Bug 74543 - Using kernel semaphores is problematic for hosting and makes denial of service attack easy.
Using kernel semaphores is problematic for hosting and makes denial of servic...
Product: Red Hat Linux
Classification: Retired
Component: mm (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
: Security
: 72158 74671 78134 78360 78922 110744 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2002-09-26 08:56 EDT by Michiel Toneman
Modified: 2014-01-21 17:48 EST (History)
13 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-12-12 06:19:08 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Michiel Toneman 2002-09-26 08:56:19 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020606

Description of problem:
The linux kernel only has 128 semaphore arrays total.

Each apache running uses up 4 of those. This makes running separate httpd's for
each customer on a hosting box problematic and hosting more than 32 sites this
way impossible. 

This is WAY below the capabilities of most hosting hardware. 

Additionally, since any user can now start an apache instance, this makes a DOS
attack trivial. 

The old version of apache+mm used files instead, which were written to /var/run.
I believe "null" does the right thing by reverting back to this behaviour, and
putting the semaphore files under ServerRoot.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run apache httpd as root
2. Check number of semaphore arrays in use using ipcs -s
3. Run additional httpds as non-root user
4. Check number of semaphore arrays in use using ipcs -s

Actual Results:  Semaphore arrays will fill up to the maximum 128

Starting additiona apache httpd will fail because there are no more semaphores

Additional info:

See also bug https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=70846 for
additional information + discussion.
Comment 1 K. Spoon 2002-10-09 17:10:03 EDT

I was going to submit a bug report for this as well.  We've seen a number of
customers having problems with high traffic web apps on 7.X getting stuff like:

Starting httpd: Ouch! ap_mm_create(1048576, "/var/run/httpd.mm.20330") failed
Error: MM: mm:core: failed to acquire semaphore (No space left on device): 
OS: Identifier removed

Would it be possible to do something like setup the mm spec file to create an
RPM for ipcsem compiled mm and another one for fcntl and then use something like
alternatives to let the user decide which one to use?  In the case of 7.2, I
think that fcntl should be used as the default since that's what the distro
shipped with.
Comment 2 John Newbigin 2002-10-16 04:32:15 EDT
You can increase the number of semaphores by setting a parameter in /proc. 
Under RedHat, add the following to /etc/sysctl.conf
kernel.sem = 250 32000 100 256

The last number is the number of semaphore arrays (default is 128).
After editing /etc/sysctl.conf run
sysctl -p
Comment 3 Kevin M. Myer 2002-10-22 15:45:39 EDT
This is the same bug as described in #72158.  I just ran across it today for the
first, triggered apparently by a large number of apache restarts yesterday while
I was bringing a new config up.  Using sysctl to increase the maximum number of
semaphores temporarily solves the problem, at least for however long it takes
for the number of semaphores to reach that maximum again.

Bug #72158 was opened in late August, this bug was opened in late September and
I didn't see any Red Hat response to either yet - both are still set at NEW.  Is
there going to be any real errata/patches to fix this problem or are we just
sitting out there with a known bug but no hope for support (except maybe
upgrading to Apache 2.X which does away with mm but has other problems, like PHP

Just curious - it doesn't seem to be an isolated incident (affects at least all
7.X Red Hat releases), its reproducible, and the silence about a real fix is
deafening.  Maybe I'll have to look at the 1.1.3-4 -> 1.1.3-8 diff and see if
there's anything obvious - anyone have any bright ideas?
Comment 4 Jon Benson 2002-10-24 21:12:58 EDT
As noted in the initial description there is further information under Bug 
70846.  In that bug someone from RedHat requested a separate bug report 
specific to mm.  Well this is a separate bug report but appears to be receiving 
no attention from anyone at RedHat?!

Also as this is a DOS issue can whoever has control of such things please 
elevate this to High priority and Security severity in the hope that someone at 
RedHat actually takes some notice of this.
Comment 5 Peter Collinson 2002-11-09 04:33:57 EST
This is a huge problem. The SysV IPC objects have always been a complete

I've opted to recompile and reload the mm library.
./configure --with-shm=MMANON --with-sem=FLOCK 
Would be nice if you could impose the order of search in ldconfig so you could
the system settings by loading things into /usr/local/lib without having to
disturb existing

I still get one semaphore from httpd.
Comment 6 Joe Orton 2002-12-03 11:30:27 EST
*** Bug 78922 has been marked as a duplicate of this bug. ***
Comment 7 Joe Orton 2002-12-09 09:22:48 EST
http://people.redhat.com/jorton/7.x-mm/ for unsupported RPMs; errata currently
being prepared.
Comment 8 Joe Orton 2002-12-12 06:19:08 EST
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

Comment 9 Joe Orton 2002-12-13 11:44:41 EST
*** Bug 78019 has been marked as a duplicate of this bug. ***
Comment 10 Joe Orton 2002-12-13 11:49:10 EST
*** Bug 72158 has been marked as a duplicate of this bug. ***
Comment 11 Caniffe 2002-12-17 07:19:13 EST
*** Bug 78134 has been marked as a duplicate of this bug. ***
Comment 12 Joe Orton 2003-01-16 12:56:06 EST
*** Bug 74671 has been marked as a duplicate of this bug. ***
Comment 13 Joe Orton 2003-04-03 10:36:21 EST
*** Bug 78360 has been marked as a duplicate of this bug. ***
Comment 14 Nalin Dahyabhai 2005-09-13 19:20:13 EDT
*** Bug 110744 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.