Re: [PATCH] exec argument expansion can inappropriately trigger OOM-killer
From: KOSAKI Motohiro
Date: Sun Aug 29 2010 - 20:20:10 EST
> Brad Spengler published a local memory-allocation DoS that
> evades the OOM-killer (though not the virtual memory RLIMIT):
> http://www.grsecurity.net/~spender/64bit_dos.c
>
> The recent changes to create a stack guard page helps slightly to
> discourage this attack, but it is not sufficient. Compiling it statically
> moves the libraries out of the way, allowing the stack VMA to fill the
> entire TASK_SIZE.
>
> There are two issues:
> 1) the OOM killer doesn't notice this argv memory explosion
> 2) the argv expansion does not check if rlim[RLIMIT_STACK].rlim_cur is -1.
>
> I figure a quick solution for #2 would be the following patch. However,
> running multiple copies of this program could result in similar OOM
> behavior, so issue #1 still needs a solution.
>
>Reported-by: Brad Spengler <spender@xxxxxxxxxxxxxx>
>Signed-off-by: Kees Cook <kees.cook@xxxxxxxxxxxxx>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@xxxxxxxxxxxxxx>
And, I have a patch for #1. Can you please see this? Alternative idea
is to change rss accounting itself.