From patchwork Sat Sep 4 06:58:59 2010
X-Patchwork-Submitter: Tetsuo Handa
X-Patchwork-Id: 63757
X-Patchwork-Delegate: davem@davemloft.net
Message-Id: <201009040658.o846wxnU028775@www262.sakura.ne.jp>
Subject: [PATCH] UNIX: Do not loop forever at unix_autobind().
From: Tetsuo Handa
To: eric.dumazet@gmail.com
Cc: netdev@vger.kernel.org
Date: Sat, 04 Sep 2010 15:58:59 +0900
References: <201008212101.IJG87048.QMOHFtSOVOLFFJ@I-love.SAKURA.ne.jp> <201008302227.DJH30258.OQFMFtFJOOVSHL@I-love.SAKURA.ne.jp> <1283370450.2484.19.camel@edumazet-laptop>
In-Reply-To: <1283370450.2484.19.camel@edumazet-laptop>
X-Mailing-List: netdev@vger.kernel.org

From a67ccbb8033993df29f26bde9944e37bffe4fc1b Mon Sep 17 00:00:00 2001
From: Tetsuo Handa
Date: Sat, 4 Sep 2010 15:22:22 +0900
Subject: [PATCH] UNIX: Do not loop forever at unix_autobind().

We assumed that unix_autobind() never fails if kzalloc() succeeded. But
unix_autobind() allows only 1048576 names. If /proc/sys/fs/file-max is
larger than 1048576 (e.g. systems with more than 10GB of RAM), a local
user can consume all names using fork()/socket()/bind().

If all names are in use, those who call bind() with addr_len == sizeof(short)
or connect()/sendmsg() with setsockopt(SO_PASSCRED) will continue
while (1) yield(); loop at unix_autobind() till a name becomes available.

This patch changes unix_autobind() to fail if all names are in use.

Note that currently a local user can consume 2GB of kernel memory if the
user is allowed to create and autobind 1048576 UNIX domain sockets.
We should consider adding some restriction for autobind operation.

Signed-off-by: Tetsuo Handa
---
 net/unix/af_unix.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 4414a18..46fc6b2 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -692,6 +692,7 @@ static int unix_autobind(struct socket *sock) static u32 ordernum = 1; struct unix_address *addr; int err; + u32 stop_ordernum; mutex_lock(&u->readlock);
@@ -706,6 +707,7 @@ static int unix_autobind(struct socket *sock) addr->name->sun_family = AF_UNIX; atomic_set(&addr->refcnt, 1); + stop_ordernum = ordernum; retry: addr->len = sprintf(addr->name->sun_path+1, "%05x", ordernum) + 1 + sizeof(short); @@ -720,6 +722,12 @@ retry: /* Sanity yield. It is unusual case, but yet... */ if (!(ordernum&0xFF)) yield(); + /* Give up if all names are in use. */ + if (ordernum == stop_ordernum) { + err = -ENOMEM; + kfree(addr); + goto out; + } goto retry; } addr->hash ^= sk->sk_type;
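Review bot: `stop_ordernum = ordernum;` in the second hunk snapshots a counter that the first hunk shows is a function-level `static` shared by every socket that autobinds, so the exit test `ordernum == stop_ordernum` added in the last hunk is only reliable when this caller is the sole task advancing `ordernum`. If another task autobinds between two of this caller's iterations, `ordernum` can step past `stop_ordernum` without this caller ever observing equality, and the loop the patch is meant to bound keeps spinning until a name frees up, which is exactly the situation the commit message describes. A per-call iteration counter bounded by the size of the name space (the commit message gives 1048576 names, i.e. the 0x100000 values the `"%05x"` field can take) does not depend on what other callers do: replace `u32 stop_ordernum;` with `unsigned int retries = 0;`, drop the snapshot before `retry:`, and test `if (++retries == 0x100000)` where the patch tests `ordernum == stop_ordernum`.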
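Review bot: returning `-ENOMEM` from the new `if (ordernum == stop_ordernum)` branch in the third hunk tells the caller that a memory allocation failed, while the `kzalloc()` just above has succeeded and the real condition is that every one of the 1048576 autobind names is taken; an application or administrator reading that errno will go looking for memory pressure instead of socket-name exhaustion. `-ENOSPC` describes a full name space more accurately and keeps `-ENOMEM` meaning what it means elsewhere in this function. The comment `/* Give up if all names are in use. */` could also say that this is the bound on the `goto retry` loop, since a reader of the retry block otherwise sees only the "Sanity yield" comment.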
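The commit message describes a name space of 1048576 autobind names whose exhaustion by a local user is the precondition for the endless loop this patch removes. As an added example (not part of the patch or of the mailing-list thread), the following Python script shows how an administrator can watch how much of that name space is in use on a running system: it parses the text format of /proc/net/unix, where an abstract-namespace socket is printed with a leading `@`, and counts entries whose name is exactly five lowercase hex digits, the shape the `"%05x"` format in the hunk produces. The sample lines embedded in the script are constructed, and the function names, the 90% warning threshold and the counting heuristic are this example's own assumptions (the kernel does not flag autobound sockets, so a user-chosen five-hex-digit abstract name is counted as well).

```python
"""Estimate how much of the UNIX autobind name space is in use.

Added example: parses /proc/net/unix text and counts abstract-namespace
entries shaped like unix_autobind()'s "%05x" names.
"""
import re
from typing import Dict, Iterable, Tuple

# unix_autobind() masks its counter with 0xFFFFF and prints it with "%05x",
# so there are 0x100000 (1048576) possible autobind names.
AUTOBIND_NAMESPACE = 0x100000

# /proc/net/unix prints abstract-namespace names with a leading '@'.
# An autobind name is '@' followed by exactly five lowercase hex digits.
# Heuristic (assumption): a user-chosen abstract name of that shape is
# indistinguishable from an autobound one and is counted as well.
_AUTOBIND_NAME = re.compile(r"^@[0-9a-f]{5}$")

# Constructed sample in the /proc/net/unix format; not data from a real host.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
ffff8800395a8000: 00000002 00000000 00010000 0001 01 12345 /run/systemd/journal/stdout
ffff8800395a8400: 00000002 00000000 00000000 0002 01 12346 @00001
ffff8800395a8800: 00000002 00000000 00000000 0002 01 12347 @00002
ffff8800395a8c00: 00000002 00000000 00010000 0001 01 12348 @/tmp/.X11-unix/X0
ffff8800395a9000: 00000002 00000000 00000000 0002 01 12349
ffff8800395a9400: 00000002 00000000 00000000 0002 01 12350 @fffff
"""


def count_autobind_names(lines: Iterable[str]) -> Tuple[int, int]:
    """Return (autobind_like_names, total_sockets) for /proc/net/unix lines.

    Columns are: Num RefCount Protocol Flags Type St Inode [Path]; the path
    column is absent for sockets that carry no name at all.
    """
    total = 0
    autobind = 0
    for line in lines:
        fields = line.split()
        if len(fields) < 7 or fields[0] == "Num":
            continue  # header line, blank line, or a row we do not understand
        total += 1
        if len(fields) >= 8 and _AUTOBIND_NAME.match(fields[7]):
            autobind += 1
    return autobind, total


def autobind_report(lines: Iterable[str], warn_fraction: float = 0.9) -> Dict[str, object]:
    """Summarise name-space usage and flag it once it reaches warn_fraction."""
    autobind, total = count_autobind_names(lines)
    fraction = autobind / AUTOBIND_NAMESPACE
    return {
        "autobind_names": autobind,
        "total_sockets": total,
        "namespace_size": AUTOBIND_NAMESPACE,
        "fraction_used": fraction,
        "warning": fraction >= warn_fraction,
    }


def live_report(path: str = "/proc/net/unix") -> Dict[str, object]:
    """Run the report against the running kernel (Linux only)."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return autobind_report(fh)


if __name__ == "__main__":
    import json
    try:
        print(json.dumps(live_report(), indent=2))
    except OSError:
        # Not on Linux or /proc unavailable: demonstrate on the sample instead.
        print(json.dumps(autobind_report(SAMPLE_PROC_NET_UNIX.splitlines()), indent=2))
```

On the constructed sample the report counts three autobind-shaped names out of six sockets; on a live host the interesting signal is the `fraction_used` value climbing towards 1.0, which is when unpatched kernels start spinning in unix_autobind() and patched ones start returning an error to bind()/connect()/sendmsg() callers.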