[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-1
From: |
Michael Roth |
Subject: |
[PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717) |
Date: |
Thu, 3 Sep 2020 15:58:39 -0500 |
From: Stefan Hajnoczi <stefanha@redhat.com>
The system-wide fs.file-max sysctl value determines how many files can
be open. It defaults to a value calculated based on the machine's RAM
size. Previously virtiofsd would try to set RLIMIT_NOFILE to 1,000,000
and this allowed the FUSE client to exhaust the number of open files
system-wide on Linux hosts with less than 10 GB of RAM!
Take fs.file-max into account when choosing the default RLIMIT_NOFILE
value.
Fixes: CVE-2020-10717
Reported-by: Yuval Avrahami <yavrahami@paloaltonetworks.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Message-Id: <20200501140644.220940-3-stefanha@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
(cherry picked from commit 8c1d353d107b4fc344e27f2f08ea7fa25de2eea2)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
---
tools/virtiofsd/helper.c | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c
index dc59f38af0..00a1ef666a 100644
--- a/tools/virtiofsd/helper.c
+++ b/tools/virtiofsd/helper.c
@@ -176,7 +176,8 @@ void fuse_cmdline_help(void)
" default: no_xattr\n"
" --rlimit-nofile=<num> set maximum number of file
descriptors\n"
" (0 leaves rlimit unchanged)\n"
- " default: 1,000,000 if the current
rlimit is lower\n"
+ " default: min(1000000, fs.file-max -
16384)\n"
+ " if the current rlimit is
lower\n"
);
}
@@ -199,9 +200,32 @@ static int fuse_helper_opt_proc(void *data, const char
*arg, int key,
static unsigned long get_default_rlimit_nofile(void)
{
+ g_autofree gchar *file_max_str = NULL;
+ const rlim_t reserved_fds = 16384; /* leave at least this many fds free */
rlim_t max_fds = 1000000; /* our default RLIMIT_NOFILE target */
+ rlim_t file_max;
struct rlimit rlim;
+ /*
+ * Reduce max_fds below the system-wide maximum, if necessary. This
+ * ensures there are fds available for other processes so we don't
+ * cause resource exhaustion.
+ */
+ if (!g_file_get_contents("/proc/sys/fs/file-max", &file_max_str,
+ NULL, NULL)) {
+ fuse_log(FUSE_LOG_ERR, "can't read /proc/sys/fs/file-max\n");
+ exit(1);
+ }
+ file_max = g_ascii_strtoull(file_max_str, NULL, 10);
+ if (file_max < 2 * reserved_fds) {
+ fuse_log(FUSE_LOG_ERR,
+ "The fs.file-max sysctl is too low (%lu) to allow a "
+ "reasonable number of open files.\n",
+ (unsigned long)file_max);
+ exit(1);
+ }
+ max_fds = MIN(file_max - reserved_fds, max_fds);
+
if (getrlimit(RLIMIT_NOFILE, &rlim) < 0) {
fuse_log(FUSE_LOG_ERR, "getrlimit(RLIMIT_NOFILE): %m\n");
exit(1);
--
2.17.1
- [PATCH 12/77] 9pfs: include linux/limits.h for XATTR_SIZE_MAX, (continued)
- [PATCH 12/77] 9pfs: include linux/limits.h for XATTR_SIZE_MAX, Michael Roth, 2020/09/03
- [PATCH 15/77] xen/9pfs: yield when there isn't enough room on the ring, Michael Roth, 2020/09/03
- [PATCH 14/77] Revert "9p: init_in_iov_from_pdu can truncate the size", Michael Roth, 2020/09/03
- [PATCH 16/77] ati-vga: check mm_index before recursive call (CVE-2020-13800), Michael Roth, 2020/09/03
- [PATCH 18/77] Fix tulip breakage, Michael Roth, 2020/09/03
- [PATCH 17/77] es1370: check total frame count against current frame, Michael Roth, 2020/09/03
- [PATCH 19/77] iotests/283: Use consistent size for source and target, Michael Roth, 2020/09/03
- [PATCH 20/77] virtiofsd: add --rlimit-nofile=NUM option, Michael Roth, 2020/09/03
- [PATCH 01/77] hostmem: don't use mbind() if host-nodes is empty, Michael Roth, 2020/09/03
- [PATCH 21/77] virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717),
Michael Roth <=
- [PATCH 23/77] KVM: x86: believe what KVM says about WAITPKG, Michael Roth, 2020/09/03
- [PATCH 22/77] net: use peer when purging queue in qemu_flush_or_purge_queue_packets(), Michael Roth, 2020/09/03
- [PATCH 24/77] aio-posix: don't duplicate fd handler deletion in fdmon_io_uring_destroy(), Michael Roth, 2020/09/03
- [PATCH 25/77] aio-posix: disable fdmon-io_uring when GSource is used, Michael Roth, 2020/09/03
- [PATCH 26/77] linux-user/strace.list: fix epoll_create{, 1} -strace output, Michael Roth, 2020/09/03
- [PATCH 28/77] libqos: pci-pc: use 32-bit write for EJ register, Michael Roth, 2020/09/03
- [PATCH 27/77] libqos: usb-hcd-ehci: use 32-bit write for config register, Michael Roth, 2020/09/03
- [PATCH 29/77] memory: Revert "memory: accept mismatching sizes in memory_region_access_valid", Michael Roth, 2020/09/03
- [PATCH 02/77] target/arm: Clear tail in gvec_fmul_idx_*, gvec_fmla_idx_*, Michael Roth, 2020/09/03
- [PATCH 32/77] acpi: accept byte and word access to core ACPI registers, Michael Roth, 2020/09/03