Re: Linux kernels DoSable by file-max limit

[<elv () openbeer it>]

In-Reply-To: <3D28AA94.8030105 () starzetz de>

> Hi,
>
> the recently mentioned problem in BSD kernels 
concerning the global 
> limit of open files seems to be present in the Linux-
kernel too. However 
> as mentioned in the advisory about the BSD specific 
problem the Linux 
> kernel keeps some additional file slots reserved for 
> the root user.
[...]
> Greping the source code (2.4.18) reveals that the 
limit is pretty low:
> ./include/linux/fs.h:#define NR_RESERVED_FILES 10 /* 
reserved for root */
> The problem is obviously the checking for superuser 
privilege in the [*] 
> line since every user can usually run some setuid 
binaries like passwd 
> or su.

hi all,

the obvious solution to this problem is a proper use 
of setrlimit() (ulimit):

> fddos output:

preforked child 0


errno 24 pid 896 got 29 files
errno 24 pid 897 got 29 files
errno 24 pid 898 got 29 files
errno 24 pid 899 got 29 files
errno 24 pid 900 got 29 files
errno 24 pid 901 got 29 files
errno 24 pid 902 got 29 files
errno 24 pid 903 got 29 files
errno 24 pid 904 got 29 files
errno 24 pid 905 got 29 files
errno 24 pid 906 got 29 files
errno 24 pid 907 got 29 files

> strace output:

[...]

preforked child 0rt_sigprocmask(SIG_BLOCK, [CHLD], 
[], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, {1, 0})               = 0
write(1, "\n\n\n", 3)                   = 3
fork()                                  = 913
errno 24 pid 913 got 29 files
[...]
fork()                                  = -1 EAGAIN 
(Resource temporarily unavailable)
nanosleep({0, 100000000}, NULL)         = 0
nanosleep({0, 100000000}, NULL)         = 0
[...]

elvinho ~ $ ulimit -Ha
core file size        (blocks, -c) 0
data seg size         (kbytes, -d) 6144
file size             (blocks, -f) 32768
max locked memory     (kbytes, -l) unlimited
max memory size       (kbytes, -m) 1024
open files                    (-n) 32
pipe size          (512 bytes, -p) 8
stack size            (kbytes, -s) 4096
cpu time             (seconds, -t) 300
max user processes            (-u) 16
virtual memory        (kbytes, -v) unlimited
elvinho ~ $

you can set an ulimit mask in /etc/login.defs


in this manner the problem is solved but the kernel
bug still remains, so two little pieces of code:

--- /usr/src/linux/fs/file_table.c      Mon Sep 17 
20:16:30 2001
+++ /usr/src/linux/fs/file_table.c      Mon Jul  8 
23:42:01 2002
@@ -51,9 +51,12 @@
                return f;
        }
        /*
-        * Use a reserved one if we're the superuser
+        * Use one of the first 16 reserved fds if we 
have euid == 0 
+        * and one of the second 16 reserved fds if 
we're the superuser
         */
-       if (files_stat.nr_free_files && !current-
> euid)
+       if (files_stat.nr_free_files > 
(NR_RESERVED_FILES/2) && !current->euid)
+               goto used_one;
+       else if (files_stat.nr_free_files <= 
(NR_RESERVED_FILES/2) && !current->uid)
                goto used_one;
        /*
         * Allocate a new one if we're below the 
limit.

--- /usr/src/linux/include/linux/fs.h   Mon Jul  1 
14:48:44 2002
+++ /usr/src/linux/include/linux/fs.h   Tue Jul  9 
00:07:06 2002
@@ -65,7 +65,7 @@
 extern int leases_enable, dir_notify_enable, 
lease_break_time;
 
 #define NR_FILE  8192  /* this can well be larger on 
a larger system */
-#define NR_RESERVED_FILES 10 /* reserved for root */
+#define NR_RESERVED_FILES 32 /* first 16 for euid == 
0 processes and second 16 only for root */
 #define NR_SUPER 256
 
 #define MAY_EXEC 1

we check if uid == 0 because suid bit cause the 
kernel to set the egid to the uid/gid of the binary 
owner:

[...]
                /* Set-uid? */
                if (mode & S_ISUID)
                        bprm->e_uid = inode->i_uid;
[...]
/usr/src/linux/fs/exec.c line 631 of 1071 (58%)


if someone can try to post these patches to the linux 
kernel ml it would be a good thing.

cheers, elv