mbox series

[v2,0/2] virtiofsd: stay under fs.file-max sysctl limit (CVE-2020-10717)

Message ID 20200501140644.220940-1-stefanha@redhat.com
Headers show
Series virtiofsd: stay under fs.file-max sysctl limit (CVE-2020-10717) | expand

Message

Stefan Hajnoczi May 1, 2020, 2:06 p.m. UTC
This patch series introduces the --rlimit-nofile=NUM option for setting the
number of open files on the virtiofsd process.  This gives users and management
tools more control over resource limits.

Previously it was possible for FUSE clients on machines with less than ~10 GB
of RAM to exhaust the system-wide open file limit.  This is a denial of service
attack against other processes running on the host.

This patch series updates the default RLIMIT_NOFILE calculation to take the
fs.file-max sysctl value into account.  This solves the fs.file-max DoS.

Stefan Hajnoczi (2):
  virtiofsd: add --rlimit-nofile=NUM option
  virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)

 tools/virtiofsd/fuse_lowlevel.h  |  1 +
 tools/virtiofsd/helper.c         | 47 ++++++++++++++++++++++++++++++++
 tools/virtiofsd/passthrough_ll.c | 22 ++++++---------
 3 files changed, 56 insertions(+), 14 deletions(-)

-- 
2.25.3