57714 – Possible DoS attack with Reiserfs and large files.

Bug 57714 - Possible DoS attack with Reiserfs and large files.

Summary: Possible DoS attack with Reiserfs and large files.

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	kernel
Sub Component:
Version:	7.2
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Stephen Tweedie
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2001-12-19 23:57 UTC by Gigs
Modified:	2007-04-18 16:38 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2002-12-18 19:37:02 UTC
Embargoed:

Attachments	(Terms of Use)

Description Gigs 2001-12-19 23:57:23 UTC

Description of Problem:
I've found an apparent local (or possibly remote) DoS that is
due to a bug somewhere in Reiserfs apparently. Kernel version is stock RedHat 2.4.13smp.
Root fs is EXT3. File system in question is a secondary storage fs that is software RAID0
over hardware RAID5 on 3ware cards. Reiserfs partition is created on
/dev/md0.

Attempting to create a file on the Reiser partition that is larger than 2GB
will cause the process that is accessing that file to continue to write, but the file size
as reported by df and ls maxes out at 2GB. Once the process starts attempting to write past
2GB, it cannot be killed. This means an unprivlidged user can create many processes that
cannot be killed by any means, except for a hardware reset of the system. Reboot is
impossible, as the processes will not die. Attempts to rm this file will cause rm to hang
with high cpu usage. The filesystem with the large file on it must be destroyed to get rid of
the file.

This could be a remote DoS in certain configurations. IPCHAINS rules that log
invalid packets, or similar logging with any remote application could be used to attempt
to create large log files that would hang system, force hard boot, and damage filesystem.
Workaround would be to ensure that all logs cannot exceed 2GB under any circumstances, if
they are written to Reiserfs.

Version-Release number of selected component (if
applicable):
2.4.9-13smp #1 SMP Tue Oct 30 19:57:16 EST 2001 i686 unknown

How
Reproducible:
Always, on system in question. Was not able to get access to other systems
with reiserfs to confirm. Confirmed that EXT3 has no problem with big files in default Red
Hat config.

Steps to Reproduce:
Create large reiserfs filesystem on 2.4.9-13smp
dd
if=/dev/zero of=/storage/bigfile
Wait until file hits 2GB
Attempt to kill dd process
or rm file.

Actual Results:
Hung processes with high cpu use, that cannot be killed by
owner or root.
System must be hard booted, file system must be recreated.

Expected
Results:
A big file of NULLs

Additional Information:
Contacted 3ware driver
maintainer, he said problem was not with driver, and likely not with software RAID0 code,
as those operate on the block level and are not aware of file sizes. He suggested the file
system as a likely culprit.

System is Red Hat 7.2 with all updates applied.

Comment 1 Gigs 2002-01-03 20:37:20 UTC

Confirmed bug on independant system.  The problem seems to be with ReiserFS as it is included in 
Red Hat's kernel 2.4.9-13, smp and up.

Comment 2 Alan Cox 2002-12-18 16:19:38 UTC

Should be fine in current 2.4.18 based kernels, please confirm.

Comment 3 Gigs 2002-12-18 19:37:02 UTC

No longer problem in 2.4.18-18-7.x, closing bug.

Note You need to log in before you can comment on or make changes to this bug.