Some FreeBSD bugs, some test programs
Currently exploitable bugs in the memory-limiting rlimit mechanics:
- When handling exec*() system calls, FreeBSD checks whether the memory
requirements of the new executable image fit into the active RLIMIT_* bounds.
If they do not fit, exec*() fails, returning ENOMEM. The problem is that this
check is never done for ELF binaries; thus an ELF-format program can grab all
available memory, no matter how low the rlimits are.
- Demo: available here.
- Supposed Fix: available here.
- Status: Problem Report sent on Apr 25 2000; they gave me
"kern/18209" as a reply, and that is all. Still not fixed.
- The same problem exists with iBCS COFF executables: rlimits are never
checked on exec. The demo is trivial, but you probably have to compile it on a
Solaris box. The fix is also trivial, and if you really need it, let me know
and I'll make it available.
- FreeBSD never checks any RLIMITs when handling mmap() syscalls. This seems
to be old news, though. This "feature" also allows any user process to grab
as much memory as it wishes, no matter how low the rlimits are.
- Demo: available here.
- Supposed Fix: Oh well. I wrote a patch. It introduces a new
rlimit: RLIMIT_VMEM. It has been tested and it seems to work, but you have to patch your libc as well. The kernel patch for RLIMIT_VMEM is available here, but I've got no time to fix the libs, /usr/bin/limits, /bin/sh and the rest. A kind person named "Red Plait" has kindly done it for us: here is what we got from him. It's probably not quite for 4.0, but if you have a couple of minutes and some common sense, it won't take much to apply it on 4.0.
- Status: Sent to the mailing list as a question; no answer. Planning
to send a Problem Report (feature request) some day.
Got comments? Send me a message.
have a nice day,
-jsn