Security Incidents mailing list archives
Linux file locking - sigprocmask() issues
From: Trent Lloyd <lathiat () bur st>
Date: Tue, 20 Apr 2004 03:35:46 +0800
Hi Guys, Suddenly today, out of the blue, two of our production 2.4.24-grsec1 linux servers decided to have locking problems, after messing around for a bit I discovered looking at an strace of 'dotlockfile' that it was spinning on sigprocmask, which jogged my memory of the DoS that was posted to bugtraq a few days ago (see http://bur.st/~lathiat/sigprocmask). I tried the DoS on my local machine and found the same symptoms, so we updated to 2.4.26-grsec2 and rebooted, and worked fine for a few minutes, but then both machines started doing it. - anyone know if this DoS was fixed in 2.4.26? At first I had suspected a DoS but after extensive searching of peoples homedirs/logs I couldn't find any evidence, and when it started on the second server after the upgrade, no users had logged in, and there were no @reboot cron entries. I cannot seem to figure out how to stop this happening, or if its malicious, we havent' had the problem til now - the only thing I can think of is its being triggered by NFS (note tho that the locking fails on both NFS and local filesystems when its broken) - the NFS goes under fairly high load but it has worked flawlessly forever, since we first started using our servers in a similar setup in 1998 (although numerous reinstalls and hardware changes have happened recently, none of them recent). I'm at a loss as to whats causing it or how to fix, has anyone had this problem? FWIW I'm running Debian Woody (stable) on a now 2.4.26-grsec2 kernel, 2.4.24-grsec1 did the same, and I can't find any visible exploits by users as mentioned above, have I missed something? Perhaps it is a remotely triggerable DoS - we run httpd (apache), pop3 (tpop3d), imap (dovecot), dns (bind9), mail (postfix), ssh (openssh), nntp (nntpcache) and NFS. Cheers, Trent Technical Staff, Bur.st Networking Inc. -- Need advertising? Want to reach your consumer? For just $200 you can have your advertisement in my signature for 2 months! cheap, just call 1800-SIGADS --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Linux file locking - sigprocmask() issues Trent Lloyd (Apr 19)