oss-sec mailing list archives
CVE request -- linux kernel: pipe: limit the per-user amount of pages allocated in pipes
From: Vladis Dronov <vdronov () redhat com>
Date: Tue, 1 Mar 2016 12:09:54 -0500 (EST)
Hello, If possible, we would like to obtain a CVE-ID for the flaw currently handled in the upstream commit: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=759c01142a5d0f364a462346168a56de28a80f52 The commit says: "Mitigates: CVE-2013-4312 (Linux 2.0+)", but it looks like CVE-2013-4312 is for the different, though similar flaw which was addressed recently: "The Linux kernel before 4.4.1 allows local users to bypass file- descriptor limits and cause a denial of service (memory consumption) by sending each descriptor over a UNIX socket before closing it, related to net/unix/af_unix.c and net/unix/garbage.c." https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4312 As the root cause of this flaw is different (unrestricted kernel memory allocation for pipes) I believe another CVE id is needed. Description: On no-so-small systems, it is possible for a single process to cause an OOM condition by filling large pipes with data that are never read. A typical process filling 4096 pipes with 1 MB of data will use 4 GB of memory. On small systems it may be tricky to set the pipe max size to prevent this from happening. The result is an OOM condition and oom-killer is not able to help much, as the memory for the pipe data is a kernel memory and a memory footprint of offensive processes is small. Upstream patch: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=759c01142a5d0f364a462346168a56de28a80f52 Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1313428 Discussion threads: https://www.spinics.net/lists/linux-fsdevel/msg92912.html | https://lkml.org/lkml/2015/12/28/150 https://www.spinics.net/lists/linux-fsdevel/msg93317.html | https://lkml.org/lkml/2016/1/11/310 https://www.spinics.net/lists/linux-fsdevel/msg93601.html | https://lkml.org/lkml/2016/1/18/171 Best regards, Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Current thread:
- CVE request -- linux kernel: pipe: limit the per-user amount of pages allocated in pipes Vladis Dronov (Mar 01)
- Re: CVE request -- linux kernel: pipe: limit the per-user amount of pages allocated in pipes cve-assign (Mar 02)
- Re: CVE request -- linux kernel: pipe: limit the per-user amount of pages allocated in pipes cve-assign (Mar 06)
- Re: CVE request -- linux kernel: pipe: limit the per-user amount of pages allocated in pipes Vladis Dronov (Mar 07)