Linux file locking - sigprocmask() issues

From: Trent Lloyd (lathiat_at_bur.st)
Date: 04/19/04

  • Next message: Shashank Rai: "Re: Strange set of TCP ports"
    Date: Tue, 20 Apr 2004 03:35:46 +0800
    To: INCIDENTS@SECURITYFOCUS.COM
    
    

    Hi Guys,

    Suddenly today, out of the blue, two of our production 2.4.24-grsec1 linux
    servers decided to have locking problems, after messing around for a bit
    I discovered looking at an strace of 'dotlockfile' that it was spinning
    on sigprocmask, which jogged my memory of the DoS that was posted to
    bugtraq a few days ago (see http://bur.st/~lathiat/sigprocmask).

    I tried the DoS on my local machine and found the same symptoms, so
    we updated to 2.4.26-grsec2 and rebooted, and worked fine for a few minutes,
    but then both machines started doing it. - anyone know if this DoS was
    fixed in 2.4.26?

    At first I had suspected a DoS but after extensive searching of peoples
    homedirs/logs I couldn't find any evidence, and when it started on the
    second server after the upgrade, no users had logged in, and there were
    no @reboot cron entries.

    I cannot seem to figure out how to stop this happening, or if its
    malicious, we havent' had the problem til now - the only thing I can
    think of is its being triggered by NFS (note tho that the locking fails
    on both NFS and local filesystems when its broken) - the NFS goes under
    fairly high load but it has worked flawlessly forever, since we first
    started using our servers in a similar setup in 1998 (although numerous
    reinstalls and hardware changes have happened recently, none of them
    recent).

    I'm at a loss as to whats causing it or how to fix, has anyone had this
    problem? FWIW I'm running Debian Woody (stable) on a now 2.4.26-grsec2 kernel,
    2.4.24-grsec1 did the same, and I can't find any visible exploits by users as
    mentioned above, have I missed something? Perhaps it is a remotely
    triggerable DoS - we run httpd (apache), pop3 (tpop3d), imap (dovecot),
    dns (bind9), mail (postfix), ssh (openssh), nntp (nntpcache) and NFS.

    Cheers,
    Trent
    Technical Staff, Bur.st Networking Inc.

    -- 
    Need advertising? Want to reach your consumer? For just $200 you can have
    your advertisement in my signature for 2 months! cheap, just call 1800-SIGADS
    ---------------------------------------------------------------------------
    ----------------------------------------------------------------------------
    

  • Next message: Shashank Rai: "Re: Strange set of TCP ports"