Linux file locking - sigprocmask() issues

From: Trent Lloyd (lathiat_at_bur.st)
Date: 04/19/04

    Date: Tue, 20 Apr 2004 03:35:46 +0800
    To: INCIDENTS@SECURITYFOCUS.COM
    
    

    Hi Guys,

    Suddenly today, out of the blue, two of our production 2.4.24-grsec1 Linux
    servers decided to have locking problems. After messing around for a bit,
    I discovered, looking at an strace of 'dotlockfile', that it was spinning
    on sigprocmask, which jogged my memory of the DoS that was posted to
    bugtraq a few days ago (see http://bur.st/~lathiat/sigprocmask).

    I tried the DoS on my local machine and found the same symptoms, so
    we updated to 2.4.26-grsec2 and rebooted, and they worked fine for a few
    minutes, but then both machines started doing it. Anyone know if this DoS
    was fixed in 2.4.26?

    At first I had suspected a DoS, but after extensive searching of people's
    homedirs/logs I couldn't find any evidence, and when it started on the
    second server after the upgrade, no users had logged in, and there were
    no @reboot cron entries.

    I cannot seem to figure out how to stop this happening, or if it's
    malicious. We haven't had the problem till now - the only thing I can
    think of is it's being triggered by NFS (note though that the locking fails
    on both NFS and local filesystems when it's broken) - the NFS goes under
    fairly high load but it has worked flawlessly forever, since we first
    started using our servers in a similar setup in 1998 (although numerous
    reinstalls and hardware changes have happened recently, none of them
    recent).

    I'm at a loss as to what's causing it or how to fix it. Has anyone had this
    problem? FWIW I'm running Debian Woody (stable) on a now 2.4.26-grsec2 kernel,
    2.4.24-grsec1 did the same, and I can't find any visible exploits by users as
    mentioned above. Have I missed something? Perhaps it is a remotely
    triggerable DoS - we run httpd (apache), pop3 (tpop3d), imap (dovecot),
    dns (bind9), mail (postfix), ssh (openssh), nntp (nntpcache) and NFS.

    Cheers,
    Trent
    Technical Staff, Bur.st Networking Inc.

    -- 
    Need advertising? Want to reach your consumer? For just $200 you can have
    your advertisement in my signature for 2 months! cheap, just call 1800-SIGADS