From togo@safe.mine.nu  Thu Jun 12 11:46:07 2003
Return-Path: <togo@safe.mine.nu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 2FEF137B401
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Jun 2003 11:46:07 -0700 (PDT)
Received: from safe.mine.nu (c-f4b470d5.016-4-67766c2.cust.bredbandsbolaget.se [213.112.180.244])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 01E9043FAF
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Jun 2003 11:46:06 -0700 (PDT)
	(envelope-from togo@safe.mine.nu)
Received: (from togo@localhost)
	by safe.mine.nu (8.11.6/8.11.6) id h5CIkdS64241;
	Thu, 12 Jun 2003 20:46:39 +0200 (CEST)
	(envelope-from togo)
Message-Id: <200306121846.h5CIkdS64241@safe.mine.nu>
Date: Thu, 12 Jun 2003 20:46:39 +0200 (CEST)
From: Tony Gottfridsson <tony@expletus.se>
Reply-To: Tony Gottfridsson <tony@expletus.se>, tony@expletus.se
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: malloc() never returns 0
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         53257
>Category:       kern
>Synopsis:       malloc() never returns 0
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 12 11:50:08 PDT 2003
>Closed-Date:    Mon Jul 14 04:00:44 PDT 2003
>Last-Modified:  Mon Jul 14 04:00:44 PDT 2003
>Originator:     Tony Gottfridsson
>Release:        FreeBSD 4.5-RELEASE i386
>Organization:
Expletus
>Environment:
System: FreeBSD safe.mine.nu 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sat Apr 20 12:33:32 CEST 2002 root@safe.mine.nu:/usr/src/sys/compile/SAFE i386


	
>Description:
	FreeBSD 4.5 malloc() never returns 0 and kills what seems to be random processes; in my case apache seems to be the most likely process to get killed first.
	This process killing is out of security bounds, i.e. a normal user malloc()ing forever can kill processes owned by root.
	I haven't found any info on this being solved in newer releases.
>How-To-Repeat:
	togo@~$ cat usemem.c
	#include <stdio.h>
	#include <stdlib.h>

	int main()
	{
	  char *ptr;
	  int malloc_size=10000000;
	  int i;
	  puts("Starting to allocate memory like a wild");
	  for (;;)
	  {
	    if ((ptr=(char *)malloc(malloc_size))==NULL)
	    {
	      puts("Got memory allocation failure");
	      return 1;
	    }
	    for (i=0; i<malloc_size; i++)
	      ptr[i]=0;
	  }
	  return 0;
	}
	togo@~$ ps -aux | grep httpd
	root   63978  0.0  7.6  6896 4576  ??  Ss    8:01PM   0:00.13 /usr/local/sbin/httpd -DMOD_FP
	www    63984  0.0  7.6  6912 4580  ??  I     8:01PM   0:00.00 /usr/local/sbin/httpd -DMOD_FP
	togo@~$ ./usemem
	Starting to allocate memory like a wild
	Killed
	togo@~$ su - 
	Password:
	root@~# tail /var/log/messages
	Jun 12 19:57:29 safe nmbd[248]:   Unable to sync browse lists in this workgroup. 
	Jun 12 20:01:42 safe su: togo to root on /dev/ttyp0
	Jun 12 20:03:44 safe /kernel: swap_pager_getswapspace: failed
	Jun 12 20:03:45 safe last message repeated 8 times
	Jun 12 20:03:45 safe /kernel: pid 63978 (httpd), uid 0, was killed: out of swap space
	Jun 12 20:03:45 safe /kernel: pid 64000 (usemem), uid 1001, was killed: out of swap space
	Jun 12 20:03:45 safe /kernel: pid 64000 (usemem), uid 1001, was killed: out of swap space
	Jun 12 20:03:45 safe /kernel: pid 63984 (httpd), uid 80, was killed: out of swap space
	Jun 12 20:03:45 safe last message repeated 7 times
	Jun 12 20:04:00 safe su: togo to root on /dev/ttyp0
	togo@~$

>Fix:

	


>Release-Note:
>Audit-Trail:

From: Garrett Wollman <wollman@lcs.mit.edu>
To: Tony Gottfridsson <tony@expletus.se>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: kern/53257: malloc() never returns 0
Date: Thu, 12 Jun 2003 14:51:05 -0400 (EDT)

 <<On Thu, 12 Jun 2003 20:46:39 +0200 (CEST), Tony Gottfridsson <tony@expletus.se> said:
 
 > 	FreeBSD 4.5 malloc() never returns 0 and kills what seems to
 > be random processes
 
 man ulimit
 
 -GAWollman
 

From: <anders.linden@cardioid.se>
To: <freebsd-gnats-submit@FreeBSD.org>, <tony@expletus.se>
Cc:  
Subject: Re: kern/53257: malloc() never returns 0
Date: Fri, 13 Jun 2003 10:30:00 +0200

 man ulimit is all you can say?
 My view of BSD as a robust operating system is now ruined.
 
 /Anders
 

From: David Schultz <das@FreeBSD.ORG>
To: Tony Gottfridsson <tony@expletus.se>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: kern/53257: malloc() never returns 0
Date: Fri, 13 Jun 2003 02:27:41 -0700

 On Thu, Jun 12, 2003, Tony Gottfridsson wrote:
 > FreeBSD 4.5 malloc() never returns 0 and kills what seems to be
 > random processes, in my case apache seems to be the most likely
 > process to get killed first.
 
 You need to set resource limits on processes whose memory usage
 you wish to bound.  See the 'memoryuse' limit in login.conf(5).
 See also: limit(1) and setrlimit(3).
 
 > This process killing is out of security bounds, ie. normal user
 > malloc()ing forever can kill processes owned by root
 
 The normal behavior is to kill the largest process.  In FreeBSD
 5.1, thanks to Wes, root can designate processes as critical so
 they will not be killed.
State-Changed-From-To: open->closed 
State-Changed-By: kris 
State-Changed-When: Mon Jul 14 04:00:22 PDT 2003 
State-Changed-Why:  
Problem can be solved by appropriate system configuration. 
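
The resource-limit approach from the replies above, as an added example that is not part of the original PR or of FreeBSD's code: the report's allocation loop runs in a child process whose address space is capped with setrlimit(3), so malloc() returns NULL instead of the system running out of swap. The choice of RLIMIT_AS, the 64 MiB cap and the name chunks_until_null are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static char *volatile keep;  /* pointer escapes, so malloc() is not optimized out */

/* Run the report's allocation loop in a forked child capped with setrlimit(3).
 * Returns the number of chunks obtained before malloc() returned NULL,
 * -1 on fork/setrlimit failure or if the child died from a signal,
 * -2 if the loop ran past the cap (limit not enforced). */
int chunks_until_null(size_t limit_bytes, size_t chunk)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl = { (rlim_t)limit_bytes, (rlim_t)limit_bytes };
        int n = 0, max = (int)(limit_bytes / chunk) + 1;
        if (max > 253) max = 253;    /* the exit status carries the count */
        if (setrlimit(RLIMIT_AS, &rl) != 0)
            _exit(254);
        while (n < max) {
            char *p = malloc(chunk);
            if (p == NULL)
                _exit(n);            /* allocator reported failure */
            keep = p;
            memset(p, 0, chunk);     /* touch the pages, as usemem.c does */
            n++;
        }
        _exit(255);                  /* safety stop: never loop unbounded */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    int code = WEXITSTATUS(status);
    if (code >= 254) return code == 254 ? -1 : -2;
    return code;
}

int main(void)
{
    int n = chunks_until_null((size_t)64 << 20, 10000000);  /* 64 MiB cap */
    printf("chunks before NULL: %d\n", n);
    return n >= 0 ? 0 : 1;
}
```

The limit is set in a forked child so the calling process keeps its own limits; a login.conf(5) class or limit(1) applies the same kind of bound to a whole login session.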

http://www.freebsd.org/cgi/query-pr.cgi?pr=53257 
>Unformatted:
