Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 1 Mar 2016 12:09:54 -0500 (EST)
From: Vladis Dronov <vdronov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE request -- linux kernel: pipe: limit the per-user amount of
 pages allocated in pipes

Hello,

If possible, we would like to obtain a CVE-ID for the flaw currently
handled in the upstream commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=759c01142a5d0f364a462346168a56de28a80f52

The commit says: "Mitigates: CVE-2013-4312 (Linux 2.0+)", but it looks
like CVE-2013-4312 is for the different, though similar flaw which was
addressed recently:

"The Linux kernel before 4.4.1 allows local users to bypass file-
descriptor limits and cause a denial of service (memory consumption)
by sending each descriptor over a UNIX socket before closing it,
related to net/unix/af_unix.c and net/unix/garbage.c."
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4312

As the root cause of this flaw is different (unrestricted kernel memory
allocation for pipes) I believe another CVE id is needed.

Description:

On no-so-small systems, it is possible for a single process to cause an OOM condition
by filling large pipes with data that are never read. A typical process filling 4096
pipes with 1 MB of data will use 4 GB of memory. On small systems it may be tricky to
set the pipe max size to prevent this from happening. The result is an OOM condition
and oom-killer is not able to help much, as the memory for the pipe data is a kernel
memory and a memory footprint of offensive processes is small. 

Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=759c01142a5d0f364a462346168a56de28a80f52

Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1313428

Discussion threads:
https://www.spinics.net/lists/linux-fsdevel/msg92912.html | https://lkml.org/lkml/2015/12/28/150
https://www.spinics.net/lists/linux-fsdevel/msg93317.html | https://lkml.org/lkml/2016/1/11/310
https://www.spinics.net/lists/linux-fsdevel/msg93601.html | https://lkml.org/lkml/2016/1/18/171

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ