From alane@wwweasel.geeksrus.net  Sat Sep 14 05:41:49 2002
Return-Path: <alane@wwweasel.geeksrus.net>
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 91ED937B400; Sat, 14 Sep 2002 05:41:49 -0700 (PDT)
Received: from wwweasel.geeksrus.net (wwweasel.geeksrus.net [64.8.210.226])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id C156043E75; Sat, 14 Sep 2002 05:41:48 -0700 (PDT)
	(envelope-from alane@wwweasel.geeksrus.net)
Received: from wwweasel.geeksrus.net (alane@localhost [127.0.0.1])
	by wwweasel.geeksrus.net (8.12.6/8.12.6) with ESMTP id g8ECemkZ046254;
	Sat, 14 Sep 2002 08:40:48 -0400 (EDT)
	(envelope-from alane@wwweasel.geeksrus.net)
Received: (from alane@localhost)
	by wwweasel.geeksrus.net (8.12.6/8.12.6/Submit) id g8ECelg9046253;
	Sat, 14 Sep 2002 08:40:47 -0400 (EDT)
	(envelope-from alane)
Message-Id: <200209141240.g8ECelg9046253@wwweasel.geeksrus.net>
Date: Sat, 14 Sep 2002 08:40:47 -0400 (EDT)
From: Alan Eldridge <ports@geeksrus.net>
Reply-To: Alan Eldridge <ports@geeksrus.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc: jmallet@freebsd.org, kris@obsecurity.org
Subject: usr.bin/make: patch to stop a fork bomb
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         42772
>Category:       bin
>Synopsis:       usr.bin/make: patch to stop a fork bomb
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 14 05:50:02 PDT 2002
>Closed-Date:    Mon Aug 23 16:59:25 GMT 2004
>Last-Modified:  Mon Aug 23 16:59:25 GMT 2004
>Originator:     Alan Eldridge
>Release:        FreeBSD 4.7-PRERELEASE i386
>Organization:
Geeksrus.NET
>Environment:
System: FreeBSD wwweasel.geeksrus.net 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #0: Sun Sep 8 06:05:58 EDT 2002 root@wwweasel.geeksrus.net:/usr/obj/usr/src/sys/WWWEASEL i386

>Description:

Under certain circumstances, it is possible, by setting certain variables
(does anybody have a list?), to cause a ports make to enter an infinite
loop, eventually fork()ing itself to death, and presenting a
denial-of-service attack against the host by preventing other programs
from fork()ing.

This patch uses an env var, __MKLVL__, to keep track of the recursion
level and causes a failure when it reaches 500.

>How-To-Repeat:

cd /usr/ports/irc/xchat; make USE_GNOME-gtk12 package

>Fix:

Note: this is just a tourniquet for a severed artery; it prevents the
most egregious symptom and prevents the box from falling on its side.

However, I'd be grateful if this could be committed to both CURRENT and
STABLE ASAP after the code freeze is lifted. Thanks.

==8<====8<====8<====8<====8<====8<====8<====8<====8<====8<==
diff -ru /usr/src/usr.bin/make/main.c usr.bin/make/main.c
--- /usr/src/usr.bin/make/main.c	Thu Jul 25 03:10:15 2002
+++ usr.bin/make/main.c	Sat Sep 14 08:07:29 2002
@@ -108,6 +108,8 @@
 #include "job.h"
 #include "pathnames.h"
 
+#define WANT_ENV_MKLVL	1
+
 #ifndef	DEFMAXLOCAL
 #define	DEFMAXLOCAL DEFMAXJOBS
 #endif	/* DEFMAXLOCAL */
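Review bot: WANT_ENV_MKLVL is defined unconditionally just above DEFMAXLOCAL, so every #ifdef WANT_ENV_MKLVL guard later in the file is always true and the macro offers no real way to build without the check. Either drop the guards, or leave the define out of main.c and have the Makefile pass -DWANT_ENV_MKLVL. In both cases a one-line comment saying what the macro enables would help the next reader.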
@@ -475,6 +477,12 @@
 	struct stat sb;
 	char *pwd;
 #endif
+#ifdef WANT_ENV_MKLVL
+#define MKLVL_MAXVAL	500
+#define MKLVL_ENVVAR	"__MKLVL__"
+	int iMkLvl = 0;
+	char *szMkLvl = getenv(MKLVL_ENVVAR);
+#endif /* WANT_ENV_MKLVL */
 	char mdpath[MAXPATHLEN + 1];
 	char obpath[MAXPATHLEN + 1];
 	char cdpath[MAXPATHLEN + 1];
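Review bot: MKLVL_MAXVAL and MKLVL_ENVVAR are #defined in the middle of the local declarations, and the limit of 500 carries no comment explaining how it was chosen. Move both to the top of the file next to WANT_ENV_MKLVL and document the rationale for the value. The initializer szMkLvl = getenv(MKLVL_ENVVAR) also makes one variable serve first as a borrowed pointer into the environment and later as an allocated buffer; two separately named variables would be clearer, and iMkLvl/szMkLvl do not follow the naming used by the surrounding declarations (pwd, mdpath, obpath).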
@@ -485,6 +493,19 @@
 	char *cp = NULL, *start;
 					/* avoid faults on read-only strings */
 	static char syspath[] = _PATH_DEFSYSPATH;
+
+#ifdef WANT_ENV_MKLVL
+	if ((iMkLvl = szMkLvl ? atoi(szMkLvl) : 0) < 0) {
+	  iMkLvl = 0;
+	}
+	if (iMkLvl++ > MKLVL_MAXVAL) {
+	  errc(2, EAGAIN, 
+	       "Max recursion level (%d) exceeded.", MKLVL_MAXVAL);
+	}
+	bzero(szMkLvl = emalloc(32), 32);
+	sprintf(szMkLvl, "%d", iMkLvl);
+	setenv(MKLVL_ENVVAR, szMkLvl, 1);
+#endif /* WANT_ENV_MKLVL */
 
 #ifdef RLIMIT_NOFILE
 	/*
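Review bot: the atoi(szMkLvl) call in the first added statement cannot tell a malformed or out-of-range __MKLVL__ from a genuine 0, so a garbage value silently resets the depth counter; strtol with an end-pointer and range check would let make reject or clamp it deliberately. The test iMkLvl++ > MKLVL_MAXVAL only fires once the inherited value is 501, so the "Max recursion level (500) exceeded" message appears after more than 500 levels already exist; >= would match the message. The emalloc(32) buffer is not freed anywhere in this hunk and is filled with an unbounded sprintf; a local char buf[32] written with snprintf removes both the allocation and the bzero. The return value of setenv is ignored, so a failure to export the counter would go unnoticed and the child would start again from 0. Finally, errc with EAGAIN appends that errno's generic message to the output, which may confuse users; errx with the same text reads more directly.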
==8<====8<====8<====8<====8<====8<====8<====8<====8<====8<==

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: schweikh 
State-Changed-When: Fri Sep 20 10:01:16 PDT 2002 
State-Changed-Why:  
I don't like this for various reasons. 

1) It does not solve the root cause (ports variables leading to recursions 
in make) Can this be solved in bsd.port.mk? 
2) Fork Bomb DoS attacks should not be handled by hardening all the 
potential utilities (you can't prevent them in shells etc). They 
can be addressed by resource limits in login.conf(5), maxproc. 
3) The patch uses Hungarian Notation which is as far from BSD style 
as it gets :-) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=42772 
State-Changed-From-To: feedback->patched 
State-Changed-By: jmallett 
State-Changed-When: Wed Oct 2 21:37:08 PDT 2002 
State-Changed-Why:  
I dislike this for the reasons Jens noted in his reply, but it's better than 
nothing at all.  A reasonable stopgap until there are more efficient graphing 
algorithms for detecting recursion/... in make(1). 

Committed, thanks! 


Responsible-Changed-From-To: freebsd-bugs->jmallett 
Responsible-Changed-By: jmallett 
Responsible-Changed-When: Wed Oct 2 21:37:08 PDT 2002 
Responsible-Changed-Why:  
I dislike this for the reasons Jens noted in his reply, but it's better than 
nothing at all.  A reasonable stopgap until there are more efficient graphing 
algorithms for detecting recursion/... in make(1). 

Committed, thanks! 

Responsible-Changed-From-To: jmallett->freebsd-bugs 
Responsible-Changed-By: jmallett 
Responsible-Changed-When: Wed Oct 30 04:52:22 PST 2002 
Responsible-Changed-Why:  
I'm not interested in make at the moment.  Back to freebsd-bugs.  Needs to 
be MFC'd.  Peter [Wemm] pointed out (ISTR) that the number for max_lvl is 
very bogus.  Someone should look at both issues. 

State-Changed-From-To: patched->closed 
State-Changed-By: schweikh 
State-Changed-When: Mon Aug 23 16:58:01 GMT 2004 
State-Changed-Why:  
Apparently won't be merged to RELENG_4. Leave it at that 
now that RELENG_5 exists. 

>Unformatted:

I don't like this for various reasons.

1) It does not solve the root cause (ports variables leading to recursions
   in make)
2) Fork Bomb DoS attacks should not be handled by hardening all the
   potential utilities (you can't prevent them in shells etc). They
   can be addressed by resource limits in login.conf(5), maxproc.
3) The patch uses Hungarian Notation which is as far from BSD style
   as it gets :-)

Regards,

	Jens
-- 
Jens Schweikhardt http://www.schweikhardt.net/
SIGSIG -- signature too long (core dumped)
