From owner-freebsd-security  Fri Sep 24  7:34: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id D63F014CCB
	for <freebsd-security@FreeBSD.ORG>; Fri, 24 Sep 1999 07:34:00 -0700 (PDT)
	(envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id HAA04679;
	Fri, 24 Sep 1999 07:33:28 -0700
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com"
 via SMTP by point.osg.gov.bc.ca, id smtpda04677; Fri Sep 24 07:33:11 1999
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.9.3/8.9.1) id HAA63586;
	Fri, 24 Sep 1999 07:33:04 -0700 (PDT)
Message-Id: <199909241433.HAA63586@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdb63581; Fri Sep 24 07:32:40 1999
X-Mailer: exmh version 2.0.2 2/24/98
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-OS: FreeBSD 3.3-RELEASE
X-Sender: cy
To: Adrian Penisoara <ady@freebsd.ady.ro>
Cc: "Charles M. Hannum" <root@IHACK.NET>, BUGTRAQ@SECURITYFOCUS.COM,
	freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD-specific denial of service 
In-reply-to: Your message of "Fri, 24 Sep 1999 17:02:25 +0300."
             <Pine.BSF.4.10.9909241652530.35644-100000@ady.warpnet.ro> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 24 Sep 1999 07:32:40 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <Pine.BSF.4.10.9909241652530.35644-100000@ady.warpnet.ro>, 
Adrian Pe
nisoara writes:
> Hi,
> 
> On Tue, 21 Sep 1999, Charles M. Hannum wrote:
> 
> > [Resending once, since it's been 10.5 days...]
> > 
> > Here's an interesting denial-of-service attack against FreeBSD >=3.0
> > systems.  It abuses a flaw in the `new' FreeBSD vfs_cache.c; it has no
> > way to purge entries unless the `vnode' (e.g. the file) they point to
> > is removed from memory -- which generally doesn't happen unless a
> > certain magic number of `vnodes' is in use, and never happens when the
> > `vnode' (i.e. file) is open.  Thus it's possible to chew up an
> > arbitrary amount of wired kernel memory relatively simply.
> > 
> 
>  Seems to be fixed in CVS version 1.38.2.3 of vfs_cache.c for RELENG_3
> branch (meaning 3.3-STABLE) -- could you please check again ?
> 
>  Commit log:
> 
>    Limit aliases to a vnode in the namecache to a sysctl tunable
>    'vfs.cache.maxaliases'. This protects against a DoS via thousands of
>    hardlinks to a file wiring down all kernel memory.

In other words this has been fixed in 3.3-RELEASE.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
                      "e**(i*pi)+1=0"





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message