[Virtio-fs] [PATCH v2 0/2] virtiofsd: stay under fs.file-max sysctl limit (CVE-2020-10717)
Stefan Hajnoczi
stefanha at redhat.com
Fri May 1 14:06:42 UTC 2020
This patch series introduces the --rlimit-nofile=NUM option for setting the
number of open files on the virtiofsd process. This gives users and management
tools more control over resource limits.
Previously it was possible for FUSE clients on machines with less than ~10 GB
of RAM to exhaust the system-wide open file limit. This is a denial of service
attack against other processes running on the host.
This patch series updates the default RLIMIT_NOFILE calculation to take the
fs.file-max sysctl value into account. This solves the fs.file-max DoS.
Stefan Hajnoczi (2):
virtiofsd: add --rlimit-nofile=NUM option
virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)
tools/virtiofsd/fuse_lowlevel.h | 1 +
tools/virtiofsd/helper.c | 47 ++++++++++++++++++++++++++++++++
tools/virtiofsd/passthrough_ll.c | 22 ++++++---------
3 files changed, 56 insertions(+), 14 deletions(-)
--
2.25.3
More information about the Virtio-fs
mailing list