Re: Re: MS Internet Explorer 7 Denial Of Service Exploit

[Glynn Clements <glynn () gclements plus com>]

craig () airnet net wrote:

> On Konqueror 3.5.9, what happens is that this childish code builds a
> huge string, eats memory, causes swapping, and finally blows away
> Konq. Linux and X and everything else stay up and recover nicely. 
> (Gentoo/AMD64X2/3G mem)
>
> This isn't an exploit -- at least not on Linux -- it's just kiddie
> stupidity. It doesn't take any particular cleverness to blow memory by
> dynamically creating bigger and bigger data structures. With virtual
> memory and 64-bit pointers, when exactly do we return -ENOMEM?

When RLIMIT_AS has been exceeded.

If you disable the use of mmap'd-malloc() via mallopt(M_MMAP_MAX, 0),
you can effectively limit malloc() via RLIMIT_DATA.

If you really want to allow a single process to use all available RAM
for itself, you can; but you don't have to.

It might be nice if the browser limited the amount of memory which
could be used by e.g. JavaScript (although for Firefox, you would
probably want the limit to only be applied to "external" JavaScript,
given that much of the browser itself is written in JavaScript).

-- 
Glynn Clements <glynn () gclements plus com>