From nobody  Sun Mar  9 15:33:48 1997
Received: (from nobody@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id PAA20325;
          Sun, 9 Mar 1997 15:33:48 -0800 (PST)
Message-Id: <199703092333.PAA20325@freefall.freebsd.org>
Date: Sun, 9 Mar 1997 15:33:48 -0800 (PST)
From: chern@tiger.towson.edu
To: freebsd-gnats-submit@freebsd.org
Subject: non-privileged user can crash FreeBSD!!
X-Send-Pr-Version: www-1.0

>Number:         2925
>Category:       bin
>Synopsis:       non-privileged user can crash FreeBSD!!
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar  9 15:40:03 PST 1997
>Closed-Date:    Wed May 6 02:05:43 PDT 1998
>Last-Modified:  Wed May  6 02:06:26 PDT 1998
>Originator:     Eric Fang
>Release:        FreeBSD-2.1.5
>Organization:
just a student
>Environment:
FreeBSD vorlon.patriot.net 2.1.5-RELEASE FreeBSD 2.1.5-RELEASE #0: 
Wed Jul 17 03:09:31  1996 
jkh@whisker.cdrom.com:/usr/src/sys/compile/GENERIC  i386

(The CPU is a Cyrix 6x86 PR150+, 64M EDO RAM, 128M Swap partition)
>Description:
I simulated a situation as a novice C++ programmer/student writing
code using pointers.  I was curious and changed the code to be an infinite
loop, and it would keep creating pointers/data structures.  I ran this
program as a normal user, and then switched virtual console (Alt-F?) to a
root login with 'top' running.  The first time it exited okay, saying not
enough swap space.  Then I ran more than 3 instances of the same program in
a row, running in the background with '&'.  The system simply crashed and
stopped.  I waited for more than 15 minutes to see if it would recover, but
it didn't.  I will be upgrading to 2.1.7 to see if it occurs there also.
>How-To-Repeat:
Compile this C++ code and run many instances of this program
at the same time (lost the original, this is the
closest possible):

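#include <iostream>
using namespace std;

// Singly linked list node (class header restored; it was missing from the report)
class IntList {
public:
	int Number;
	IntList	*Next;
};

int main() {
	int Number=10000;
	
	IntList *ListPtr;
	
	IntList *LastPtr = 0;
	IntList *First = 0;
	
	// Never terminates: each pass allocates one more node and nothing is freed
	while (1) {
		ListPtr = new IntList;
		ListPtr->Number = Number;
		ListPtr->Next = 0;
		if (LastPtr)
			LastPtr->Next = ListPtr;
		else
			First = ListPtr;
		
		LastPtr = ListPtr;
	}
	// Not reached: the loop above has no exit
	if (First) {
		ListPtr = First;
		
		do {
			cout << ListPtr->Number << " ";
			ListPtr = ListPtr->Next;
		}
		while (ListPtr);
		
		cout << "\n";
	}
	cout << "Bye bye!\n";
}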
>Fix:

>Release-Note:
>Audit-Trail:

From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: chern@tiger.towson.edu
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/2925: non-privileged user can crash FreeBSD!! 
Date: Sun, 09 Mar 1997 18:09:05 -0800

 > background running.  The system simply crashed and stopped.  I waited for 
 
 Are you *positive* that the system crashed, e.g. you tried to access
 it from another network node and it did not respond?  If you're
 running X and you run out of swap space, many times the system will
 shoot down the X server in its desperate attempt to find more memory
 resources.  Unfortunately, when the X server is shot unexpectedly like
 this it leaves the console in a bad state and it looks to the
 uninitiated like a system crash.  You must verify that it really *was*
 a system crash by seeing if the system is still up after you reproduce
 the failure.  Also, don't run an X server while testing these sorts of
 things - it only complicates the situation.  Thanks.
 
 					Jordan

From: Eric Fang <chern@tiger.towson.edu>
To: "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/2925: non-privileged user can crash FreeBSD!! 
Date: Mon, 10 Mar 1997 11:58:42 -0500 (EST)

 On Sun, 9 Mar 1997, Jordan K. Hubbard wrote:
 
 > > background running.  The system simply crashed and stopped.  I waited for 
 > 
 > Are you *positive* that the system crashed, e.g. you tried to access
 > it from another network node and it did not respond?  If you're
 
 No, I tested on the local machine *without* running X.  I simply hit
 'alt-F2', logged on as root and ran top to see what was going on while the
 'alt-F1' console was running that bad program that infinitely creates
 pointers.  You can reproduce it yourself (2.1.5; for other versions I have
 no idea).  Again, no X involved, no other funky processes running, and
 it's a fresh startup.
 
 > running X and you run out of swap space, many times the system will
 > shoot down the X server in its desperate attempt to find more memory
 > resources.  Unfortunately, when the X server is shot unexpectedly like
 > this it leaves the console in a bad state and it looks to the
 > uninitiated like a system crash.  You must verify that it really *was*
 > a system crash by seeing if the system is still up after you reproduce
 > the failure.  Also, don't run an X server while testing these sorts of
 > things - it only complicates the situation.  Thanks.
 > 
 > 					Jordan
 > 
 
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Wed May 6 02:05:43 PDT 1998 
State-Changed-Why:  
Analyzed by koshy@india.hp.com:
Post addition of login class functionality,
a sysadmin can restrict the usage of system resources by a process.
Hence non-privileged users can be prevented from crashing FreeBSD.

(The deeper problem of recovering from an arbitrary OS resource
running out is not easy to fix.  But at least we now have knobs
which allow us to tackle the easier cases.)
>Unformatted:
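
The closing note says login class resource limits let an administrator bound what a single process may consume. As an added example (not code from this PR or from FreeBSD), the program below applies a per-process limit with setrlimit(2) to a child running the report's allocation loop, so the loop fails inside that process at a bounded node count. The choice of RLIMIT_AS, the 64 MiB cap and the name nodes_before_limit are assumptions made for illustration.

```cpp
// Added example, not code from the PR; the cap and names are illustrative.
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <new>

struct IntList { int Number; IntList *Next; };

// Fork a child, cap its address space with setrlimit, run the report's
// list-growing loop there, and return the node count reached (0 on error).
std::size_t nodes_before_limit(rlim_t cap_bytes) {
    int fds[2];
    if (pipe(fds) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return 0; }
    if (pid == 0) {                       // child: stands in for the user's process
        close(fds[0]);
        struct rlimit rl;
        if (getrlimit(RLIMIT_AS, &rl) != 0) _exit(2);
        rl.rlim_cur = rl.rlim_max = std::min(cap_bytes, rl.rlim_max);
        if (setrlimit(RLIMIT_AS, &rl) != 0) _exit(2);
        std::size_t count = 0;
        IntList *last = nullptr;
        for (;;) {                        // same unbounded growth as in the report
            IntList *node = new (std::nothrow) IntList{10000, nullptr};
            if (!node) break;             // limit hit: this process fails, not the host
            if (last) last->Next = node;
            last = node;
            ++count;
        }
        ssize_t w = write(fds[1], &count, sizeof count);
        _exit(w == (ssize_t)sizeof count ? 0 : 2);
    }
    close(fds[1]);                        // parent: collect the child's result
    std::size_t count = 0;
    ssize_t r = read(fds[0], &count, sizeof count);
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    bool ok = r == (ssize_t)sizeof count && WIFEXITED(status) && WEXITSTATUS(status) == 0;
    return ok ? count : 0;
}

int main() {
    std::printf("nodes under a 64 MiB cap: %zu\n", nodes_before_limit(64UL << 20));
}
```

The limit is per process, so it bounds each instance separately; bounding many instances started at once also needs a cap on the number of processes per user.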
