Re: x86_64 system lockup from userspace using setitimer()

2007-03-13 Thread Thomas Gleixner
On Tue, 2007-03-13 at 16:02 -0400, Chuck Ebbert wrote:
> > struct itimerval tim = {
> > .it_interval = {
> > .tv_sec = 140735669863712,
> > .tv_usec = 4199521
> > },
> Could this be fixed by:
> 
> http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8bfd9a7a229b5f3d3eda5d7d45c2eebec5b4ba16
> 
> [PATCH] hrtimers: prevent possible itimer DoS

No. The possible DoS is only when high res timers are enabled, which is
not the case in 2.6.20.

Looking at the values 

140735669863712 = 0x7FFF 939C 0520

We convert seconds to nanoseconds:

140735669863712 * 1e9 =  0x1DCD 4BC3 6B82 914B 4000

The seconds value is limited to LONG_MAX, but on a 64 bit machine,
140735669863712 is inside LONG_MAX and we have a multiplication
overflow.

I'm not sure how this results in a DoS, but I will look into this
tomorrow morning, when I'm more awake.

tglx


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
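The overflow tglx describes, worked as an added example that is not from the thread: a checked timeval-to-nanoseconds conversion (the function `timeval_to_ns_checked` is this example's own name; the NSEC_PER_SEC/USEC_PER_SEC constants follow the kernel's usual naming) that rejects a tv_sec whose nanosecond value no longer fits in 64 bits, and an unnormalised tv_usec such as the one in the reproducer.

```c
/* Added example, not code from the thread or the kernel: detect the
 * seconds-to-nanoseconds multiplication overflow instead of computing it. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/time.h>

#define NSEC_PER_SEC  1000000000LL
#define USEC_PER_SEC  1000000LL
#define NSEC_PER_USEC 1000LL

/* Returns true and stores the nanosecond value if tv converts without
 * overflow; returns false if tv_usec is outside [0, USEC_PER_SEC) or if
 * tv_sec * NSEC_PER_SEC (plus the microseconds) would not fit in int64_t. */
bool timeval_to_ns_checked(const struct timeval *tv, int64_t *ns)
{
    if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC)
        return false;                     /* unnormalised microseconds */

    /* Largest magnitude of tv_sec whose nanosecond value still fits. */
    const int64_t max_sec = INT64_MAX / NSEC_PER_SEC;  /* 9223372036 */
    const int64_t min_sec = INT64_MIN / NSEC_PER_SEC;
    if ((int64_t)tv->tv_sec > max_sec || (int64_t)tv->tv_sec < min_sec)
        return false;                     /* the multiplication would overflow */

    int64_t sec_ns  = (int64_t)tv->tv_sec * NSEC_PER_SEC;
    int64_t usec_ns = (int64_t)tv->tv_usec * NSEC_PER_USEC;
    /* sec_ns fits and usec_ns < 1e12, but the sum can still overflow. */
    if (sec_ns > INT64_MAX - usec_ns)
        return false;
    *ns = sec_ns + usec_ns;
    return true;
}

int main(void)
{
    /* The it_interval from the reproducer in this thread. */
    struct timeval tv = { .tv_sec = 140735669863712, .tv_usec = 4199521 };
    int64_t ns;
    if (timeval_to_ns_checked(&tv, &ns))
        printf("%lld ns\n", (long long)ns);
    else
        printf("rejected: tv_sec=%lld tv_usec=%lld would overflow or is "
               "unnormalised\n", (long long)tv.tv_sec, (long long)tv.tv_usec);
    return 0;
}
```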


Re: x86_64 system lockup from userspace using setitimer()

2007-03-13 Thread Chuck Ebbert
Johannes Bauer wrote:
> Dear Community,
> 
> I think I've encountered a bug with the Linux kernel which results in a
> complete system lockup and which can be started without root privileges.
> It's reproducible with 2.6.20.1 and 2.6.20.2 and only x86_64 seems
> affected.
> 
> Here's the code which triggers the bug (originally found by me using an
> only partly initialized "struct itimerval" structure - hence the strange
> values in it_interval):
> 
> -8<-8<-8<-8<-8<-8<-8<-8<-8<-
> #include <sys/time.h>
> #include <unistd.h>
> 
> int main(int argc, char **argv) {
>     /* Interval left with garbage-like values; it_value fires after 10 usec. */
>     struct itimerval tim = {
>         .it_interval = {
>             .tv_sec = 140735669863712,
>             .tv_usec = 4199521
>         },
>         .it_value = {
>             .tv_sec = 0,
>             .tv_usec = 10
>         }
>     };
>     setitimer(ITIMER_REAL, &tim, NULL);
>     while (1) sleep(1);
>     return 0;
> }
> -8<-8<-8<-8<-8<-8<-8<-8<-8<-
> 
> Compiled with gcc 4.1.1 with "gcc -O2 -Wall -o crash crash.c".
> 
> The sourcecode can be found at
> http://www.johannes-bauer.com/crash/crash.c and my kernel configuration
> is at http://www.johannes-bauer.com/crash/config
> 
> Any further questions: feel free to ask. Please CC me for any posts in
> this thread.

Could this be fixed by:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=8bfd9a7a229b5f3d3eda5d7d45c2eebec5b4ba16

[PATCH] hrtimers: prevent possible itimer DoS

?



Re: x86_64 system lockup from userspace using setitimer()

2007-03-13 Thread Andreas Schwab
Johannes Bauer <[EMAIL PROTECTED]> writes:

> Dear Community,
>
> I think I've encountered a bug with the Linux kernel which results in a
> complete system lockup and which can be started without root
> privileges. It's reproducible with 2.6.20.1 and 2.6.20.2 and only x86_64
> seems affected.

I can also reproduce it on ia64 with 2.6.20.  2.6.16.42 is ok.

Andreas.

-- 
Andreas Schwab, SuSE Labs, [EMAIL PROTECTED]
SuSE Linux Products GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
PGP key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."