Date: Thu, 12 Jun 2003 20:46:39 +0200 (CEST)
From: Tony Gottfridsson <tony@expletus.se>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/53257: malloc() never returns 0
Message-ID: <200306121846.h5CIkdS64241@safe.mine.nu>
Resent-Message-ID: <200306121850.h5CIo9BL042654@freefall.freebsd.org>

>Number:         53257
>Category:       kern
>Synopsis:       malloc() never returns 0
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 12 11:50:08 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Tony Gottfridsson
>Release:        FreeBSD 4.5-RELEASE i386
>Organization:
Expletus
>Environment:
System: FreeBSD safe.mine.nu 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sat Apr 20 12:33:32 CEST 2002 root@safe.mine.nu:/usr/src/sys/compile/SAFE i386

>Description:
FreeBSD 4.5 malloc() never returns 0 and kills what seems to be random
processes, in my case apache seems to be the most likely process to get
killed first.

This process killing is out of security bounds, ie. normal user
malloc()ing forever can kill processes owned by root

I haven't found any info on this being solved in newer releases.

>How-To-Repeat:
togo@~$ cat usemem.c
#include <stdio.h>
#include <stdlib.h>

int main()
{
    char *ptr;
    int malloc_size=10000000;
    int i;

    puts("Starting to allocate memory like a wild");
    for (;;) {
        if ((ptr=(char *)malloc(malloc_size))==NULL) {
            puts("Got memory allocation failure");
            return 1;
        }
        for (i=0; i<malloc_size; i++)
            ptr[i]=0;
    }
    return 0;
}
togo@~$ ps -aux | grep httpd
root  63978  0.0  7.6  6896 4576  ??  Ss    8:01PM   0:00.13 /usr/local/sbin/httpd -DMOD_FP
www   63984  0.0  7.6  6912 4580  ??  I     8:01PM   0:00.00 /usr/local/sbin/httpd -DMOD_FP
togo@~$ ./usemem
Starting to allocate memory like a wild
Killed
togo@~$ su -
Password:
root@~# tail /var/log/messages
Jun 12 19:57:29 safe nmbd[248]: Unable to sync browse lists in this workgroup.
Jun 12 20:01:42 safe su: togo to root on /dev/ttyp0
Jun 12 20:03:44 safe /kernel: swap_pager_getswapspace: failed
Jun 12 20:03:45 safe last message repeated 8 times
Jun 12 20:03:45 safe /kernel: pid 63978 (httpd), uid 0, was killed: out of swap space
Jun 12 20:03:45 safe /kernel: pid 64000 (usemem), uid 1001, was killed: out of swap space
Jun 12 20:03:45 safe /kernel: pid 64000 (usemem), uid 1001, was killed: out of swap space
Jun 12 20:03:45 safe /kernel: pid 63984 (httpd), uid 80, was killed: out of swap space
Jun 12 20:03:45 safe last message repeated 7 times
Jun 12 20:04:00 safe su: togo to root on /dev/ttyp0
togo@~$
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
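
Added example, not part of the original report and not FreeBSD code: the usemem.c loop run in a child process under a per-process address-space limit, so that malloc() returns NULL at the cap instead of the machine running out of swap. The function name chunks_before_null, the 64 MiB cap and the use of RLIMIT_AS are assumptions of this example; the report does not say which resource limits FreeBSD 4.5 enforces.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHUNK 10000000UL   /* same malloc_size as usemem.c in the report */

/* Hypothetical helper (added example). Assumes the OS enforces RLIMIT_AS.
 * Returns how many chunks the child got before malloc() returned NULL;
 * -1 on setup error, -2 if the child was killed by a signal (the outcome
 * in the report), -3 if max_chunks (must be <= 253) was reached first. */
int chunks_before_null(unsigned long limit_bytes, int max_chunks)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: only it is limited */
        struct rlimit rl;
        int n = 0;
        rl.rlim_cur = rl.rlim_max = (rlim_t)limit_bytes;
        if (setrlimit(RLIMIT_AS, &rl) != 0)
            _exit(255);
        while (n < max_chunks) {
            char *p = malloc(CHUNK);
            if (p == NULL)
                _exit(n);                 /* failure is reported to the caller */
            memset(p, 0, CHUNK);          /* write to the block, as usemem.c does */
            n++;
        }
        _exit(254);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return -2;
    int code = WEXITSTATUS(status);
    if (code >= 254) return code == 255 ? -1 : -3;
    return code;
}

int main(void)
{
    int n = chunks_before_null(64UL * 1024 * 1024, 100);
    printf("malloc() returned NULL after %d chunks of %lu bytes\n", n, CHUNK);
    return n >= 0 ? 0 : 1;
}
```

The limit is applied inside the child only, so the parent and every other process on the host keep their own limits.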