Bugtraq mailing list archives

Re: local users can panic linux kernel (was: SuSE syslogd advisory)


From: Cy.Schubert () UUMAIL GOV BC CA (Cy Schubert - ITSD Open Systems Group)
Date: Tue, 23 Nov 1999 06:23:53 -0800


In message <199911201152.WAA08968 () cairo anu edu au>, Darren Reed writes:
> In some mail from Mixter, sie said:
> >
> > The impact of the syslogd Denial Of Service vulnerability seems to
> > be bigger than expected. I found that syslog could not be stopped from
> > responding by one or a few connections, since it uses select() calls
> > to synchronously manage the connections to /dev/log. I made an attempt
> > with the attached test code, which makes about 2000 connects to syslog,
> > using multiple processes, and my system instantly died with the message:
> > 'Kernel panic: can't push onto full stack'
>
> Given that most other platforms use datagram sockets (of one type or another)
> for syslog, can anyone explain the benefit of using streams sockets? FWIW,
> even the STREAMS driver used by Solaris has better operational properties
> than this (only one receiving device).
>
> A naive guess is to provide better reliability of sent messages.  Denial of
> Service issues (with datagram mode - flooding of packets) are still present,
> just different and are arguably more difficult to deal with for little
> overall gain.  I'd venture to say that in a friendly environment, there is
> no benefit in using stream sockets and in an unfriendly one, perhaps even
> disadvantages.

At the time the Linux syslogd was written (6+ years ago), Linux did not
support UNIX domain datagram sockets.  Now that it does support
datagram sockets, I suspect that no one has bothered to change syslogd
to use them.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert () uumail gov bc ca
ITSD                                   Cy.Schubert () gems8 gov bc ca
Province of BC
                      "e**(i*pi)+1=0"
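
The stream-versus-datagram point discussed in this thread, as an added example (not code from any of the posters or from syslogd): it counts how many descriptors a log receiver has to hold while n local clients stay connected, once for SOCK_STREAM and once for SOCK_DGRAM. The socket path under /tmp, the function names, the 64-client cap and the sample message are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#define MAX_CLIENTS 64

/* Bind a UNIX-domain socket of the given type to a constructed demo path
 * (a stand-in for /dev/log; the path is an assumption of this example). */
static int bind_demo(int type, struct sockaddr_un *sa) {
    int fd = socket(AF_UNIX, type, 0);
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    snprintf(sa->sun_path, sizeof sa->sun_path, "/tmp/logdemo-%d-%d", (int)getpid(), type);
    unlink(sa->sun_path);
    if (fd >= 0 && bind(fd, (struct sockaddr *)sa, sizeof *sa) == 0) return fd;
    if (fd >= 0) close(fd);
    return -1;
}

/* Count the descriptors a log receiver must hold while n clients stay
 * connected and each has delivered one message. Returns -1 on error. */
int receiver_fds(int type, int n) {
    struct sockaddr_un sa;
    int cli[MAX_CLIENTS], conn[MAX_CLIENTS], held = 1, i, ok = 1, srv;
    char buf[32];
    if (n < 0 || n > MAX_CLIENTS || (srv = bind_demo(type, &sa)) < 0) return -1;
    if (type == SOCK_STREAM && listen(srv, 8) < 0) ok = 0;
    for (i = 0; i < n; i++) cli[i] = conn[i] = -1;
    for (i = 0; ok && i < n; i++) {
        cli[i] = socket(AF_UNIX, type, 0);
        ok = cli[i] >= 0 && connect(cli[i], (struct sockaddr *)&sa, sizeof sa) == 0
             && write(cli[i], "<13>demo", 8) == 8;   /* constructed sample message */
        if (ok && type == SOCK_STREAM) {             /* stream: one new fd per client */
            conn[i] = accept(srv, NULL, NULL);
            if (conn[i] >= 0) held++;
        }
        /* datagram: every client's message arrives on the single bound socket */
        ok = ok && read(type == SOCK_STREAM ? conn[i] : srv, buf, sizeof buf) == 8;
    }
    /* unused slots are -1; close(-1) just fails with EBADF */
    for (i = 0; i < n; i++) { close(cli[i]); close(conn[i]); }
    close(srv); unlink(sa.sun_path);
    return ok ? held : -1;
}

int main(void) {
    printf("stream=%d dgram=%d\n", receiver_fds(SOCK_STREAM, 16), receiver_fds(SOCK_DGRAM, 16));
    return 0;
}
```

With stream sockets the receiver's descriptor count (and the set it passes to select()) grows with the number of connected clients; with datagram sockets it stays at one regardless of how many clients send.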

