[systemd-devel] [PATCH] [RFC] [WIP] [kdbus] Attempt to recursively pass fd

Daniel Mack daniel at zonque.org
Mon Sep 15 14:53:56 PDT 2014


Hi Alban,

Sorry for the long delay on this.

On 08/14/2014 01:21 PM, Alban Crequy wrote:
> Before Linux commit 25888e (from 2.6.37-rc4, Nov 2010), fd-passing on Unix
> sockets could recursively be stacked, allowing a process to exhaust the open
> files limit (/proc/sys/fs/file-max) on the system without restriction from
> ulimit -n.
> 
> This DoS on Unix sockets was fixed by commit:
> 
>> commit 25888e30319f8896fc656fc68643e6a078263060
>> Author: Eric Dumazet <eric.dumazet at gmail.com>
>> Date:   Thu Nov 25 04:11:39 2010 +0000
>>
>>     af_unix: limit recursion level
> 
> But that commit introduced a bug in dbus:
> https://bugs.freedesktop.org/show_bug.cgi?id=80163
> 
> kdbus does not use fd-passing on Unix sockets so it is not affected by this.
> 
> However, it allows fd-passing similarly. This patch shows it is possible to
> recursively pass file descriptors in kdbus and stack them without keeping them
> attached to the initial process. I could stack passed fds 256 times, probably
> because of the limit KDBUS_USER_MAX_CONN:

I finally found some time to look into this, and added a patch that
disallows passing kdbus handles over kdbus handles. Such an attempt now
returns -ELOOP.

We might eventually allow this once we have a generic GC implementation
for file descriptors (currently, there's only one, and that one only
works for unix domain sockets). For now, we'll also need something that
disallows passing kdbus handles over UDS.

I also added a test to the suite to check for this behaviour. I borrowed
some code from you test case for this. Care to check wheter that seems
alright to you?

Many thanks for the heads-up!


Daniel


More information about the systemd-devel mailing list