From owner-freebsd-security Fri Sep 24 7: 4:18 1999 Delivered-To: freebsd-security@freebsd.org Received: from ady.warpnet.ro (ady.warpnet.ro [194.102.224.1]) by hub.freebsd.org (Postfix) with ESMTP id C4621150E5 for ; Fri, 24 Sep 1999 07:04:02 -0700 (PDT) (envelope-from ady@freebsd.ady.ro) Received: from localhost (ady@localhost) by ady.warpnet.ro (8.9.3/8.9.3) with ESMTP id RAA36387; Fri, 24 Sep 1999 17:02:25 +0300 (EEST) (envelope-from ady@freebsd.ady.ro) Date: Fri, 24 Sep 1999 17:02:25 +0300 (EEST) From: Adrian Penisoara X-Sender: ady@ady.warpnet.ro To: "Charles M. Hannum" Cc: BUGTRAQ@SECURITYFOCUS.COM, freebsd-security@FreeBSD.org Subject: Re: FreeBSD-specific denial of service In-Reply-To: <199909211950.PAA09009@bill-the-cat.mit.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, On Tue, 21 Sep 1999, Charles M. Hannum wrote: > [Resending once, since it's been 10.5 days...] > > Here's an interesting denial-of-service attack against FreeBSD >=3.0 > systems. It abuses a flaw in the `new' FreeBSD vfs_cache.c; it has no > way to purge entries unless the `vnode' (e.g. the file) they point to > is removed from memory -- which generally doesn't happen unless a > certain magic number of `vnodes' is in use, and never happens when the > `vnode' (i.e. file) is open. Thus it's possible to chew up an > arbitrary amount of wired kernel memory relatively simply. > Seems to be fixed in CVS version 1.38.2.3 of vfs_cache.c for RELENG_3 branch (meaning 3.3-STABLE) -- could you please check again ? Commit log: Limit aliases to a vnode in the namecache to a sysctl tunable 'vfs.cache.maxaliases'. This protects against a DoS via thousands of hardlinks to a file wiring down all kernel memory. Ady (@freebsd.ady.ro) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message