review.tizen.org Git - profile/mobile/platform/kernel/linux-3.10-sc7730.git/commit

unix: correctly track in-flight fds in sending process user_struct

commit 415e3d3e90ce9e18727e8843ae343eda5a58fad6 upstream.

The commit referenced in the Fixes tag incorrectly accounted the number
of in-flight fds over a unix domain socket to the original opener
of the file-descriptor. This allows another process to arbitrary
deplete the original file-openers resource limit for the maximum of
open files. Instead the sending processes and its struct cred should
be credited.

To do so, we add a reference counted struct user_struct pointer to the
scm_fp_list and use it to account for the number of inflight unix fds.

Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
Reported-by: David Herrmann <dh.herrmann@gmail.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2016-2550]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ie910123cbb56fe4558c2e7ca1cbc0302e9ba07ea

author	Hannes Frederic Sowa <hannes@stressinduktion.org>
	Wed, 3 Feb 2016 01:11:03 +0000 (02:11 +0100)
committer	Seung-Woo Kim <sw0312.kim@samsung.com>
	Wed, 11 Oct 2017 10:53:39 +0000 (19:53 +0900)
commit	0dafb60f4bab3162366bd2a67a9dfac4adddf65e
tree	5bd35a8d8ff4ef67e5d5b7d10a440a1024fbefa8	tree \| snapshot
parent	93bb3b023e9b420b7e3c13956c24a2aaea5e79f2	commit \| diff

include/net/af_unix.h		diff \| blob \| history
include/net/scm.h		diff \| blob \| history
net/core/scm.c		diff \| blob \| history
net/unix/af_unix.c		diff \| blob \| history
net/unix/garbage.c		diff \| blob \| history