[linux-security] Re: simple perl script bypasses limits

[Scott Doty <scott sonic net>]

On Sat, Nov 21, 1998 at 01:18:31PM -0800, David Lai wrote:
> Any user with shell access, or with access to upload a cgi
> script can exploit this to make machine thrash badly.

> #!/usr/bin/perl
> open(XXX,"<xxx");
> @abc=<XXX>;
> print "read\n";
> exit;

/dev/zero works as well.

When reading the data in, perl uses mremap() to seize more memory.
Unfortunately, the resource check in sys_mremap() uses RLIMIT_AS;
my shell doesn't appear to set that.  (Apparently, yours doesn't
either.)  I'm using the default /bin/bash that comes with RH 5.1;
the problem could be there.

On the other hand, it could be a kernel thing, and I certainly want
it solved immediately.  So I did:  the following patch adds a check
for RLIMIT_DATA in sys_mremap(), which appears to foil this exploit.

(YMMV, if it breaks, you get to keep both pieces, etc.)

While the patch seems to deter the problem pointed out with your
perl script, but there could be similar problems lurking in
linux/mm -- or it could be our shells setting the wrong setrlimit()
field.

--- linux/mm/mremap.c	1998/11/24 10:33:53	1.1
+++ linux/mm/mremap.c	1998/11/24 11:53:42
@@ -165,6 +165,7 @@
 	unsigned long flags)
 {
 	struct vm_area_struct *vma;
+	unsigned long check_len;
 
 	if (addr & ~PAGE_MASK)
 		return -EINVAL;
@@ -195,8 +196,9 @@
 		if (locked > current->rlim[RLIMIT_MEMLOCK].rlim_cur)
 			return -EAGAIN;
 	}
-	if ((current->mm->total_vm << PAGE_SHIFT) + (new_len - old_len)
-	    > current->rlim[RLIMIT_AS].rlim_cur)
+	check_len = (current->mm->total_vm << PAGE_SHIFT) +(new_len - old_len);
+	if (check_len > current->rlim[RLIMIT_AS].rlim_cur ||
+		check_len > current->rlim[RLIMIT_DATA].rlim_cur)
 		return -ENOMEM;
 	/* Private writable mapping? Check memory availability.. */
 	if ((vma->vm_flags & (VM_SHARED | VM_WRITE)) == VM_WRITE) {

 -Scott Doty