Re: Local DoS on single_open?

From: Keith Owens
Date: Thu Sep 11 2003 - 02:28:14 EST

Next message: viro: "Re: Local DoS on single_open?"
Previous message: Wiktor Wodecki: "Re: 2.6.0-test5-mm1"
In reply to: viro: "Re: Local DoS on single_open?"
Next in thread: viro: "Re: Local DoS on single_open?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 11 Sep 2003 05:55:07 +0100,
viro@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx wrote:
>On Thu, Sep 11, 2003 at 02:42:13PM +1000, Keith Owens wrote:
>> single_open() requires the kernel to kmalloc a buffer which lives until
>> the userspace caller closes the file. What prevents a malicious user
>> opening the same /proc entry multiple times, allocating lots of kmalloc
>> space and causing a local DoS?
>
>Size of that buffer is limited. IOW, it's not different from opening
>e.g. a shitload of pipes or sockets.

In some cases, the buffer size is set to hold _all_ of the output for
that particular /proc file and will be much larger than the data
reserved for files and sockets. It is a difference in scale.

fs/proc/proc_misc.c stat_open
fs/proc/proc_misc.c interrupts_open
kernel/dma.c proc_dma_open

All those functions will kmalloc a reasonably sized buffer then let the
user control the lifetime of that buffer. Looks like a recipe for a
local DoS to me.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: viro: "Re: Local DoS on single_open?"
Previous message: Wiktor Wodecki: "Re: 2.6.0-test5-mm1"
In reply to: viro: "Re: Local DoS on single_open?"
Next in thread: viro: "Re: Local DoS on single_open?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]