Bug 10878

Summary: [security] VFS: DoSsable by user by holding open many /proc/$pid directories
Product: File System Reporter: Sami Liedes (sami.liedes)
Component: VFSAssignee: fs_vfs
Status: CLOSED PATCH_ALREADY_AVAILABLE    
Severity: blocking CC: adobriyan, akpm, oleg
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.25.4 Subsystem:
Regression: Yes Bisected commit-id:
Attachments: Test case

Description Sami Liedes 2008-06-06 14:36:23 UTC 
Latest working kernel version: 2.6.18 possibly works, at least could not reproduce on one 2.6.18 machine
Earliest failing kernel version:
Distribution: Debian sid (unstable)
Hardware Environment: x86 qemu
Software Environment: Minimal Debian sid (unstable)
Problem Description:

A BUG() in the VFS code can be hit by a user, even with strict ulimits I believe, forking new processes, opening the /proc/$pid directories for them and then killing and wait()ing for the processes. A single process can only hold open 1021 or so such directories, so several need to be run in order to do this (15 seems to be enough). The attached program forks 15 processes that all do this.

I'm not actually sure this is anything very /proc related, but this is what I did to trigger the crash.

First, I get "VFS: file-max limit 11682 reached" in the dmesg. Then simply typing ls in /root directory gives me the BUG().

Here's dmesg output:

----------
VFS: file-max limit 11682 reached
------------[ cut here ]------------
kernel BUG at fs/inode.c:1156!
invalid opcode: 0000 [#1]

Pid: 661, comm: bash Not tainted (2.6.25.4 #3)
EIP: 0060:[<c026f4b1>] EFLAGS: 00000246 CPU: 0
EIP is at iput+0x67/0x6b
EAX: c054cca0 EBX: c7420000 ECX: 00000001 EDX: 00000000
ESI: c60a6ab0 EDI: ffffffe9 EBP: c7afff58 ESP: c7afff54
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process bash (pid: 661, ti=c7afe000 task=c7af2ea0 task.ti=c7afe000)
Stack: c7420000 c7afff7c c02631ae c054c880 00000000 00000000 c05c8aa5 080ee9ac
       c7afffa0 bfef1458 c7afff98 c02631e1 c7afffa0 00000000 080ee9ac c7afffa0
       bfef1458 c7afffb0 c0205bb3 c7afffb0 c0207d88 080ee9ac 00000000 c7afe000
Call Trace:
 [<c02631ae>] ? create_write_pipe+0x13d/0x15f
 [<c02631e1>] ? do_pipe+0x11/0xac
 [<c0205bb3>] ? sys_pipe+0x12/0x3b
 [<c0207d88>] ? do_syscall_trace+0x8c/0xf9
 [<c0202cd2>] ? syscall_call+0x7/0xb
 =======================
Code: 00 85 c0 74 23 8b 83 04 01 00 00 8b 40 20 ba 4b 03 27 c0 85 c0 74 0d 8b 50 14 85 d2 b8 4b 03 27 c0 0f 44 d0 89 d8 ff d2 5b 5d c3 <0f> 0b eb fe 55 89 e5 56 53 83 ec 1c 8d 88 0c 02 00 00 8b 15 00
EIP: [<c026f4b1>] iput+0x67/0x6b SS:ESP 0068:c7afff54
---[ end trace 17ba5b2f93203a5e ]---
----------

Steps to reproduce:

1. Compile the attached program dos2.c with gcc dos2.c -o dos2 -O2
2. Run the program on the target computer as a normal user
3. Wait several seconds or more, depending on the speed of your computer, until the VFS error appears in dmesg
4. Type "ls". You should get the BUG().
Comment 1 Sami Liedes 2008-06-06 14:37:34 UTC 
Created attachment 16418 [details]
Test case
Comment 2 Andrew Morton 2008-06-06 15:32:26 UTC 
hm, well that's pretty sad.

Alexey, Oleg: would one of you be able to take a look please?
Comment 3 Oleg Nesterov 2008-06-07 08:57:23 UTC 
On 06/06, bugme-daemon@bugzilla.kernel.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=10878

Can't reproduce on 2.6.26-rc2 ...

I doubt this is related to the proc management, looks like
the pipe inode was killed twice?

Sami, could you try to reproduce this BUG whith another test?
Say, just open "/dev/null" until "VFS: file-max limit %d reached",
and then ls.

For example,

	$ su -c 'echo 512 >> /proc/sys/fs/file-max'
	$ $ perl -le 'for (;;) { open my $fd, "</dev/null" or last; push @_, $fd; } print 0+@_," $!"; sleep;'

and, on another console

	$ ls

Oleg.
Comment 4 Oleg Nesterov 2008-06-07 09:17:53 UTC 
On 06/07, Oleg Nesterov wrote:
>
> On 06/06, bugme-daemon@bugzilla.kernel.org wrote:
> >
> > http://bugzilla.kernel.org/show_bug.cgi?id=10878
> 
> Can't reproduce on 2.6.26-rc2 ...
> 
> I doubt this is related to the proc management, looks like
> the pipe inode was killed twice?

Aha.

Could you re-test with this

	[PATCH] double-free of inode on alloc_file() failure exit in create_write_pipe()
	http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=ed1524371716466e9c762808b02601d0d0276a92

patch? it looks very promising...

Oleg.
Comment 5 Sami Liedes 2008-06-07 09:29:04 UTC 
Your perl script crashes too.

Now testing with that patch.
Comment 6 Sami Liedes 2008-06-07 09:34:44 UTC 
Yes, that patch fixes the issue.
Comment 7 Oleg Nesterov 2008-06-07 09:50:16 UTC 
On 06/07, bugme-daemon@bugzilla.kernel.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=10878
>
> ------- Comment #6 from sliedes@cc.hut.fi  2008-06-07 09:34 -------
> Yes, that patch fixes the issue.

Thanks a lot!

Please close this BUG. May I suggest you to send that patch to
stable@kernel.org ?

Oleg.
Comment 8 Sami Liedes 2008-06-07 10:23:38 UTC 
Ok, I'll do that.