https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223732
Bug ID: 223732
Summary: mmap(2) causes unkillable denial of service with specific flags
Product: Base System
Version: 11.1-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: aks...@gmail.com

Created attachment 188093
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=188093&action=edit
mmap(2) local denial of service with MAP_STACK|MAP_ALIGNED(N) flags

I have found a set of flags that will cause a process to saturate an entire execution unit at 100% median while the process becomes unkillable even with kill -9. Sometimes the process might go under 100% CPU usage, but it gets back to 100% after a while. The process state stays "running".

This is effectively a perfect local denial of service, which cannot be undone by administrators or counter-intrusion software. The only way to get out of this DoS is to reboot the entire system. Furthermore, if you run the process a number of times greater than the number of physical CPU cores available to the system (at least on amd64), the system becomes totally unresponsive, and then only a forced power down from a power button is effective.

To reproduce this denial of service, compile the following source code with clang and execute it:

#include <sys/mman.h>

int main(int argc, char** argv)
{
    void *stack = mmap(0, 1<<12, PROT_READ|PROT_WRITE,
                       MAP_STACK|MAP_ALIGNED(12), -1, 0);

    /* Never reached.
     * Process will saturate one entire execution unit!
     * ALSO THIS PROCESS CANNOT BE KILLED!
     *
     * DoS manifests when the value of 2nd argument (len)
     * is less than or equal to 1<<N, where N is the argument
     * N to MAP_ALIGNED(N) macro
     *
     * MAP_STACK|MAP_ALIGNED(N) is the combination of flags
     * that seems to cause this DoS
     */
    return 0;
}

Like the above source code comments say, the DoS manifests when flags MAP_STACK|MAP_ALIGNED(N) are used together, and the value of the 2nd argument (len) is less than or equal to 1<<N, where N is the argument N to the MAP_ALIGNED(N) flag macro.

I have not tested if this affects jails, but I assume it does.

I marked this bug to affect all hardware, because I think this should be tested on all possible hardware, yet I have only amd64 boxes.

Source code to reproduce this bug is also attached as a file for convenience.

Output of uname -a:
FreeBSD xxx.xxx 11.1-RELEASE-p4 FreeBSD 11.1-RELEASE-p4 #0: Tue Nov 14 06:12:40 UTC 2017 r...@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
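Added example, not part of the bug report: a userland guard in C that refuses the reported trigger combination (MAP_STACK together with MAP_ALIGNED(N) and len <= 1<<N) before the request reaches the kernel, for callers such as a thread runtime that maps its own stacks. It assumes FreeBSD's encoding of MAP_ALIGNED(n) as n << 24 and treats MAP_ALIGNED_SUPER (N == 1) conservatively; it mitigates on the caller side only and does not fix the kernel.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>

/* FreeBSD encodes MAP_ALIGNED(n) as n << 24 (sys/mman.h). The fallbacks use
 * FreeBSD's values so the guard also compiles where the header lacks them. */
#ifndef MAP_ALIGNMENT_SHIFT
#define MAP_ALIGNMENT_SHIFT 24
#endif
#ifndef MAP_ALIGNED
#define MAP_ALIGNED(n) ((n) << MAP_ALIGNMENT_SHIFT)
#endif
#ifndef MAP_STACK
#define MAP_STACK 0x0400
#endif

/* Extract N from MAP_ALIGNED(N); 0 means no alignment was requested. */
static unsigned aligned_shift(int flags)
{
    return ((unsigned)flags >> MAP_ALIGNMENT_SHIFT) & 0xffu;
}

/* True when the request matches the reported trigger: MAP_STACK with
 * MAP_ALIGNED(N) and len <= 1 << N. N == 1 is MAP_ALIGNED_SUPER (superpage
 * alignment, size unknown here), so with MAP_STACK it is always refused;
 * that conservative choice is this guard's assumption, not the report's. */
int stack_mmap_is_hazardous(size_t len, int flags)
{
    unsigned n = aligned_shift(flags);
    if (!(flags & MAP_STACK) || n == 0)
        return 0;
    if (n == 1 || n >= sizeof(size_t) * 8)
        return 1;
    return len <= ((size_t)1 << n);
}

/* Drop-in mmap(2) wrapper: the hazardous combination fails with EINVAL in
 * userland instead of reaching the kernel; anything else is passed through. */
void *guarded_mmap(void *addr, size_t len, int prot, int flags, int fd, off_t off)
{
    if (stack_mmap_is_hazardous(len, flags)) {
        errno = EINVAL;
        return MAP_FAILED;
    }
    return mmap(addr, len, prot, flags, fd, off);
}

int main(void)
{
    /* The exact request from the report, refused before any syscall is made. */
    void *p = guarded_mmap(0, 1 << 12, PROT_READ | PROT_WRITE,
                           MAP_STACK | MAP_ALIGNED(12), -1, 0);
    printf("%s\n", p == MAP_FAILED ? "refused (EINVAL)" : "mapped");
    return 0;
}
```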