linux/net
Eric Dumazet 12987cd3a4 af_unix: limit recursion level
[ Upstream commit 25888e3031 ]

It's easy to eat all kernel memory and trigger NMI watchdog, using an
exploit program that queues unix sockets on top of others.

lkml ref : http://lkml.org/lkml/2010/11/25/8

This mechanism is used in applications, one choice we have is to have a
recursion limit.

Other limits might be needed as well (if we queue other types of files),
since the passfd mechanism is currently limited by socket receive queue
sizes only.

Add a recursion_level to unix socket, allowing up to 4 levels.

Each time we send a unix socket through sendfd mechanism, we copy its
recursion level (plus one) to receiver. This recursion level is cleared
when socket receive queue is emptied.

Reported-by: Марк Коренберг <socketpair@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2011-01-07 13:58:26 -08:00
9p Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2010-09-28 12:01:26 -07:00
802 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-04-11 14:53:53 -07:00
8021q vlan: Avoid hwaccel vlan packets when vid not used. 2010-12-09 13:33:29 -08:00
appletalk Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-04-11 14:53:53 -07:00
atm ATM: mpc, fix use after free 2010-10-11 11:05:42 -07:00
ax25 ax25: missplaced sock_put(sk) 2010-08-26 15:18:27 -07:00
bluetooth Bluetooth: fix oops in l2cap_connect_req 2010-11-22 11:03:01 -08:00
bridge bridge: Clear INET control block of SKBs passed into ip_fragment(). 2010-09-01 19:17:34 -07:00
caif caif: fix two caif_connect() bugs 2010-10-05 20:35:53 -07:00
can can-bcm: fix minor heap overflow 2010-12-09 13:33:30 -08:00
core filter: make sure filters dont read uninitialized memory 2010-12-09 13:33:30 -08:00
dcb include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
dccp net: dccp: fix sign bug 2010-07-18 15:07:14 -07:00
decnet DECnet: don't leak uninitialized stack byte 2010-12-09 13:33:19 -08:00
dns_resolver DNS: If the DNS server returns an error, allow that to be cached [ver #2] 2010-08-11 17:11:28 +00:00
dsa phylib: available for any speed ethernet 2010-08-11 23:03:50 -07:00
econet econet: fix CVE-2010-3848 2010-12-09 13:33:32 -08:00
ethernet Net: ethernet: pe2.c: fix EXPORT_SYMBOL macro code style issue 2010-07-14 18:27:09 -07:00
ieee802154 ieee802154: Fix possible NULL pointer dereference in wpan_phy_alloc 2010-05-23 23:11:07 -07:00
ipv4 tcp: protect sysctl_tcp_cookie_size reads 2011-01-07 13:58:26 -08:00
ipv6 net: Fix IPv6 PMTU disc. w/ asymmetric routes 2010-10-03 14:49:00 -07:00
ipx include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
irda irda: Fix heap memory corruption in iriap.c 2010-12-09 13:31:56 -08:00
iucv net: use __packed annotation 2010-06-03 03:21:52 -07:00
key pfkey: add severity to printk 2010-05-17 23:23:13 -07:00
l2tp l2tp: test for ethernet header in l2tp_eth_dev_recv() 2010-08-26 13:29:38 -07:00
lapb include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
llc llc: fix a device refcount imbalance 2011-01-07 13:58:20 -08:00
mac80211 mac80211: Fix BUG in pskb_expand_head when transmitting shared skbs 2011-01-07 13:58:22 -08:00
netfilter netfilter: nf_conntrack: allow nf_ct_alloc_hashtable() to get highmem pages 2010-12-09 13:32:51 -08:00
netlabel net: Remove unnecessary returns from void function()s 2010-05-17 23:23:14 -07:00
netlink netlink: Make NETLINK_USERSOCK work again. 2010-08-31 09:51:37 -07:00
netrom net: sk_sleep() helper 2010-04-20 16:37:13 -07:00
packet packet_mmap: expose hw packet timestamps to network packet capture utilities 2010-06-02 05:53:56 -07:00
phonet Phonet: Correct header retrieval after pskb_may_pull 2010-09-29 19:41:04 -07:00
rds rds: Integer overflow in RDS cmsg handling 2010-12-09 13:33:32 -08:00
rfkill Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2010-04-11 14:53:53 -07:00
rose rose: Fix signedness issues wrt. digi count. 2010-09-20 15:40:35 -07:00
rxrpc Add a dummy printk function for the maintenance of unused printks 2010-08-12 09:51:35 -07:00
sched cls_u32: signedness bug 2010-10-05 00:40:39 -07:00
sctp sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac() 2010-10-03 21:58:49 -07:00
sunrpc sunrpc: prevent use-after-free on clearing XPT_BUSY 2011-01-07 13:58:17 -08:00
tipc tipc: Reduce footprint by un-inlining tipc_msg_* routines 2010-05-12 23:02:29 -07:00
unix af_unix: limit recursion level 2011-01-07 13:58:26 -08:00
wanrouter net: autoconvert trivial BKL users to private mutex 2010-07-12 20:21:47 -07:00
wimax Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-05-20 21:04:44 -07:00
wireless cfg80211: fix extension channel checks to initiate communication 2010-12-09 13:33:33 -08:00
x25 x25: Prevent crashing when parsing bad X.25 facilities 2010-12-09 13:33:30 -08:00
xfrm xfrm: Allow different selector family in temporary state 2010-09-20 11:11:38 -07:00
compat.c net: Limit socket I/O iovec total length to INT_MAX. 2010-12-09 13:33:28 -08:00
Kconfig net: RPS needs to depend upon USE_GENERIC_SMP_HELPERS 2010-09-14 21:42:22 -07:00
Makefile DNS: Separate out CIFS DNS Resolver code 2010-08-05 17:17:51 +00:00
nonet.c
socket.c net: Truncate recvfrom and sendto length to INT_MAX. 2010-12-09 13:33:27 -08:00
sysctl_net.c net: Remove unnecessary returns from void function()s 2010-05-17 23:23:14 -07:00
TUNABLE