OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Linux file locking - sigprocmask() issues

From: Trent Lloyd (lathiatbur.st)
Date: Mon Apr 19 2004 - 14:35:46 CDT


Hi Guys,

Suddenly today, out of the blue, two of our production 2.4.24-grsec1 linux
servers decided to have locking problems, after messing around for a bit
I discovered looking at an strace of 'dotlockfile' that it was spinning
on sigprocmask, which jogged my memory of the DoS that was posted to
bugtraq a few days ago (see http://bur.st/~lathiat/sigprocmask).

I tried the DoS on my local machine and found the same symptoms, so
we updated to 2.4.26-grsec2 and rebooted, and worked fine for a few minutes,
but then both machines started doing it. - anyone know if this DoS was
fixed in 2.4.26?

At first I had suspected a DoS but after extensive searching of peoples
homedirs/logs I couldn't find any evidence, and when it started on the
second server after the upgrade, no users had logged in, and there were
no reboot cron entries.

I cannot seem to figure out how to stop this happening, or if its
malicious, we havent' had the problem til now - the only thing I can
think of is its being triggered by NFS (note tho that the locking fails
on both NFS and local filesystems when its broken) - the NFS goes under
fairly high load but it has worked flawlessly forever, since we first
started using our servers in a similar setup in 1998 (although numerous
reinstalls and hardware changes have happened recently, none of them
recent).

I'm at a loss as to whats causing it or how to fix, has anyone had this
problem? FWIW I'm running Debian Woody (stable) on a now 2.4.26-grsec2 kernel,
2.4.24-grsec1 did the same, and I can't find any visible exploits by users as
mentioned above, have I missed something? Perhaps it is a remotely
triggerable DoS - we run httpd (apache), pop3 (tpop3d), imap (dovecot),
dns (bind9), mail (postfix), ssh (openssh), nntp (nntpcache) and NFS.

Cheers,
Trent
Technical Staff, Bur.st Networking Inc.
--
Need advertising? Want to reach your consumer? For just $200 you can have
your advertisement in my signature for 2 months! cheap, just call 1800-SIGADS

---------------------------------------------------------------------------
----------------------------------------------------------------------------