[2092] in linux-security and linux-alert archive
[linux-security] Re: simple perl script bypasses limits
daemon@ATHENA.MIT.EDU (Scott Doty)
Tue Nov 24 11:35:46 1998
Date: Tue, 24 Nov 1998 04:49:25 -0800
From: Scott Doty <scott@sonic.net>
To: David Lai <dlai@bacon.esd.sgi.com>, linux-security@redhat.com
In-Reply-To: <199811212118.NAA00867@bacon.esd.sgi.com>; from David Lai on Sat, Nov 21, 1998 at 01:18:31PM -0800
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Sat, Nov 21, 1998 at 01:18:31PM -0800, David Lai wrote:
> Any user with shell access, or with access to upload a cgi
> script can exploit this to make machine thrash badly.
> #!/usr/bin/perl
> open(XXX,"<xxx");
> @abc=<XXX>;
> print "read\n";
> exit;
/dev/zero works as well.
When reading the data in, perl uses mremap() to seize more memory.
Unfortunately, the resource check in sys_mremap() uses RLIMIT_AS;
my shell doesn't appear to set that. (Apparently, yours doesn't
either.) I'm using the default /bin/bash that comes with RH 5.1;
the problem could be there.
On the other hand, it could be a kernel thing, and I certainly want
it solved immediately. So I did: the following patch adds a check
for RLIMIT_DATA in sys_mremap(), which appears to foil this exploit.
(YMMV, if it breaks, you get to keep both pieces, etc.)
While the patch seems to deter the problem pointed out with your
perl script, but there could be similar problems lurking in
linux/mm -- or it could be our shells setting the wrong setrlimit()
field.
--- linux/mm/mremap.c 1998/11/24 10:33:53 1.1
+++ linux/mm/mremap.c 1998/11/24 11:53:42
@@ -165,6 +165,7 @@
unsigned long flags)
{
struct vm_area_struct *vma;
+ unsigned long check_len;
if (addr & ~PAGE_MASK)
return -EINVAL;
@@ -195,8 +196,9 @@
if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur)
return -EAGAIN;
}
- if ((current->mm->total_vm << PAGE_SHIFT) + (new_len - old_len)
- > current->rlim[RLIMIT_AS].rlim_cur)
+ check_len = (current->mm->total_vm << PAGE_SHIFT) +(new_len - old_len);
+ if (check_len > current->rlim[RLIMIT_AS].rlim_cur ||
+ check_len > current->rlim[RLIMIT_DATA].rlim_cur)
return -ENOMEM;
/* Private writable mapping? Check memory availability.. */
if ((vma->vm_flags & (VM_SHARED | VM_WRITE)) == VM_WRITE) {
-Scott Doty
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
