Bug 57714

Summary: Possible DoS attack with Reiserfs and large files.
Product: [Retired] Red Hat Linux
Reporter: Gigs <jgiglio>
Component: kernel
Assignee: Stephen Tweedie <sct>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 7.2
Keywords: Security
Hardware: i386   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2002-12-18 19:37:02 UTC

Description Gigs 2001-12-19 23:57:23 UTC
Description of Problem:
I've found an apparent local (or possibly remote) DoS that is due to a bug somewhere in Reiserfs apparently.  Kernel version is stock RedHat 2.4.13smp.  Root fs is EXT3.  File system in question is a secondary storage fs that is software RAID0 over hardware RAID5 on 3ware cards.  Reiserfs partition is created on /dev/md0.

Attempting to create a file on the Reiser partition that is larger than 2GB will cause the process that is accessing that file to continue to write, but the file size as reported by df and ls maxes out at 2GB.  Once the process starts attempting to write past 2GB, it cannot be killed.  This means an unprivileged user can create many processes that cannot be killed by any means, except for a hardware reset of the system.  Reboot is impossible, as the processes will not die.  Attempts to rm this file will cause rm to hang with high cpu usage.  The filesystem with the large file on it must be destroyed to get rid of the file.

This could be a remote DoS in certain configurations.  IPCHAINS rules that log invalid packets, or similar logging with any remote application could be used to attempt to create large log files that would hang system, force hard boot, and damage filesystem.  Workaround would be to ensure that all logs cannot exceed 2GB under any circumstances, if they are written to Reiserfs.

Version-Release number of selected component (if applicable):
2.4.9-13smp #1 SMP Tue Oct 30 19:57:16 EST 2001 i686 unknown

How Reproducible:
Always, on system in question.  Was not able to get access to other systems with reiserfs to confirm.  Confirmed that EXT3 has no problem with big files in default Red Hat config.

Steps to Reproduce:
Create large reiserfs filesystem on 2.4.9-13smp
dd if=/dev/zero of=/storage/bigfile
Wait until file hits 2GB
Attempt to kill dd process or rm file.

Actual Results:
Hung processes with high cpu use, that cannot be killed by owner or root.
System must be hard booted, file system must be recreated.

Expected Results:
A big file of NULLs

Additional Information:
Contacted 3ware driver maintainer, he said problem was not with driver, and likely not with software RAID0 code, as those operate on the block level and are not aware of file sizes.  He suggested the file system as a likely culprit.

System is Red Hat 7.2 with all updates applied.
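
The workaround named in the description above (keep files written to Reiserfs from reaching 2GB) can be monitored with a check like the one below. It is an added example, not part of the original report: the 2^31-1 byte boundary, the 80% default and the function names are assumptions.

```shell
#!/bin/sh
# Added example: list files on ReiserFS mounts that are getting close to the
# 2GB size at which the report says writers hang on the affected kernel.

# Assumption: "2GB" in the report means the 2^31-1 byte boundary.
LIMIT_BYTES=2147483647

# reiserfs_mounts [MOUNTS_FILE]
# Print the mount point of every filesystem whose type is reiserfs.
# MOUNTS_FILE defaults to /proc/mounts (fields: device mountpoint fstype ...).
reiserfs_mounts() {
    awk '$3 == "reiserfs" { print $2 }' "${1:-/proc/mounts}"
}

# files_near_limit DIR [PERCENT] [LIMIT]
# Print every regular file under DIR whose size is at least PERCENT percent
# of LIMIT bytes. Paths containing newlines are not handled.
files_near_limit() {
    dir=$1
    pct=${2:-80}
    limit=${3:-$LIMIT_BYTES}
    threshold=$(( limit / 100 * pct ))
    # "-size +Nc" matches files larger than N bytes, so N = threshold - 1.
    # "-xdev" keeps find on the filesystem that DIR lives on.
    find "$dir" -xdev -type f -size +"$(( threshold - 1 ))"c -print
}

# scan_all [MOUNTS_FILE] [PERCENT]
# Run files_near_limit over every ReiserFS mount point.
scan_all() {
    reiserfs_mounts "${1:-/proc/mounts}" | while IFS= read -r mp; do
        files_near_limit "$mp" "${2:-80}"
    done
}
```

Calling `scan_all` from a periodic job and rotating or truncating whatever it prints keeps growing logs below the size the report identifies as the trigger.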

Comment 1 Gigs 2002-01-03 20:37:20 UTC
Confirmed bug on independent system.  The problem seems to be with ReiserFS as it is included in Red Hat's kernel 2.4.9-13, smp and up.

Comment 2 Alan Cox 2002-12-18 16:19:38 UTC
Should be fine in current 2.4.18 based kernels, please confirm.


Comment 3 Gigs 2002-12-18 19:37:02 UTC
No longer problem in 2.4.18-18-7.x, closing bug.