[Virtio-fs] [PATCH v2 0/2] virtiofsd: stay under fs.file-max sysctl limit (CVE-2020-10717)

Dr. David Alan Gilbert dgilbert at redhat.com
Fri May 1 17:42:33 UTC 2020


* Stefan Hajnoczi (stefanha at redhat.com) wrote:
> This patch series introduces the --rlimit-nofile=NUM option for setting the
> number of open files on the virtiofsd process.  This gives users and management
> tools more control over resource limits.
> 
> Previously it was possible for FUSE clients on machines with less than ~10 GB
> of RAM to exhaust the system-wide open file limit.  This is a denial of service
> attack against other processes running on the host.
> 
> This patch series updates the default RLIMIT_NOFILE calculation to take the
> fs.file-max sysctl value into account.  This solves the fs.file-max DoS.

Queued.

> Stefan Hajnoczi (2):
>   virtiofsd: add --rlimit-nofile=NUM option
>   virtiofsd: stay below fs.file-max sysctl value (CVE-2020-10717)
> 
>  tools/virtiofsd/fuse_lowlevel.h  |  1 +
>  tools/virtiofsd/helper.c         | 47 ++++++++++++++++++++++++++++++++
>  tools/virtiofsd/passthrough_ll.c | 22 ++++++---------
>  3 files changed, 56 insertions(+), 14 deletions(-)
> 
> -- 
> 2.25.3
> 
--
Dr. David Alan Gilbert / dgilbert at redhat.com / Manchester, UK
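The mitigation the cover letter describes, deriving the process's RLIMIT_NOFILE from the host's fs.file-max so one FUSE client cannot exhaust the system-wide file table, as an added illustration that is not the code from this series. The headroom policy (use at most one third of fs.file-max), the 1,000,000 default and the function names are assumptions of this example.

```c
/* Added example, not virtiofsd's code: pick an RLIMIT_NOFILE value that
 * stays well below the system-wide fs.file-max sysctl and apply it. */
#include <stdio.h>
#include <sys/resource.h>

#define DEFAULT_WANTED_FDS 1000000UL   /* assumed default, not the project's */

/* Read fs.file-max from procfs; returns 0 if the file is unreadable. */
static unsigned long read_file_max(const char *path)
{
    FILE *f = fopen(path, "r");
    unsigned long v = 0;
    if (!f)
        return 0;
    if (fscanf(f, "%lu", &v) != 1)
        v = 0;
    fclose(f);
    return v;
}

/* Pure policy: never more than wanted, never more than one third of
 * fs.file-max (assumed headroom for the rest of the host), and never
 * above the current hard limit, which an unprivileged process cannot raise.
 * file_max == 0 means "unknown", so the sysctl cap is skipped. */
unsigned long choose_nofile_limit(unsigned long wanted, unsigned long file_max,
                                  rlim_t hard_cap)
{
    unsigned long limit = wanted;
    if (file_max > 0 && limit > file_max / 3)
        limit = file_max / 3;
    if (hard_cap != RLIM_INFINITY && (rlim_t)limit > hard_cap)
        limit = (unsigned long)hard_cap;
    return limit;
}

/* Apply the computed soft limit; returns 0 on success, -1 on failure. */
int apply_nofile_limit(unsigned long wanted)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    unsigned long file_max = read_file_max("/proc/sys/fs/file-max");
    rl.rlim_cur = choose_nofile_limit(wanted, file_max, rl.rlim_max);
    return setrlimit(RLIMIT_NOFILE, &rl) == 0 ? 0 : -1;
}

int main(void)
{
    return apply_nofile_limit(DEFAULT_WANTED_FDS) == 0 ? 0 : 1;
}
```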