Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Shared memory DoS's
From: glynn () SENSEI CO UK (Glynn Clements)
Date: Fri, 16 Jul 1999 11:53:14 +0100

Mike Perry wrote:

  1. The system does not check rlimits for mmap and shmget (FreeBSD)
  2. The system never bothers to offer the ability to set the rlimits for
     virtual memory via shells, login process, or otherwise. (Linux)

Some fixes:

The Linux SysVinit (>2.54) uses /etc/initscript (or /sbin/initscript)
to spawn the processes listed in /etc/inittab, so you can set limits
within that (e.g. for the getty processes).

Either wrap in.telnetd or use -L to wrap the login program.

Set limits in the rc.init2 (etc) script for daemons which may execute
user-defined code (e.g. crond, httpd). Similarly for xdm via Xstartup.
You might also want to wrap your MDAs if you are using procmail or
allow program aliases in ~/.forward files.

Some versions of Linux (RedHat?) have a login which allows limits to
be set via a login.defs file.

  4. With System V IPC, shared memory persists even after the process is
     gone. So even though the kernel may kill the process after it exhausts
     all memory from page faults, there still is 0 memory left for the system.
     I suppose with some trickery you might be able to achieve the same results
     by shared mmap()'ing a few large files between pairs of processes. (All)

mmap() is potentially less serious as the memory will be released if
the processes are killed.

Glynn Clements <glynn () sensei co uk>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]