Date:      Fri, 24 Sep 1999 07:35:06 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        freebsd-current@freebsd.org
Subject:   Re: FreeBSD-specific denial of service
Message-ID:  <199909241436.HAA63605@cwsys.cwsent.com>

The following is from BUGTRAQ.  There's a fix for -stable, though there 
is none for -current.  Is -current vulnerable?


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC            
                      "e**(i*pi)+1=0"


------- Forwarded Message

Date: Fri, 24 Sep 1999 17:02:25 +0300 (EEST)
From: Adrian Penisoara <ady@freebsd.ady.ro>
To: "Charles M. Hannum" <root@IHACK.NET>
Cc: BUGTRAQ@SECURITYFOCUS.COM, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD-specific denial of service
In-Reply-To: <199909211950.PAA09009@bill-the-cat.mit.edu>
Message-ID: <Pine.BSF.4.10.9909241652530.35644-100000@ady.warpnet.ro>

Hi,

On Tue, 21 Sep 1999, Charles M. Hannum wrote:

> [Resending once, since it's been 10.5 days...]
> 
> Here's an interesting denial-of-service attack against FreeBSD >=3.0
> systems.  It abuses a flaw in the `new' FreeBSD vfs_cache.c; it has no
> way to purge entries unless the `vnode' (e.g. the file) they point to
> is removed from memory -- which generally doesn't happen unless a
> certain magic number of `vnodes' is in use, and never happens when the
> `vnode' (i.e. file) is open.  Thus it's possible to chew up an
> arbitrary amount of wired kernel memory relatively simply.
> 

 Seems to be fixed in CVS version 1.38.2.3 of vfs_cache.c for RELENG_3
branch (meaning 3.3-STABLE) -- could you please check again?

 Commit log:

   Limit aliases to a vnode in the namecache to a sysctl tunable
   'vfs.cache.maxaliases'. This protects against a DoS via thousands of
   hardlinks to a file wiring down all kernel memory.

 Ady (@freebsd.ady.ro)



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


------- End of Forwarded Message
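
Added example, not part of the original messages and not FreeBSD's code: a small user-space C model of the behaviour described in the report and the commit log, showing cache memory growing with the number of names for one open file and staying bounded once aliases per vnode are capped. The names `ncentry`, `cache_enter`, `cache_purge` and `simulate`, the cap value 4, and the policy of simply not caching names past the cap are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model, NOT FreeBSD's vfs_cache.c: names chain off their vnode. */
struct ncentry { struct ncentry *next; char name[32]; };
struct vnode   { struct ncentry *aliases; unsigned nalias; int open; };
static size_t wired_bytes;            /* memory held by cache entries */
/* cap == 0 models the unfixed cache; cap > 0 stands in for
 * vfs.cache.maxaliases. Skipping names past the cap is an assumed policy. */
static int cache_enter(struct vnode *vp, const char *name, unsigned cap) {
    if (cap != 0 && vp->nalias >= cap)
        return 0;                     /* over the limit: do not cache */
    struct ncentry *e = calloc(1, sizeof(*e));
    if (e == NULL) return -1;
    snprintf(e->name, sizeof(e->name), "%s", name);
    e->next = vp->aliases;
    vp->aliases = e;
    vp->nalias++;
    wired_bytes += sizeof(*e);
    return 1;
}

/* Entries are freed only on vnode reclaim, which never happens while open. */
static void cache_purge(struct vnode *vp) {
    while (!vp->open && vp->aliases != NULL) {
        struct ncentry *e = vp->aliases;
        vp->aliases = e->next;
        free(e);
        vp->nalias--;
        wired_bytes -= sizeof(struct ncentry);
    }
}

/* Resolve nlinks names of one open file; return bytes held while it is open. */
static size_t simulate(unsigned nlinks, unsigned cap) {
    struct vnode vp = { NULL, 0, 1 };
    char name[32];
    for (unsigned i = 0; i < nlinks; i++) {
        snprintf(name, sizeof(name), "link%u", i);
        cache_enter(&vp, name, cap);
    }
    cache_purge(&vp);                 /* no effect: the file is still open */
    size_t held = wired_bytes;
    vp.open = 0;
    cache_purge(&vp);                 /* closed and reclaimed: entries freed */
    return held;
}

int main(void) {
    printf("no cap: %zu, cap 4: %zu\n", simulate(10000, 0), simulate(10000, 4));
}
```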




