tech-kern: Fork bomb protection patch

Subject: Fork bomb protection patch
To: None <tech-kern@netbsd.org>
From: Jaromir Dolecek <jdolecek@netbsd.org>
List: tech-kern
Date: 12/04/2002 10:07:35
Hi,
following is a deal with common forkbomb attacks. The change
is based on FreeBSD kern_fork.c change in rev.1.132. Please
let me know if you'd see anything obviously wrong in the
patch; I'll commit the change later today otherwise.

Changes:
* leave 10 processes for root-only use
  - 1 is not enough to get through sshd login nowadays (as pointed
    out by Bang Jun-Young), and it makes it easier for root
    to handle the problem
* use ratecheck() to limit the 'table full' messages to once per 10s 
  - this is to reduce spam to syslogd and thus log/console; this
    is still useful even through syslogd normally doesn't actually
    log the repeated messages
* make process sleep for 0.5s if the system table is full
  or when the user reaches their process number limit
  - this is to not hog the system with huge number of CPU-hungry
    looping processes

Jaromir

Index: kern_fork.c
===================================================================
RCS file: /cvsroot/syssrc/sys/kern/kern_fork.c,v
retrieving revision 1.100
diff -u -p -r1.100 kern_fork.c
--- kern_fork.c	2002/11/30 11:20:51	1.100
+++ kern_fork.c	2002/12/04 08:46:02
@@ -189,6 +189,9 @@ sys___clone(struct proc *p, void *v, reg
 	    NULL, NULL, retval, NULL));
 }
 
+/* print the 'table full' message once per 10 seconds */
+struct timeval fork_tfmrate = { 10, 0 };
+
 int
 fork1(struct proc *p1, int flags, int exitsig, void *stack, size_t stacksize,
     void (*func)(void *), void *arg, register_t *retval,
@@ -209,9 +212,13 @@ fork1(struct proc *p1, int flags, int ex
 	 * processes, maxproc is the limit.
 	 */
 	uid = p1->p_cred->p_ruid;
-	if (__predict_false((nprocs >= maxproc - 1 && uid != 0) ||
+	if (__predict_false((nprocs >= maxproc - 10 && uid != 0) ||
 			    nprocs >= maxproc)) {
-		tablefull("proc", "increase kern.maxproc or NPROC");
+		static struct timeval lasttfm;
+
+		if (ratecheck(&lasttfm, &fork_tfmrate))
+			tablefull("proc", "increase kern.maxproc or NPROC");
+		(void)tsleep(&nprocs, PUSER, "forkmx", hz / 2);
 		return (EAGAIN);
 	}
 	nprocs++;
@@ -225,6 +232,7 @@ fork1(struct proc *p1, int flags, int ex
 			    p1->p_rlimit[RLIMIT_NPROC].rlim_cur)) {
 		(void)chgproccnt(uid, -1);
 		nprocs--;
+		(void)tsleep(&nprocs, PUSER, "forkulim", hz / 2);
 		return (EAGAIN);
 	}
 
-- 
Jaromir Dolecek <jdolecek@NetBSD.org>            http://www.NetBSD.org/
-=- We should be mindful of the potential goal, but as the tantric    -=-
-=- Buddhist masters say, ``You may notice during meditation that you -=-
-=- sometimes levitate or glow.   Do not let this distract you.''     -=-