linux-mm.kvack.org archive mirror
* [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events)
       [not found] <E1Hp5PV-0001Bn-00@calista.eckenfels.net>
@ 2007-05-19 10:33 ` Andrea Righi
  2007-05-21  3:31   ` Andrew Morton
  0 siblings, 1 reply; 10+ messages in thread
From: Andrea Righi @ 2007-05-19 10:33 UTC (permalink / raw)
  To: Bernd Eckenfels
  Cc: linux-kernel, Rik van Riel, linux-mm, Ingo Molnar, Andrew Morton

Bernd Eckenfels wrote:
> In article <464DCEAB.3090905@users.sourceforge.net> you wrote:
>>        printk("%s/%d: potentially unexpected fatal signal %d.\n",
>>                current->comm, current->pid, signr);
> 
> can we have both KERN_WARNING please?
> 
> Gruss
> Bernd

Depends on print_fatal_signals patch.

---

Limit the rate of print_fatal_signal() to avoid potential denial-of-service
attacks.

Signed-off-by: Andrea Righi <a.righi@cineca.it>

diff -urpN linux-2.6.22-rc1-mm1/kernel/signal.c linux-2.6.22-rc1-mm1-vm-log-enomem/kernel/signal.c
--- linux-2.6.22-rc1-mm1/kernel/signal.c	2007-05-19 11:25:24.000000000 +0200
+++ linux-2.6.22-rc1-mm1-vm-log-enomem/kernel/signal.c	2007-05-19 11:30:00.000000000 +0200
@@ -790,7 +790,10 @@ static void print_vmas(void)
 
 static void print_fatal_signal(struct pt_regs *regs, int signr)
 {
-	printk("%s/%d: potentially unexpected fatal signal %d.\n",
+	if (unlikely(!printk_ratelimit()))
+		return;
+
+	printk(KERN_WARNING "%s/%d: potentially unexpected fatal signal %d.\n",
 		current->comm, current->pid, signr);
 
 #ifdef __i386__
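Review bot: the early `return` at the top of print_fatal_signal() discards the whole report when the limit trips, including the arch-specific part that begins at `#ifdef __i386__`, and the changelog should say so. printk_ratelimit() draws on one budget shared by all of its callers, so unrelated kernel messages can exhaust it and the fatal-signal report for the process being debugged is the one that gets dropped. Consider stating that trade-off in the description, or making the limit optional for debugging sessions where every report matters.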

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>


* Re: [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events)
  2007-05-19 10:33 ` [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events) Andrea Righi
@ 2007-05-21  3:31   ` Andrew Morton
  2007-05-21 10:44     ` [PATCH 1/2] limit print_fatal_signal() rate Andrea Righi
  2007-05-24  7:58     ` [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events) Ingo Molnar
  0 siblings, 2 replies; 10+ messages in thread
From: Andrew Morton @ 2007-05-21  3:31 UTC (permalink / raw)
  To: righiandr
  Cc: Bernd Eckenfels, linux-kernel, Rik van Riel, linux-mm, Ingo Molnar

On Sat, 19 May 2007 12:33:04 +0200 (MEST) Andrea Righi <righiandr@users.sourceforge.net> wrote:

> Bernd Eckenfels wrote:
> > In article <464DCEAB.3090905@users.sourceforge.net> you wrote:
> >>        printk("%s/%d: potentially unexpected fatal signal %d.\n",
> >>                current->comm, current->pid, signr);
> > 
> > can we have both KERN_WARNING please?
> > 
> > Gruss
> > Bernd
> 
> Depends on print_fatal_signals patch.
> 
> ---
> 
> Limit the rate of print_fatal_signal() to avoid potential denial-of-service
> attacks.
> 
> Signed-off-by: Andrea Righi <a.righi@cineca.it>
> 
> diff -urpN linux-2.6.22-rc1-mm1/kernel/signal.c linux-2.6.22-rc1-mm1-vm-log-enomem/kernel/signal.c
> --- linux-2.6.22-rc1-mm1/kernel/signal.c	2007-05-19 11:25:24.000000000 +0200
> +++ linux-2.6.22-rc1-mm1-vm-log-enomem/kernel/signal.c	2007-05-19 11:30:00.000000000 +0200
> @@ -790,7 +790,10 @@ static void print_vmas(void)
>  
>  static void print_fatal_signal(struct pt_regs *regs, int signr)
>  {
> -	printk("%s/%d: potentially unexpected fatal signal %d.\n",
> +	if (unlikely(!printk_ratelimit()))
> +		return;
> +
> +	printk(KERN_WARNING "%s/%d: potentially unexpected fatal signal %d.\n",
>  		current->comm, current->pid, signr);
>  
>  #ifdef __i386__
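Review bot: the changelog mentions only the rate limit, but the `printk()` call in print_fatal_signal() also gains an explicit `KERN_WARNING` level. That is a separate behavioural change, since the level decides which consoles and log filters see the message, and it deserves its own sentence in the description.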

Well OK.  But vdso-print-fatal-signals.patch is designated not-for-mainline
anyway.

I think the DoS which you identify has been available for a very long time
on ia64, x86_64 and perhaps others.



* Re: [PATCH 1/2] limit print_fatal_signal() rate
  2007-05-21  3:31   ` Andrew Morton
@ 2007-05-21 10:44     ` Andrea Righi
  2007-05-24  7:58     ` [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events) Ingo Molnar
  1 sibling, 0 replies; 10+ messages in thread
From: Andrea Righi @ 2007-05-21 10:44 UTC (permalink / raw)
  To: Andrew Morton
  Cc: Bernd Eckenfels, linux-kernel, Rik van Riel, linux-mm, Ingo Molnar

Andrew Morton wrote:
> Well OK.  But vdso-print-fatal-signals.patch is designated not-for-mainline
> anyway.
> 
> I think the DoS which you identify has been available for a very long time
> on ia64, x86_64 and perhaps others.
> 

For the mainline a fix could be the following...

---

Limit the rate of the kernel logging for the segfaults of user applications, to
avoid potential message floods or denial-of-service attacks.

Signed-off-by: Andrea Righi <a.righi@cineca.it>

diff -urpN linux-2.6.22-rc2/arch/avr32/mm/fault.c linux-2.6.22-rc2-limit-segfaults-printk-rate/arch/avr32/mm/fault.c
--- linux-2.6.22-rc2/arch/avr32/mm/fault.c	2007-05-19 13:11:30.000000000 +0200
+++ linux-2.6.22-rc2-limit-segfaults-printk-rate/arch/avr32/mm/fault.c	2007-05-21 11:48:37.000000000 +0200
@@ -158,7 +158,7 @@ bad_area:
 	up_read(&mm->mmap_sem);
 
 	if (user_mode(regs)) {
-		if (exception_trace)
+		if (exception_trace && printk_ratelimit())
 			printk("%s%s[%d]: segfault at %08lx pc %08lx "
 			       "sp %08lx ecr %lu\n",
 			       is_init(tsk) ? KERN_EMERG : KERN_INFO,
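Review bot: in the `bad_area` path the new `printk_ratelimit()` test also gates the message printed at KERN_EMERG for init (`is_init(tsk) ? KERN_EMERG : KERN_INFO`), so a flood of ordinary segfaults can suppress the one report that says init itself faulted. Suggest exempting that case, for example `exception_trace && (is_init(tsk) || printk_ratelimit())`.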
diff -urpN linux-2.6.22-rc2/arch/x86_64/mm/fault.c linux-2.6.22-rc2-limit-segfaults-printk-rate/arch/x86_64/mm/fault.c
--- linux-2.6.22-rc2/arch/x86_64/mm/fault.c	2007-05-21 11:42:07.000000000 +0200
+++ linux-2.6.22-rc2-limit-segfaults-printk-rate/arch/x86_64/mm/fault.c	2007-05-21 11:45:55.000000000 +0200
@@ -489,7 +489,8 @@ bad_area_nosemaphore:
 		    (address >> 32))
 			return;
 
-		if (exception_trace && unhandled_signal(tsk, SIGSEGV)) {
+		if (exception_trace && unhandled_signal(tsk, SIGSEGV) &&
+		    printk_ratelimit()) {
 			printk(
 		       "%s%s[%d]: segfault at %016lx rip %016lx rsp %016lx error %lx\n",
 					tsk->pid > 1 ? KERN_INFO : KERN_EMERG,
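Review bot: the changelog speaks of "the segfaults of user applications" in general, yet the patch ends after this `bad_area_nosemaphore` change and touches only avr32 and x86_64, while the message it answers names ia64 as well. Either extend the series to the remaining architectures that log user faults or narrow the description to the two covered here.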


* Re: [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events)
  2007-05-21  3:31   ` Andrew Morton
  2007-05-21 10:44     ` [PATCH 1/2] limit print_fatal_signal() rate Andrea Righi
@ 2007-05-24  7:58     ` Ingo Molnar
  2007-05-24  8:15       ` Andrew Morton
                         ` (2 more replies)
  1 sibling, 3 replies; 10+ messages in thread
From: Ingo Molnar @ 2007-05-24  7:58 UTC (permalink / raw)
  To: Andrew Morton
  Cc: righiandr, Bernd Eckenfels, linux-kernel, Rik van Riel, linux-mm

* Andrew Morton <akpm@linux-foundation.org> wrote:

> Well OK.  But vdso-print-fatal-signals.patch is designated 
> not-for-mainline anyway.

btw., why? It's very, very useful to distro, early-boot-userspace and 
glibc development. The only add-on change should be to not print SIGKILL 
events. Otherwise it's very much a keeper. Hm?

	Ingo


* Re: [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events)
  2007-05-24  7:58     ` [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events) Ingo Molnar
@ 2007-05-24  8:15       ` Andrew Morton
  2007-05-24  9:55         ` Ingo Molnar
  2007-05-24  8:50       ` [PATCH 1/2] limit print_fatal_signal() rate Andrea Righi
  2007-05-24  9:57       ` [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events) Ingo Molnar
  2 siblings, 1 reply; 10+ messages in thread
From: Andrew Morton @ 2007-05-24  8:15 UTC (permalink / raw)
  To: Ingo Molnar
  Cc: righiandr, Bernd Eckenfels, linux-kernel, Rik van Riel, linux-mm

On Thu, 24 May 2007 09:58:35 +0200 Ingo Molnar <mingo@elte.hu> wrote:

> 
> * Andrew Morton <akpm@linux-foundation.org> wrote:
> 
> > Well OK.  But vdso-print-fatal-signals.patch is designated 
> > not-for-mainline anyway.
> 
> btw., why?

err, because that's what I decided a year ago.  I wonder why ;)

Perhaps because of the DoS thing, but it has a /proc knob and defaults to
off, so it should be OK.

> It's very, very useful to distro, early-boot-userspace and 
> glibc development. The only add-on change should be to not print SIGKILL 
> events. Otherwise it's very much a keeper. Hm?
> 

<promotes it>


* Re: [PATCH 1/2] limit print_fatal_signal() rate
  2007-05-24  7:58     ` [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events) Ingo Molnar
  2007-05-24  8:15       ` Andrew Morton
@ 2007-05-24  8:50       ` Andrea Righi
  2007-05-24  9:58         ` Ingo Molnar
  2007-05-24  9:57       ` [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events) Ingo Molnar
  2 siblings, 1 reply; 10+ messages in thread
From: Andrea Righi @ 2007-05-24  8:50 UTC (permalink / raw)
  To: Ingo Molnar
  Cc: Andrew Morton, Bernd Eckenfels, linux-kernel, Rik van Riel, linux-mm

Ingo Molnar wrote:
> * Andrew Morton <akpm@linux-foundation.org> wrote:
> 
>> Well OK.  But vdso-print-fatal-signals.patch is designated 
>> not-for-mainline anyway.
> 
> btw., why? It's very, very useful to distro, early-boot-userspace and 
> glibc development. The only add-on change should be to not print SIGKILL 
> events. Otherwise it's very much a keeper. Hm?
> 

Actually it seems that SIGKILLs are not printed. In get_signal_to_deliver() we have:

[snip]
@@ -1843,6 +1879,8 @@ relock:
 		 * Anything else is fatal, maybe with a core dump.
 		 */
 		current->flags |= PF_SIGNALED;
+		if ((signr != SIGKILL) && print_fatal_signals)
+			print_fatal_signal(regs, signr);
 		if (sig_kernel_coredump(signr)) {
 			/*
 			 * If it was able to dump core, this kills all
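Review bot: the `signr != SIGKILL` exclusion lives at this call site in get_signal_to_deliver() rather than inside print_fatal_signal(), so any later caller of the helper has to remember to repeat it. Moving the test into print_fatal_signal(), or adding a one-line comment here saying why SIGKILL is skipped, would keep the rule in one place.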
[snip]

-Andrea


* Re: [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events)
  2007-05-24  8:15       ` Andrew Morton
@ 2007-05-24  9:55         ` Ingo Molnar
  2007-05-24 16:23           ` Andrew Morton
  0 siblings, 1 reply; 10+ messages in thread
From: Ingo Molnar @ 2007-05-24  9:55 UTC (permalink / raw)
  To: Andrew Morton
  Cc: righiandr, Bernd Eckenfels, linux-kernel, Rik van Riel, linux-mm

* Andrew Morton <akpm@linux-foundation.org> wrote:

> On Thu, 24 May 2007 09:58:35 +0200 Ingo Molnar <mingo@elte.hu> wrote:
> 
> > 
> > * Andrew Morton <akpm@linux-foundation.org> wrote:
> > 
> > > Well OK.  But vdso-print-fatal-signals.patch is designated 
> > > not-for-mainline anyway.
> > 
> > btw., why?
> 
> err, because that's what I decided a year ago.  I wonder why ;)
> 
> Perhaps because of the DoS thing, but it has a /proc knob and defaults 
> to off, so it should be OK.

yeah. There's also a boot option. To address the DoS angle, should i 
make it optionally printk_ratelimit() perhaps? (although often the 
messages come in streams and skipping a message can be annoying)

> > It's very, very useful to distro, early-boot-userspace and glibc 
> > development. The only add-on change should be to not print SIGKILL 
> > events. Otherwise it's very much a keeper. Hm?
> 
> <promotes it>

thanks :-)

	Ingo


* Re: [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events)
  2007-05-24  7:58     ` [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events) Ingo Molnar
  2007-05-24  8:15       ` Andrew Morton
  2007-05-24  8:50       ` [PATCH 1/2] limit print_fatal_signal() rate Andrea Righi
@ 2007-05-24  9:57       ` Ingo Molnar
  2 siblings, 0 replies; 10+ messages in thread
From: Ingo Molnar @ 2007-05-24  9:57 UTC (permalink / raw)
  To: Andrew Morton
  Cc: righiandr, Bernd Eckenfels, linux-kernel, Rik van Riel, linux-mm

* Ingo Molnar <mingo@elte.hu> wrote:

> [...] The only add-on change should be to not print SIGKILL events.

ah, that's already included in the version in -mm.

admittedly, the #ifdef __i386__ is quite lame, but there's no generic 
safely-try-to-show-code-at-addr function available at the moment.

	Ingo


* Re: [PATCH 1/2] limit print_fatal_signal() rate
  2007-05-24  8:50       ` [PATCH 1/2] limit print_fatal_signal() rate Andrea Righi
@ 2007-05-24  9:58         ` Ingo Molnar
  0 siblings, 0 replies; 10+ messages in thread
From: Ingo Molnar @ 2007-05-24  9:58 UTC (permalink / raw)
  To: Andrea Righi
  Cc: Andrew Morton, Bernd Eckenfels, linux-kernel, Rik van Riel, linux-mm

* Andrea Righi <righiandr@users.sourceforge.net> wrote:

> Actually it seems that SIGKILLs are not printed. In 
> get_signal_to_deliver() we have:
> 
> [snip]
> @@ -1843,6 +1879,8 @@ relock:
>  		 * Anything else is fatal, maybe with a core dump.
>  		 */
>  		current->flags |= PF_SIGNALED;
> +		if ((signr != SIGKILL) && print_fatal_signals)
> +			print_fatal_signal(regs, signr);

yeah. Either i implemented that and forgot, or someone else implemented 
it. :)

	Ingo


* Re: [PATCH 1/2] limit print_fatal_signal() rate (was: [RFC] log out-of-virtual-memory events)
  2007-05-24  9:55         ` Ingo Molnar
@ 2007-05-24 16:23           ` Andrew Morton
  0 siblings, 0 replies; 10+ messages in thread
From: Andrew Morton @ 2007-05-24 16:23 UTC (permalink / raw)
  To: Ingo Molnar
  Cc: righiandr, Bernd Eckenfels, linux-kernel, Rik van Riel, linux-mm

On Thu, 24 May 2007 11:55:03 +0200 Ingo Molnar <mingo@elte.hu> wrote:

> 
> * Andrew Morton <akpm@linux-foundation.org> wrote:
> 
> > On Thu, 24 May 2007 09:58:35 +0200 Ingo Molnar <mingo@elte.hu> wrote:
> > 
> > > 
> > > * Andrew Morton <akpm@linux-foundation.org> wrote:
> > > 
> > > > Well OK.  But vdso-print-fatal-signals.patch is designated 
> > > > not-for-mainline anyway.
> > > 
> > > btw., why?
> > 
> > err, because that's what I decided a year ago.  I wonder why ;)
> > 
> > Perhaps because of the DoS thing, but it has a /proc knob and defaults 
> > to off, so it should be OK.
> 
> yeah. There's also a boot option. To address the DoS angle, should i 
> make it optionally printk_ratelimit() perhaps? (although often the 
> messages come in streams and skipping a message can be annoying)

I don't think so, really.  It takes a deliberate act to turn the thing
on, after all.

If we _were_ concerned about the logspam then it might be better to make the
feature turn itself off after 100 messages, rather than ratelimiting it.


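The two throttling policies weighed in this thread, compared in a user-space C simulation that is an added example and not code from the thread or the kernel: a token bucket modeled on printk_ratelimit() against a feature that turns itself off after 100 messages. The 5-second interval and burst of 10 are assumed defaults, and the workloads and all names are constructed for illustration.

```c
#include <stdio.h>

/* Token bucket modeled on printk_ratelimit(). Times are in milliseconds;
 * the 5000 ms interval and burst of 10 are assumed defaults. */
struct bucket { long toks, last, interval, burst; };

static int ratelimit_ok(struct bucket *b, long now)
{
	b->toks += now - b->last;		/* earn one token unit per ms */
	b->last = now;
	if (b->toks > b->burst * b->interval)	/* never bank more than a burst */
		b->toks = b->burst * b->interval;
	if (b->toks >= b->interval) {		/* one message costs one interval */
		b->toks -= b->interval;
		return 1;
	}
	return 0;
}

/* Hard cap: logging switches itself off after `max` messages. */
static int cap_ok(long *left)
{
	if (*left <= 0)
		return 0;
	(*left)--;
	return 1;
}

/* Constructed workload: `count` fatal signals, one every `period_ms`. */
long emitted_ratelimit(long count, long period_ms)
{
	struct bucket b = { 10 * 5000, 0, 5000, 10 };
	long n = 0;
	for (long i = 0; i < count; i++)
		n += ratelimit_ok(&b, i * period_ms);
	return n;
}

long emitted_cap(long count, long max)
{
	long left = max, n = 0;
	for (long i = 0; i < count; i++)
		n += cap_ok(&left);
	return n;
}

int main(void)
{
	printf("flood: ratelimit=%ld cap=%ld\n",
	       emitted_ratelimit(3600000, 1), emitted_cap(3600000, 100));
	printf("burst: ratelimit=%ld cap=%ld\n",
	       emitted_ratelimit(30, 0), emitted_cap(30, 100));
	return 0;
}
```

On the constructed one-hour flood (one fault per millisecond) the token bucket lets 729 messages through and would keep going, while the cap stops at 100. On a 30-message burst the bucket drops 20 messages that the cap would have kept.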