diff options
| author | Hannes Frederic Sowa <hannes@stressinduktion.org> | 2016-02-02 20:11:03 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-02-08 10:30:42 -0500 |
| commit | 415e3d3e90ce9e18727e8843ae343eda5a58fad6 (patch) | |
| tree | 529751765d40af6f6cfcafdc1c92b1dcafb5c8da /net | |
| parent | aa7b45378059a3eba1529d76f6d0b367ba614646 (diff) | |
unix: correctly track in-flight fds in sending process user_struct
The commit referenced in the Fixes tag incorrectly accounted the number
of in-flight fds over a unix domain socket to the original opener
of the file-descriptor. This allows another process to arbitrary
deplete the original file-openers resource limit for the maximum of
open files. Instead the sending processes and its struct cred should
be credited.
To do so, we add a reference counted struct user_struct pointer to the
scm_fp_list and use it to account for the number of inflight unix fds.
Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
Reported-by: David Herrmann <dh.herrmann@gmail.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/scm.c | 7 | ||||
| -rw-r--r-- | net/unix/af_unix.c | 4 | ||||
| -rw-r--r-- | net/unix/garbage.c | 8 |
3 files changed, 13 insertions, 6 deletions
diff --git a/net/core/scm.c b/net/core/scm.c index 14596fb37172..2696aefdc148 100644 --- a/net/core/scm.c +++ b/net/core/scm.c | |||
| @@ -87,6 +87,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) | |||
| 87 | *fplp = fpl; | 87 | *fplp = fpl; |
| 88 | fpl->count = 0; | 88 | fpl->count = 0; |
| 89 | fpl->max = SCM_MAX_FD; | 89 | fpl->max = SCM_MAX_FD; |
| 90 | fpl->user = NULL; | ||
| 90 | } | 91 | } |
| 91 | fpp = &fpl->fp[fpl->count]; | 92 | fpp = &fpl->fp[fpl->count]; |
| 92 | 93 | ||
| @@ -107,6 +108,10 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) | |||
| 107 | *fpp++ = file; | 108 | *fpp++ = file; |
| 108 | fpl->count++; | 109 | fpl->count++; |
| 109 | } | 110 | } |
| 111 | |||
| 112 | if (!fpl->user) | ||
| 113 | fpl->user = get_uid(current_user()); | ||
| 114 | |||
| 110 | return num; | 115 | return num; |
| 111 | } | 116 | } |
| 112 | 117 | ||
| @@ -119,6 +124,7 @@ void __scm_destroy(struct scm_cookie *scm) | |||
| 119 | scm->fp = NULL; | 124 | scm->fp = NULL; |
| 120 | for (i=fpl->count-1; i>=0; i--) | 125 | for (i=fpl->count-1; i>=0; i--) |
| 121 | fput(fpl->fp[i]); | 126 | fput(fpl->fp[i]); |
| 127 | free_uid(fpl->user); | ||
| 122 | kfree(fpl); | 128 | kfree(fpl); |
| 123 | } | 129 | } |
| 124 | } | 130 | } |
| @@ -336,6 +342,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) | |||
| 336 | for (i = 0; i < fpl->count; i++) | 342 | for (i = 0; i < fpl->count; i++) |
| 337 | get_file(fpl->fp[i]); | 343 | get_file(fpl->fp[i]); |
| 338 | new_fpl->max = new_fpl->count; | 344 | new_fpl->max = new_fpl->count; |
| 345 | new_fpl->user = get_uid(fpl->user); | ||
| 339 | } | 346 | } |
| 340 | return new_fpl; | 347 | return new_fpl; |
| 341 | } | 348 | } |
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 49d5093eb055..29be035f9c65 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c | |||
| @@ -1496,7 +1496,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb) | |||
| 1496 | UNIXCB(skb).fp = NULL; | 1496 | UNIXCB(skb).fp = NULL; |
| 1497 | 1497 | ||
| 1498 | for (i = scm->fp->count-1; i >= 0; i--) | 1498 | for (i = scm->fp->count-1; i >= 0; i--) |
| 1499 | unix_notinflight(scm->fp->fp[i]); | 1499 | unix_notinflight(scm->fp->user, scm->fp->fp[i]); |
| 1500 | } | 1500 | } |
| 1501 | 1501 | ||
| 1502 | static void unix_destruct_scm(struct sk_buff *skb) | 1502 | static void unix_destruct_scm(struct sk_buff *skb) |
| @@ -1561,7 +1561,7 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) | |||
| 1561 | return -ENOMEM; | 1561 | return -ENOMEM; |
| 1562 | 1562 | ||
| 1563 | for (i = scm->fp->count - 1; i >= 0; i--) | 1563 | for (i = scm->fp->count - 1; i >= 0; i--) |
| 1564 | unix_inflight(scm->fp->fp[i]); | 1564 | unix_inflight(scm->fp->user, scm->fp->fp[i]); |
| 1565 | return max_level; | 1565 | return max_level; |
| 1566 | } | 1566 | } |
| 1567 | 1567 | ||
diff --git a/net/unix/garbage.c b/net/unix/garbage.c index 8fcdc2283af5..6a0d48525fcf 100644 --- a/net/unix/garbage.c +++ b/net/unix/garbage.c | |||
| @@ -116,7 +116,7 @@ struct sock *unix_get_socket(struct file *filp) | |||
| 116 | * descriptor if it is for an AF_UNIX socket. | 116 | * descriptor if it is for an AF_UNIX socket. |
| 117 | */ | 117 | */ |
| 118 | 118 | ||
| 119 | void unix_inflight(struct file *fp) | 119 | void unix_inflight(struct user_struct *user, struct file *fp) |
| 120 | { | 120 | { |
| 121 | struct sock *s = unix_get_socket(fp); | 121 | struct sock *s = unix_get_socket(fp); |
| 122 | 122 | ||
| @@ -133,11 +133,11 @@ void unix_inflight(struct file *fp) | |||
| 133 | } | 133 | } |
| 134 | unix_tot_inflight++; | 134 | unix_tot_inflight++; |
| 135 | } | 135 | } |
| 136 | fp->f_cred->user->unix_inflight++; | 136 | user->unix_inflight++; |
| 137 | spin_unlock(&unix_gc_lock); | 137 | spin_unlock(&unix_gc_lock); |
| 138 | } | 138 | } |
| 139 | 139 | ||
| 140 | void unix_notinflight(struct file *fp) | 140 | void unix_notinflight(struct user_struct *user, struct file *fp) |
| 141 | { | 141 | { |
| 142 | struct sock *s = unix_get_socket(fp); | 142 | struct sock *s = unix_get_socket(fp); |
| 143 | 143 | ||
| @@ -152,7 +152,7 @@ void unix_notinflight(struct file *fp) | |||
| 152 | list_del_init(&u->link); | 152 | list_del_init(&u->link); |
| 153 | unix_tot_inflight--; | 153 | unix_tot_inflight--; |
| 154 | } | 154 | } |
| 155 | fp->f_cred->user->unix_inflight--; | 155 | user->unix_inflight--; |
| 156 | spin_unlock(&unix_gc_lock); | 156 | spin_unlock(&unix_gc_lock); |
| 157 | } | 157 | } |
| 158 | 158 | ||