Re: [PATCH 1/3] epoll: increase default max_user_instances to 1024

From: Alan Cox
Date: Wed Jan 28 2009 - 06:36:42 EST


> > "A kernel upgrade in a -stable series point release fixed a security DoS"
>
> Alan, that's a complete load of bollocks. It broke common configurations
> of java, postfix and apache on real-world machines, causing significant
> actual denials of service in previously reliable configurations.

It fixed a security DoS. I was merely pointing out that the description
provided before was bogus, incomplete and loaded.

> viable within the code. The DoS works by creating epoll descriptors
> watching other epoll descriptors, which strikes me as a much less
> real-world actual use pattern than a bunch of separate daemons with an
> epoll watcher each.

Deliberate attackers don't have to follow typical usage patterns.

> If it's possible to count watches only if they're added to another epoll
> instance, then we'd have a metric that still catches the N^2 attack, but
> doesn't interact with the common non-attacky use-case.

Agreed entirely.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/