Re: [PATCH 4/4] ipc/mqueue: update maximums for the mqueue subsystem

From: KOSAKI Motohiro
Date: Mon Oct 24 2011 - 21:01:36 EST


2011/9/27 Doug Ledford <dledford@xxxxxxxxxx>:
> Commit b231cca4381ee15ec99afbfb244fbc0324869927 changed
> the maximum size of a message in a message queue from
> INT_MAX to 8192*128.  Unfortunately, we had customers
> that relied on a size much larger than 8192*128 on their
> production systems.  After reviewing POSIX, we found that
> it is silent on the maximum message size.  We did find
> a couple other areas in which it was not silent.  Fix up
> the mqueue maximums so that the customer's system can
> continue to work, and document both the POSIX and real
> world requirements in ipc_namespace.h so that we don't
> have this issue crop back up.
>
> Also, commit 9cf18e1dd74cd0061d58ac55029784ca3dd88f6a
> fiddled with HARD_MSGMAX without realizing that the
> number was intentionally in place to limit the msg
> queue depth to one that was small enough to kmalloc
> an array of pointers (hence why we divided 128k by
> sizeof(long)).  If we wish to meet POSIX requirements,
> we have no choice but to change our allocation to
> a vmalloc instead (at least for the large queue size
> case).  With that, it's possible to increase our
> allowed maximum to the POSIX requirements (or more if
> we choose).
>
> Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
> ---
>  include/linux/ipc_namespace.h |   47 ++++++++++++++++++++++++++++++----------
>  ipc/mqueue.c                  |   10 +++++++-
>  2 files changed, 43 insertions(+), 14 deletions(-)
>
> diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
> index bde094e..ceeef68 100644
> --- a/include/linux/ipc_namespace.h
> +++ b/include/linux/ipc_namespace.h
> @@ -90,18 +90,41 @@ static inline void shm_destroy_orphaned(struct ipc_namespace *ns) {}
>
>  #ifdef CONFIG_POSIX_MQUEUE
>  extern int mq_init_ns(struct ipc_namespace *ns);
> -/* default values */
> -#define MIN_QUEUESMAX  1
> -#define DFLT_QUEUESMAX 256     /* max number of message queues */
> -#define HARD_QUEUESMAX 1024
> -#define MIN_MSGMAX     1
> -#define DFLT_MSG       10U
> -#define DFLT_MSGMAX    10      /* max number of messages in each queue */
> -#define HARD_MSGMAX    (32768*sizeof(void *)/4)
> -#define MIN_MSGSIZEMAX  128
> -#define DFLT_MSGSIZE    8192U
> -#define DFLT_MSGSIZEMAX 8192   /* max message size */
> -#define HARD_MSGSIZEMAX (8192*128)
> +/*
> + * POSIX Message Queue default values:
> + *
> + * MIN_*: Lowest value an admin can set the maximum unprivileged limit to
> + * DFLT_*MAX: Default values for the maximum unprivileged limits
> + * DFLT_{MSG,MSGSIZE}: Default values used when the user doesn't supply
> + *   an attribute to the open call and the queue must be created
> + * HARD_*: Highest value the maximums can be set to.  These are enforced
> + *   on CAP_SYS_RESOURCE apps as well making them inviolate (so make them
> + *   suitably high)
> + *
> + * POSIX Requirements:
> + *   Per app minimum openable message queues - 8.  This does not map well
> + *     to the fact that we limit the number of queues on a per namespace
> + *     basis instead of a per app basis.  So, make the default high enough
> + *     that no given app should have a hard time opening 8 queues.
> + *   Minimum maximum for HARD_MSGMAX - 32767.  I bumped this to 65536.
> + *   Minimum maximum for HARD_MSGSIZEMAX - POSIX is silent on this.  However,
> + *     we have run into a situation where running applications in the wild
> + *     require this to be at least 5MB, and preferably 10MB, so I set the
> + *     value to 16MB in hopes that this user is the worst of the bunch and
> + *     the new maximum will handle anyone else.  I may have to revisit this
> + *     in the future.
> + */
> +#define MIN_QUEUESMAX                  1
> +#define DFLT_QUEUESMAX               256
> +#define HARD_QUEUESMAX              1024
> +#define MIN_MSGMAX                     1
> +#define DFLT_MSG                      64U
> +#define DFLT_MSGMAX                 1024
> +#define HARD_MSGMAX                65536
> +#define MIN_MSGSIZEMAX               128
> +#define DFLT_MSGSIZE                8192U
> +#define DFLT_MSGSIZEMAX                1024*1024
> +#define HARD_MSGSIZEMAX             16*1024*1024

NAK.
To change hard coded limit is safe and we should restore
pre b231cca438 value.
However, to increase DFLT_*MAX is wrong idea. mqueue data can't
be swapped out. Thus, this patch increase a chance fo DoS attack
by unprivileged user.

You have to change only HARD_*MAX.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/