[14432] in bugtraq
Re: Local Denial-of-Service attack against Linux
daemon@ATHENA.MIT.EDU (Gigi Sullivan)
Tue Mar 28 01:23:56 2000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="W/nzBZO5zC0uMSeA"
Message-Id: <20000327090438.A317@armageddon.libero.it>
Date: Mon, 27 Mar 2000 09:04:39 +0200
Reply-To: sullivan@sikurezza.org
From: Gigi Sullivan <sullivan@SIKUREZZA.ORG>
X-To: Jay Fenlason <fenlason@CLEARWAY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000323175509.A23709@clearway.com>; from Jay Fenlason on Thu, Mar 23, 2000 at 05:55:09PM -0500
Aiee :)
Hello!
>
> This amusing little program will hang Linux 2.2.12 (default Red Hat 6.1),
> 2.2.14 (latest stable kernel) and 2.3.99-pre2 (latest development kernel)
> on my 6x86 scratch machine and our various Pentium development machines.
> Note that this does not require any special privileges.
>
> The send system call immediately puts the kernel in a loop spewing
> kmalloc: Size (131076) too large
> forever (or until you hit the reset button).
>
[snip]
I here enclose a very easy little kernel patch that should fix
this problem.
This is a temporary fix, though.
I'm not sure this is the right way to do it and probably this could
break some actual behaviour (see the comments).
I apologize; still learning kernel internals.
bye bye
-- gg sullivan
P.S.
Advice, corrections, bug fixes :) are really welcome.
--
Lorenzo Cavallaro `Gigi Sullivan' <sullivan@sikurezza.org>
Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)
Content-Disposition: attachment; filename=ldos_patch
--- sock.c.orig Mon Mar 27 08:43:41 2000
+++ sock.c Mon Mar 27 08:52:16 2000
@@ -79,6 +79,10 @@
* Jay Schulist : Added SO_ATTACH_FILTER and SO_DETACH_FILTER.
* Andi Kleen : Add sock_kmalloc()/sock_kfree_s()
* Andi Kleen : Fix write_space callback
+ * Lorenzo `Gigi Sullivan' Cavallaro: Temporary Fix to local DoS due to
+ * too big buffer (AF_UNIX SOCK_DGRAM).
+ * Maybe this will broke something else.
+ * I apologize.
*
* To Fix:
*
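Review bot: the attribution entry added in this hunk should read as a one-line changelog, not an apology: drop `Maybe this will broke something else.` and `I apologize.` (and note the grammar slip, `will broke`). The entry also limits the scope to `AF_UNIX SOCK_DGRAM`, but the change itself lands in the generic send-buffer allocation path of this file (net/core/sock.c, going by the sock_kmalloc() entry above and the comment in the second hunk), so every socket family that allocates through it is affected; say so in the entry. The file header also gives only `sock.c`; a path relative to the kernel tree would let the patch apply without guessing.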
@@ -566,6 +570,18 @@
skb->sk = sk;
return skb;
}
+
+ /*
+ * kmalloc (mm/slab.c) checks the size to allocate through a
+ * `cache size struct'.
+ * If we try to allocate much more then the maximum, just report it
+ * backwardly.
+ * XXX Will this broke something, like sock_wait_for_wmem()
+ * defined in net/core/sock.c ?
+ * Is this the right way ?
+ */
+
+ sk->err = EMSGSIZE;
}
return NULL;
}
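Review bot: `sk->err = EMSGSIZE;` is executed on every path where alloc_skb() returned NULL (the new code sits between the closing brace of the `if (skb)` block and the fall-through to `return NULL;`), so an ordinary out-of-memory failure is now reported to the socket owner as a message-size error; compare `size` against the allocator's limit before calling alloc_skb() and set EMSGSIZE only in that case, leaving other failures to return NULL as before. Because the function still returns NULL unchanged, the spinning sender only stops if the caller reads sk->err on its next pass, which is exactly the open question in the comment about sock_wait_for_wmem(); resolve that before merging rather than leaving it as a question in the source, and trim the comment block to what is actually known. Also keep in mind that sk->err is a pending error visible to any later operation on the socket, not just to the send that triggered it.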
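As an added illustration that is not code from the thread, the patch or the kernel, here is a user-space C model of the retry loop the report above describes and the patch tries to end; it contrasts the unpatched spin, the posted patch (EMSGSIZE on any allocation failure, including memory pressure) and a size check done before allocating. `model_sock`, `model_alloc_send_skb`, `MODEL_KMALLOC_MAX` and the `oom` flag are assumptions, chosen so that the 131076-byte request from the report exceeds the modelled limit.

```c
/* User-space model of the sock_wmalloc()/sock_alloc_send_skb() retry loop in this
 * thread. Constructed for illustration; names and limits are assumptions. */
#include <errno.h>
#include <stdlib.h>
#define MODEL_KMALLOC_MAX 131072UL  /* assumed largest slab size; 131076 exceeds it */
enum model_mode { UNPATCHED, PATCH_ERR_ON_FAILURE, CHECK_SIZE_FIRST };
struct model_sock {
    int err;  /* pending asynchronous error, the role of sk->err */
    int oom;  /* constructed flag: simulate transient memory pressure */
};

/* Stands in for alloc_skb(): NULL on an oversized request (where the real
 * kernel logged "kmalloc: Size (...) too large") or under memory pressure. */
static void *model_alloc_skb(struct model_sock *sk, unsigned long size)
{
    if (size > MODEL_KMALLOC_MAX || sk->oom)
        return NULL;
    return malloc(size);
}

/* Returns the number of loop iterations used; *errcode receives the negative
 * errno handed to the sender, 0 on success. max_tries bounds a loop that the
 * unpatched kernel never left. */
int model_alloc_send_skb(struct model_sock *sk, unsigned long size,
                         enum model_mode mode, int max_tries, int *errcode)
{
    int tries = 0;
    *errcode = 0;
    if (mode == CHECK_SIZE_FIRST && size > MODEL_KMALLOC_MAX) {
        *errcode = -EMSGSIZE;  /* reject before touching the allocator */
        return 0;
    }
    while (tries < max_tries) {
        tries++;
        if (sk->err) {  /* sock_error(): a pending error ends the loop */
            *errcode = -sk->err;
            sk->err = 0;
            break;
        }
        void *skb = model_alloc_skb(sk, size);
        if (skb) {
            free(skb);
            break;
        }
        if (mode == PATCH_ERR_ON_FAILURE)  /* the posted patch: flag any failure; */
            sk->err = EMSGSIZE;            /* UNPATCHED records nothing and retries */
    }
    return tries;
}
```

With the oversized request, UNPATCHED runs until max_tries with no error, PATCH_ERR_ON_FAILURE returns EMSGSIZE on the second pass, and CHECK_SIZE_FIRST returns it without allocating; under the simulated memory pressure only the patched variant turns a normal-sized send into EMSGSIZE.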