garbage.c		diff \| blob \| history