You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by John Giannandrea <jg...@meer.net> on 1999/03/25 10:45:01 UTC

general/4122: mmap without limit considered harmful

>Number:         4122
>Category:       general
>Synopsis:       mmap without limit considered harmful
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Mar 25 01:50:00 PST 1999
>Last-Modified:
>Originator:     jg@meer.net
>Organization:
apache
>Release:        1.3.6
>Environment:
Any platform using mmap(2) I think.  Debugged on IRIX 6.2
>Description:
There is a denial of service attack on apache servers that use mmap on OSs
that need to allocate swap to cover the mmap allocation.  On IRIX 6.2 for example
an mmap of 32MB will require virtual swap of 32MB and if virtual swap is not
allocated (which is the default) real swap is allocated.  If you have one hundred
concurrent HTTP GETs of a 32MB file, then you need >3GB swap.
(We are an ISP, this happened to us today :-)
This is bad because its not known in advance what resources a server needs.
If you are serving static content only, you cant multiply MaxClients by
some swap budget for each process.  Depending on the files being requested
the swap budget is unknown.  When swap runs out random httpds will
fail which is an undesirable failure mode.

One fix is to limit the maximum size of an MMAP GET, and fall back to 
buffered reads for files over that size.  A simple patch for this is included.
>How-To-Repeat:
Create a large file, fetch it and watch an httpd grow to larger than the file size.
>Fix:
*** http_core.c.orig    Thu Mar 25 01:27:55 1999
--- http_core.c Thu Mar 25 01:29:34 1999
***************
*** 91,96 ****
--- 91,101 ----
  #endif
  #endif
  
+ #ifndef MMAP_LIMIT
+ #define MMAP_LIMIT            (4*1024*1024)
+ #endif
+ 
+ 
  /* Server core module... This module provides support for really basic
   * server operations, including options and commands which control the
   * operation of other modules.  Consider this the bureaucracy module.
***************
*** 3026,3031 ****
--- 3031,3037 ----
  #ifdef USE_MMAP_FILES
      ap_block_alarms();
      if ((r->finfo.st_size >= MMAP_THRESHOLD)
+       && (r->finfo.st_size < MMAP_LIMIT)
        && (!r->header_only || (d->content_md5 & 1))) {
        /* we need to protect ourselves in case we die while we've got the
         * file mmapped */
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]