resource limit

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

resource limit

Postby devillinux » Fri Feb 28, 2003 11:42 am

Hey,

I'm getting the following message on my Lotus Domino Server (and the process fails):

Code: Select all
Feb 28 10:44:35 src@xxxxx kernel: grsec: attempted resource overstep by requesting 4294967295 for RLIMIT_LOCKS against limit 4294967295 by (http:2539) UID(1000) EUID(1000), parent (http:4353) UID(1000) EUID(1000)


The 2 numbers are identical so grsec shouldn't complain, or?

Regards
Heiko
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm

Postby spender » Fri Feb 28, 2003 10:21 pm

Here's the relevant code from the kernel. As you can see, grsecurity is reporting correctly. It seems though that current->locks is -1, (as an unsigned long it would be the number you reported)...so it's a bug in the application, as no app could hold that many locks.

if (account && current->locks >= current->rlim[RLIMIT_LOCKS].rlim_cur)
return NULL;

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby PaX Team » Sat Mar 01, 2003 7:48 am

spender wrote:Here's the relevant code from the kernel. As you can see, grsecurity is reporting correctly. It seems though that current->locks is -1, (as an unsigned long it would be the number you reported)...so it's a bug in the application, as no app could hold that many locks.

if (account && current->locks >= current->rlim[RLIMIT_LOCKS].rlim_cur)
return NULL;
then the kernel is likely wrong. here's the even more relevant code from include/asm-i386/resource.h:

Code: Select all
#define RLIM_INFINITY   (~0UL)


that is, before evaluating rlim_cur for >=, it should be checked against RLIM_INFINITY.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby spender » Sat Mar 01, 2003 11:22 am

True, but there still must be something wrong with the kernel or the app itself, since it is decrementing its lock count without it being incremented.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby devillinux » Sat Mar 01, 2003 12:58 pm

spender wrote:True, but there still must be something wrong with the kernel or the app itself, since it is decrementing its lock count without it being incremented.


What? :-?
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm

Postby spender » Sat Mar 01, 2003 11:19 pm

Well, from the code that I pasted, the value of current->locks must have been -1(unsigned). This leads me to believe there's a bug in the kernel (since it should be at least 0)

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby devillinux » Sun Mar 02, 2003 1:46 pm

spender wrote:Well, from the code that I pasted, the value of current->locks must have been -1(unsigned). This leads me to believe there's a bug in the kernel (since it should be at least 0)

Infinity is greater then 0, correct?
So I think PaX Team is right and you should check on it.

Heiko
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm

Postby spender » Sun Mar 02, 2003 1:56 pm

RLIM_INFINITY is the equivalent of -1 converted to an unsigned integer. I've updated grsecurity so that it doesn't bother logging if the limit is RLIM_INFINITY, but it should be noted that in this case, the kernel doesn't honor RLIM_INFINITY, so in your case the operation failed. So really, the original way I was implementing the logging was correct for this case. But the point that I was trying to make is that you should have never gotten that log unless there was a bug in the kernel that was decrementing the lock count without ever incrementing it. If you don't understand all this yet, there's no point in going over it again, as I've done repeatedly in the thread.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby devillinux » Sun Mar 02, 2003 2:14 pm

ok I'll shut up :wink:
devillinux
 
Posts: 30
Joined: Tue Dec 24, 2002 6:55 pm


Return to grsecurity support