Re: Bug in VM accounting code, probably exploitable

From: Marcelo Tosatti
Date: Thu May 20 2004 - 14:43:57 EST


On Tue, May 11, 2004 at 11:50:27PM +0400, Stas Sergeev wrote:
>
> Hello.
>
> As far as I know, if overcommit is
> disabled, the OOM kill should never
> happen.
> It seems to be a bug in the Linux
> kernel though (any version I think,
> probably also including 2.4.x), which
> makes it possible to overcommit almost
> arbitrarily and provoke an OOM kill
> afterwards.
> Attached is a program that demonstrates
> the bug. Don't forget to "swapoff -a"
> before starting it, or touching pages
> will take an eternity. And the amount of
> RAM must be <1Gb, or the prog will not
> work:)
>
> On 2.4.25 I get:
> ---
> May 11 22:28:18 lin kernel: __alloc_pages: 0-order allocation failed
> (gfp=0x1d2/0)
> May 11 22:28:20 lin syslogd: /var/log/debug: Cannot allocate memory
> May 11 22:28:18 lin kernel: VM: killing process mozilla-bin
> May 11 22:28:18 lin kernel: __alloc_pages: 0-order allocation failed
> (gfp=0x1f0/0)
> May 11 22:28:20 lin kernel: __alloc_pages: 0-order allocation failed
> (gfp=0x1d2/0)
> May 11 22:28:21 lin kernel: __alloc_pages: 0-order allocation failed
> (gfp=0x1d2/0)
> May 11 22:28:21 lin kernel: VM: killing process X
> May 11 22:28:21 lin gnome-name-server[1254]: input condition is: 0x11,
> exiting
> May 11 22:29:00 lin kernel: __alloc_pages: 0-order allocation failed
> (gfp=0x1d2/0)
> May 11 22:29:00 lin kernel: VM: killing process overc_test
> ---
> As you can see, the program caused many
> other processes to be killed, before it
> died itself.

About v2.4, can you try v2.4.26 with CONFIG_OOM_KILLER=y ?

As for the overcommit, I think it has always been "broken"? (it's always
possible to overcommit).
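
As an added example (not part of the original thread, and not the attached test program), one way to triage the 2.4.25 log excerpt quoted above: it rejoins the mail-wrapped `(gfp=...)` continuation lines, counts the allocation failures, and lists which processes the kernel killed before the suspect process. The function names and the `suspect` parameter are assumptions of this example; the log lines are copied from the message.

```python
import re

# Log excerpt as quoted in the message above (2.4.25), mail wrapping kept.
SAMPLE = """\
May 11 22:28:18 lin kernel: __alloc_pages: 0-order allocation failed
(gfp=0x1d2/0)
May 11 22:28:20 lin syslogd: /var/log/debug: Cannot allocate memory
May 11 22:28:18 lin kernel: VM: killing process mozilla-bin
May 11 22:28:18 lin kernel: __alloc_pages: 0-order allocation failed
(gfp=0x1f0/0)
May 11 22:28:20 lin kernel: __alloc_pages: 0-order allocation failed
(gfp=0x1d2/0)
May 11 22:28:21 lin kernel: __alloc_pages: 0-order allocation failed
(gfp=0x1d2/0)
May 11 22:28:21 lin kernel: VM: killing process X
May 11 22:28:21 lin gnome-name-server[1254]: input condition is: 0x11,
exiting
May 11 22:29:00 lin kernel: __alloc_pages: 0-order allocation failed
(gfp=0x1d2/0)
May 11 22:29:00 lin kernel: VM: killing process overc_test
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
KILL = re.compile(r"kernel: VM: killing process (\S+)")
FAIL = re.compile(r"kernel: __alloc_pages: (\d+)-order allocation failed "
                  r"\(gfp=(0x[0-9a-f]+)/")

def unwrap(text):
    """Strip '> ' quoting and glue lines without a timestamp onto the previous record."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line or line == "---":
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text, suspect):
    """Summarise allocation failures and the kill order relative to `suspect`."""
    records = unwrap(text)
    kills = [m.group(1) for r in records if (m := KILL.search(r))]
    fails = [(int(m.group(1)), m.group(2)) for r in records if (m := FAIL.search(r))]
    cut = kills.index(suspect) if suspect in kills else len(kills)
    return {"alloc_failures": len(fails), "gfp_masks": sorted({g for _, g in fails}),
            "kill_order": kills, "collateral": kills[:cut]}

if __name__ == "__main__":
    print(triage(SAMPLE, "overc_test"))
```

Records are kept in logged order rather than sorted by timestamp, since the excerpt itself shows syslog writing entries out of order under memory pressure.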