
Bug#391373: marked as done (Should not DoS system if statically linked binary is run)



Your message dated Thu, 20 Nov 2008 17:45:51 +0100
with message-id <20081120164551.GA26909@wavehammer.waldi.eu.org>
and subject line Fixed
has caused the Debian Bug report #391373,
regarding Should not DoS system if statically linked binary is run
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
391373: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=391373
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: aide
Version: 0.11a-4
Severity: serious

I upgraded my personal server to etch and chose to use a Xen enabled
kernel since we're going to have Xen support in etch (and also because
we're using this for the new alioth.debian.org so I wanted to have a
testbed for me).

This morning my server was almost unreachable and while looking through
the logs I discovered those messages:
Oct  6 05:17:34 arrakeen kernel: printk: 246 messages suppressed.
Oct  6 05:17:34 arrakeen kernel: 4gb seg fixup, process aide (pid 1627), cs:ip 73:080ae335
Oct  6 05:17:40 arrakeen kernel: printk: 291 messages suppressed.
Oct  6 05:17:40 arrakeen kernel: 4gb seg fixup, process aide (pid 1627), cs:ip 73:080ae335

Those messages appear when you use the standard libc6 instead of libc6-xen
on a Xen enabled kernel. However I have libc6-xen installed.... but aide
is using its own statically linked libc6 which thus generates this
message.

Those messages mean that the kernel worked around the bad libc6 but it's
extremely ineffective in doing so, so much that it effectively DOSsed my
server during the 3 hours when aide was running.

I see two solutions:
- either you link again libc6 dynamically
- or you provide two versions of the binary and you use alternatives
  (or you modify the cron script to detect /proc/xen and to start the
  right binary)

However it looks like there's no "libc6-xen-dev" to link statically a
xen-enabled libc6... 

So for etch, the right thing to do might be to provide additionally
a binary dynamically linked and to use the dynamic one if you detect
/proc/xen.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-1-xen-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)


--- End Message ---
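
The cron-script option proposed in the report above, as an added example that is not part of the original thread or of the aide package: a POSIX shell function that picks the dynamically linked binary when /proc/xen exists. The function name and the binary paths passed to it are hypothetical; the proc root is a parameter so the logic can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example (not from the aide package): choose which aide binary a
# cron job should start. select_aide_binary and the paths given to it are
# hypothetical names used for illustration.

# select_aide_binary PROC_ROOT STATIC_BIN DYNAMIC_BIN
# Prints the path of the binary to run; returns 1 if neither is usable.
select_aide_binary() {
    proc_root=$1
    static_bin=$2
    dynamic_bin=$3

    # The report suggests detecting /proc/xen to recognise a Xen kernel.
    if [ -e "$proc_root/xen" ]; then
        # A dynamically linked build resolves libc through the normal
        # loader, so it can use libc6-xen instead of an embedded libc6.
        if [ -x "$dynamic_bin" ]; then
            printf '%s\n' "$dynamic_bin"
            return 0
        fi
        # No dynamic build present: still run the integrity check, but
        # warn, because the static binary hits the slow fixup path.
        echo "warning: Xen detected, $dynamic_bin missing; using static binary" >&2
    fi

    if [ -x "$static_bin" ]; then
        printf '%s\n' "$static_bin"
        return 0
    fi

    echo "error: no usable aide binary found" >&2
    return 1
}

# Usage inside a cron script (paths are assumptions):
#   bin=$(select_aide_binary /proc /usr/bin/aide /usr/bin/aide.dynamic) || exit 1
#   "$bin" --check
```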
--- Begin Message ---
Version: 2.6.26-7

None of these messages are given in the newstyle Xen support nor the
oldstyle Xen images in Lenny. So this is fixed now.

Bastian

-- 
Leave bigotry in your quarters; there's no room for it on the bridge.
		-- Kirk, "Balance of Terror", stardate 1709.2


--- End Message ---
