Date: Tue, 8 Apr 2014 15:38:27 +0300 From: Konstantin Belousov <kostikbel@gmail.com> To: Mateusz Guzik <mjguzik@gmail.com> Cc: freebsd-hackers@freebsd.org, Eduardo Morras <emorrasg@yahoo.es> Subject: Re: pipe() resource exhaustion Message-ID: <20140408123827.GW21331@kib.kiev.ua> In-Reply-To: <20140408121222.GB30326@dft-labs.eu> References: <lhu0jv$r6n$1@ger.gmane.org> <ab57e60fcc1c1438fcca500e3c594d35@mail.feld.me> <20140408130206.e75f3bf6c6df28b6e4839e70@yahoo.es> <20140408121222.GB30326@dft-labs.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
--xWiEbTquLUstXc+R Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 08, 2014 at 02:12:22PM +0200, Mateusz Guzik wrote: > On Tue, Apr 08, 2014 at 01:02:06PM +0200, Eduardo Morras wrote: > > On Mon, 7 Apr 2014 07:25:22 -0500 > > Mark Felder <feld@freebsd.org> wrote: > >=20 > > > On 2014-04-07 06:02, Ivan Voras wrote: > > > > Hello, > > > >=20 > > > > Last time I mentioned this it didn't get any attention, so I'll try > > > > again. By accident (via a buggy synergy server process) I found > > > > that a simple userland process can exhaust kernel pipe memory=20 > > > > (kern.ipc.pipekva > > > > sysctl) which as a consequence has that new processes which use pipe > > > > cannot be started, which includes "su", by which an administrator > > > > could kill such a process. > > > >=20 > > >=20 > > > That's a pretty painful local denial of service :( > >=20 > > Yes it is. Perhaps there should be 8% fd reserved for root, su and setu= id family syscalls like in filesystem space or postgresql reserved connecti= ons for db admin. > >=20 >=20 > There is an fd reserve already. Report talks about problems with > creating a new *pipe*, not any fd in general. >=20 > That said, supporting a reserve for this one sounds like a good idea and > not that hard to implement - one can either play with atomics and double > check or just place a mutex-protected check in pipespace_new (before > vm_map_find). >=20 > I implemented the second one, which turned out to be surprisingly ugly. > For now it abuses PRIV_MAXPROC and has a reserve taken out of the blue. >=20 > Thoughts? >=20 =2E.. I think more reasonable behaviour there is to just fall back to the buffered pipe if the direct buffer allocation fails. Look at the pipespace_new() calls in the pipe_create(); probably ignoring the error would do the trick. --xWiEbTquLUstXc+R Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iQIcBAEBAgAGBQJTQ+3CAAoJEJDCuSvBvK1BqH0P+wQnsyeovvCZQzO4/YXTPpfH Y35lDNoBNwNVIoCopU6WjGQem5yjIURiIyqTcdtcE9Dlsxn9+Z+5ocJng/cCVXZV 5zySaqHnenKmQOlBo0GmQmutxa7++cwNaG4q3iFKhoLJtgmD9gTVzlja2S/oZt7h 9KImUdV2SQo0AljLfxMD2Egi064B0w4vyO8Yy3sjZ8XqooRaxPgIdKL+u0GKtshI EZ9o1JRnyljEJtSt948+scwclIx5EnNfbdn7P2+a4Mt1aBk2rvpZZyi6bpTJIxL8 xsKB1ZSxV3BkiQXWuWCgAofFamx8B4z/XA0JSxdsrO6K/OgaVyqHfxPpBakYMn1t HBxfW/Q8ea6RmF8c0QQMJVjf96eAxMK8pmoBdsYSDHrPGmS9f2G+pVpuGKvDrpnr mXlcymjcoANvz8AOOdNzpC5coMpCnpfaAoaKrIU0hW6i0rWQ1N3OB8nlPJdnk0xG z8TSD0E4Kh6LRUze92bhRrTHL5yo2dHF+dgf4DlTShATpT1b8Y9bhBk+s2adL8Kg xUsCaPPt9YjoSiMVhF69LeWnzHVkDJjfNSAY9JQPIvuqOSDpiDvYw9b2togA0/EO BctLgpp2eUOiPWEldQneBURGgHYGQK+QdwOinnIstcYR3NxqqDLxhbwl5+ugirDh T4T+rsFB0TUsjWUeKOhg =bAAf -----END PGP SIGNATURE----- --xWiEbTquLUstXc+R--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140408123827.GW21331>