[Bug 293000] Re: hardy: openssh-server oom_adj can lead to denial of service

Cal Leeming [Simplicity Media Ltd] cal at foxwhisper.co.uk
Mon May 30 21:46:08 UTC 2011 

Hi all,

I have recently came up against this problem myself, and have fixed /
submitted a patch to the openssh development team. Here is the original
report:


So I modified the code to try and repair this oom_adj problem...

port-linux.c:
line 235: //static int oom_adj_save = INT_MIN;
line 236: static int oom_adj_save = 0;
line 277: verbose("Set %s to %d - sleepycal", OOM_ADJ_PATH, oom_adj_save);


I then ran compiled the package, ran SSHd, and yet we still have -17 in oom_adj_save. Wtf? Now, I'm not much of a C coder, but this is weird even in my books...

May 30 22:18:19 vicky sshd[12825]: Set /proc/self/oom_adj to -17 -
sleepycal

So, I went all out crazy, and did the following patch:

        static int sleepycal_oom_adj_save = 0;
        verbose("sleepycal_oom_adj_save=%d", sleepycal_oom_adj_save);

        if (fprintf(fp, "%d\n", sleepycal_oom_adj_save) <= 0)
                verbose("error writing %s: %s", OOM_ADJ_PATH, strerror(errno));
        else
                verbose("Set %s to %d - sleepycal", OOM_ADJ_PATH, sleepycal_oom_adj_save);

And it worked!!! :)

May 30 22:27:12 vicky sshd[2532]: sleepycal_oom_adj_save=0
May 30 22:27:12 vicky sshd[2532]: Set /proc/self/oom_adj to 0 - sleepycal

root at vicky:~/openssh-5.5p1# cat /proc/2532/oom_adj
0

So, it turns out that it is actually OpenSSH which is broken, after
almost 3 days of frustrating digging through millions of lines of code
lol. Anyways, would appreciate if someone could get this merged into
master (obv rename the vars if you want).

Attached is the appropriate patch file as of openssh-5.5p1

Cal


** Patch added: "oom_patch_for_openssh-5.5p1_by_sleepycal.patch"
   https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/293000/+attachment/2148347/+files/oom_patch_for_openssh-5.5p1_by_sleepycal.patch

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/293000

Title:
  hardy: openssh-server oom_adj can lead to denial of service

Status in “openssh” package in Ubuntu:
  Fix Released
Status in “openssh” source package in Hardy:
  Confirmed
Status in Debian GNU/Linux:
  Fix Released

Bug description:
  Binary package hint: openssh-server

  The ssh init script sets the /proc/$PID/oom_adj value to -17 to avoid
  being killed by the OOM killer in low memory situations. Unfortunately
  all child processes of sshd inherit this setting.

  So any user with ssh access can easily launch a process which
  accumulates memory without being killed by the kernel until the system
  gets to out of memory kernel panic. This will lead to a denial of
  service.

  The bug is already reported in the debian bug tracker under the following location:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480020

  The fix is included in openssh/1:4.7p1-11. Please update Hardy to this
  package version.

More information about the foundations-bugs mailing list