Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Linux file locking - sigprocmask() issues

From: Trent Lloyd (lathiatbur.st)
Date: Mon Apr 19 2004 - 14:35:46 CDT

Hi Guys,

Suddenly today, out of the blue, two of our production 2.4.24-grsec1 linux
servers decided to have locking problems, after messing around for a bit
I discovered looking at an strace of 'dotlockfile' that it was spinning
on sigprocmask, which jogged my memory of the DoS that was posted to
bugtraq a few days ago (see http://bur.st/~lathiat/sigprocmask).

I tried the DoS on my local machine and found the same symptoms, so
we updated to 2.4.26-grsec2 and rebooted, and worked fine for a few minutes,
but then both machines started doing it. - anyone know if this DoS was
fixed in 2.4.26?

At first I had suspected a DoS but after extensive searching of peoples
homedirs/logs I couldn't find any evidence, and when it started on the
second server after the upgrade, no users had logged in, and there were
no reboot cron entries.

I cannot seem to figure out how to stop this happening, or if its
malicious, we havent' had the problem til now - the only thing I can
think of is its being triggered by NFS (note tho that the locking fails
on both NFS and local filesystems when its broken) - the NFS goes under
fairly high load but it has worked flawlessly forever, since we first
started using our servers in a similar setup in 1998 (although numerous
reinstalls and hardware changes have happened recently, none of them

I'm at a loss as to whats causing it or how to fix, has anyone had this
problem? FWIW I'm running Debian Woody (stable) on a now 2.4.26-grsec2 kernel,
2.4.24-grsec1 did the same, and I can't find any visible exploits by users as
mentioned above, have I missed something? Perhaps it is a remotely
triggerable DoS - we run httpd (apache), pop3 (tpop3d), imap (dovecot),
dns (bind9), mail (postfix), ssh (openssh), nntp (nntpcache) and NFS.

Technical Staff, Bur.st Networking Inc.
Need advertising? Want to reach your consumer? For just $200 you can have
your advertisement in my signature for 2 months! cheap, just call 1800-SIGADS