Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Sun, 7 Mar 1999 01:41:25 +0100  
From: Michal Zalewski <lcamtuf@IDS.PL>  
Linux 2.x IPC vunerability  
Linux IPC implementation seems to be broken. I noticed Alan about one/two  
months ago, so I believe it has been fixed in recent 2.2.x Linuxes. In  
fact, any luser may consume whole memory available on system using this  
simple program:  
-- shmkill.c --  
extern int errno;int i,d=1;char*x;main(){while(1){x=shmat(shmget(0,10000000/  
-- eof --  
Memory won't be freed even if luser's process will be killed, you have to  
use ipcrm, but there could be not enough memory to run anything :-(  
Under early 2.2.x, you have to run this program several times, to ensure  
pages are detached (in this state, they are onwerless ;-).  
The simpliest solution is to restrict for lusers IPC at all. Only a few  
programs uses IPC - probably only dosemu and ShoutCast ;>  
Michal Zalewski [] [link / marchew] [ SYSADM]  
[Marchew Industries] ! [] bash$ :(){ :|:&};:  
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]  
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]  
Date: Mon, 8 Mar 1999 02:37:18 +0100  
From: Michal Zalewski <lcamtuf@IDS.PL>  
> 5. Linux 2.x IPC vunerability  
As Solar Designer said, there are 'beancounter' feature (or per-user  
limits, instead of per-process). Probably it will be implemented in  
2.2.x kernels soon. As today, it's hard to control detached IPC pages.