Re: Linux inode.i_count overflow

Pavel Machek (pavel@elf.ucw.cz)
Wed, 14 Jan 1998 22:31:42 +0100


Hi!

> > Member i_count in struct inode contains the usage count. It is of type
> > unsigned short, which is only 16-bit long on i386. Unfortunately, it
> > is not enough. You can make it overflow by mapping one file many
> > times:
>
> Making i_count unsigned long fixes this (I'm sure it's simple enough not to
> need a patch). This should be in 2.0.34

Ok, it is simple, but *PLEASE* post that patch anyway.

Also, I do not like that solution. It expands the structure a bit. Is it
possible to do overflow detection (if (i_count > 32000) return
EOPIMPOSSIBLEBECAUSEIDONTLIKEYOU?)? Even killing the process with -9 would be
enough, I believe.

Also, how resistant is 2.1.79 to this kind of attack?

> This seems to be a generic Unix bug. I brought down our SGI with that
> program, and netbsd also seems to jam solid. The general vulnerability
> is going to be the same on all OS's (anyone got an NT port ?) or want
> to make a summary table.

Ok, but I believe that even generic linux bugs should be solved. Well,
my solution would be to go for mixie ;-). I believe that this is hard
to do. Actually, it may be impossible before Jakub Jelinek finishes his
work on deallocating page tables early.

Pavel

-- 
I'm really pavel@atrey.karlin.mff.cuni.cz. 	   Pavel
Look at http://atrey.karlin.mff.cuni.cz/~pavel/ ;-).
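Added example, not from the thread or from the kernel source: a constructed model of the 16-bit i_count discussed above, showing how an unchecked increment wraps to zero and how the overflow check Pavel asks about (a hypothetical limit of 32000, hypothetical function names) refuses further references instead.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of the inode use count as it was on i386 in the thread:
 * an unsigned short, so the 65536th reference wraps it back to zero, and a
 * zero count makes a still-mapped inode look unused to the release path. */
struct inode16 {
    unsigned short i_count;
};

/* Unchecked increment, as the original kernel code did: wraps silently. */
static void iget_unchecked(struct inode16 *ino) { ino->i_count++; }

/* Checked increment, the overflow-detection alternative Pavel proposes.
 * Hypothetical limit and name; refuses the reference and reports an error
 * that the caller must propagate instead of wrapping. */
#define I_COUNT_LIMIT 32000
static int iget_checked(struct inode16 *ino) {
    if (ino->i_count >= I_COUNT_LIMIT)
        return -EMFILE;   /* any errno works; the thread jokes about the name */
    ino->i_count++;
    return 0;
}

/* Count left in the inode after n unchecked references taken from zero. */
static unsigned int count_after_unchecked(unsigned int n) {
    struct inode16 ino = {0};
    for (unsigned int i = 0; i < n; i++)
        iget_unchecked(&ino);
    return ino.i_count;
}

/* Number of checked references that succeed out of n attempts from zero. */
static unsigned int successful_checked(unsigned int n) {
    struct inode16 ino = {0};
    unsigned int ok = 0;
    for (unsigned int i = 0; i < n; i++)
        if (iget_checked(&ino) == 0)
            ok++;
    return ok;
}

int main(void) {
    printf("65536 unchecked grabs leave i_count = %u\n",
           count_after_unchecked(65536));
    printf("%u of 70000 checked grabs succeed\n", successful_checked(70000));
    return 0;
}
```

Widening i_count to unsigned long, the fix the quoted reply proposes, removes the wrap for any practical number of mappings; the check above is the alternative that keeps the struct size unchanged.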