* DoS using tmpfs
@ 2001-06-08 22:42 Pavel Roskin
2001-06-13 7:04 ` Christoph Rohland
0 siblings, 1 reply; 2+ messages in thread
From: Pavel Roskin @ 2001-06-08 22:42 UTC (permalink / raw)
To: linux-kernel
Hello!
It appears that a system with tmpfs mounted with the default (!!!)
parameters can be used by ordinary users to make the system
non-functional.
Let me tell you the whole story. I don't know what is wrong here and what
is not, but the end result is a security hole.
The kernel version is 2.4.5-ac9. It's compiled with gcc from RedHat 7.1.
The processor is Pentium III 550 MHz. Alt-Sysrq is enabled - we'll need it
later.
# mount
/dev/ide/host2/bus0/target0/lun0/part4 on / type reiserfs (rw)
none on /proc type proc (rw)
usbdevfs on /proc/bus/usb type usbdevfs (rw)
devfs on /dev type devfs (rw)
none on /tmp type tmpfs (rw,mode=1777)
none on /dev/shm type shm (rw)
Note the "mode=1777" is not required - it's the default. I put it here
just in case the default changes.
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/ide/host2/bus0/target0/lun0/part4
5124540 3510036 1614504 69% /
none 277728 0 277728 0% /tmp
none 277728 0 277728 0% /dev/shm
# free
total used free shared buffers cached
Mem: 255948 97520 158428 0 14880 68172
-/+ buffers/cache: 14468 241480
Swap: 104380 0 104380
Note that my swap file is just 100M compared to 256M memory, but I never
run anything bigger than Mozilla, so even 350M virtual memory is more than
enough for me.
Now I log in on tty2 as user.
$ dd if=/dev/zero of=/tmp/foo
In a few seconds I'm pressing Ctrl-C - it doesn't work. Alt-F1 works. I
type df as root, press enter and it hangs. I'm hitting Ctrl-C in vain. Now
I press Alt-F2 - it works. I'm trying the last resort - Alt-Sysrq-K. It
works, the login appears.
Now let's see what we have.
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/ide/host2/bus0/target0/lun0/part4
5124540 3510044 1614496 69% /
none 177124 159968 17156 91% /tmp
none 17156 0 17156 0% /dev/shm
There is still free space in /tmp, but ...
# free
total used free shared buffers cached
Mem: 255948 253680 2268 55588 14880 171280
-/+ buffers/cache: 67520 188428
Swap: 104380 104380 0
... the swap is exhausted, and so is the memory. Now let's remove /tmp/foo
and see what happens.
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/ide/host2/bus0/target0/lun0/part4
5124540 3510044 1614496 69% /
none 72340 0 72340 0% /tmp
none 72340 0 72340 0% /dev/shm
The free space didn't rebound to its initial value, and here's why:
# free
total used free shared buffers cached
Mem: 255948 198492 57456 0 14880 171284
-/+ buffers/cache: 12328 243620
Swap: 104380 104380 0
The memory is freed, but the swap is still full!
Running "swapoff -a" followed by "swapon -a" brings the system to the sane
state.
Now let me stress some points where the kernel is _possibly_ at fault.
1) tmpfs, as opposed to ramfs doesn't limit the usage by default. It's not
a good default for a filesystem designed for temporary files.
2) Not delivering SIGINT to processes is probably not the best behavior if
the memory is low. However, one could argue that some processes would use
even more resources if they get control with SIGINT.
3) All swap in the system was exhausted and yet tmpfs didn't return ENOSPC
to "dd".
4) The swap wasn't freed. Yes, I know, it's not a new problem.
I don't really know much about OS design and VM in particular, but I was
bitten by this behavior, so I decided to report it. If you cannot find
anything useful in this message, I'm sorry for your time. "IMHO" applies
to all statements made in this message.
--
Regards,
Pavel Roskin
* Re: DoS using tmpfs
2001-06-08 22:42 DoS using tmpfs Pavel Roskin
@ 2001-06-13 7:04 ` Christoph Rohland
0 siblings, 0 replies; 2+ messages in thread
From: Christoph Rohland @ 2001-06-13 7:04 UTC (permalink / raw)
To: Pavel Roskin; +Cc: linux-kernel
Hi Pavel,
On Fri, 8 Jun 2001, Pavel Roskin wrote:
> Hello!
>
> It appears that a system with tmpfs mounted with the default (!!!)
> parameters can be used by ordinary users to make the system
> non-functional.
...
> 1) tmpfs, as opposed to ramfs doesn't limit the usage by
> default. It's not a good default for a filesystem designed for
> temporary files.
Yes, use the size parameter. And no, ramfs has no resource limits in
the stock kernel at all. In -ac it limits to half the size of the
physical RAM unconditionally. But that's not useful for tmpfs since
this uses swap also. So it is the admin's task to add a size
parameter. I would love to add a size parameter in percent of virtual
memory but this would need some changes in the swapon/off coding.
> 2) Not delivering SIGINT to processes is probably not the best
> behavior if the memory is low. However, one could argue that some
> processes would use even more resources if they get control with
> SIGINT.
>
> 3) All swap in the system was exhausted and yet tmpfs didn't return
> ENOSPC to "dd".
That the kernel locks up is IMHO a mm fault. tmpfs allocates its pages
with GFP_USER and will return an error if this fails. Apparently it
never fails but locks up.
Greetings
Christoph
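
The reply above leaves the size cap to the administrator. The check below is an added example (not code from either poster): it reads a mount table in /proc/mounts layout, flags tmpfs mounts with no explicit size= cap, and reports when the caps that are set add up to more than RAM plus swap. The function name, output keywords and sample lines are constructed; 360328 kB is the Mem and Swap totals from the free output in the report.

```shell
#!/bin/sh
# Added example: flag tmpfs mounts with no explicit size= cap and check
# that the caps that are set fit into RAM + swap.

# audit_tmpfs VM_KB   (mount table in /proc/mounts layout on stdin)
# Prints "UNBOUNDED <mountpoint>" or "OVERCOMMIT <total_kb> <vm_kb>";
# returns 1 if anything was printed. Only the size= option is recognised.
audit_tmpfs() {
    awk -v vm_kb="$1" '
    # Convert a size value (bytes, or k/m/g suffix) to kB, rounding up.
    function to_kb(v,   u, n) {
        u = tolower(substr(v, length(v), 1)); n = v + 0
        if (u == "k") return n
        if (u == "m") return n * 1024
        if (u == "g") return n * 1024 * 1024
        return int((n + 1023) / 1024)
    }
    $3 == "tmpfs" {
        capped = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^size=[1-9][0-9]*%$/) {
                capped = 1            # share of RAM: bounded, not summed
            } else if (opt[i] ~ /^size=[0-9]+[kKmMgG]?$/) {
                kb = to_kb(substr(opt[i], 6))
                if (kb > 0) { capped = 1; total += kb }   # size=0: no limit
            }
        }
        if (!capped) { print "UNBOUNDED " $2; bad = 1 }
    }
    END {
        if (total + 0 > vm_kb + 0) { print "OVERCOMMIT " total " " vm_kb; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the /tmp mount from the report, /proc/mounts layout.
REPORTED='none /tmp tmpfs rw,mode=1777 0 0
none /proc proc rw 0 0'
# Constructed hardened variant; the cap values are illustrative.
HARDENED='none /tmp tmpfs rw,mode=1777,size=64m 0 0
none /dev/shm tmpfs rw,size=128m 0 0'
VM_KB=360328    # 255948 kB RAM + 104380 kB swap, from the free output

printf '%s\n' "$REPORTED" | audit_tmpfs "$VM_KB" || true
printf '%s\n' "$HARDENED" | audit_tmpfs "$VM_KB" && echo "tmpfs caps OK"
```

On a live system the same function can be fed from /proc/mounts, with VM_KB taken from the MemTotal and SwapTotal lines of /proc/meminfo.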