lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 10 Nov 2015 10:58:39 -0500
From:	Austin S Hemmelgarn <ahferroin7@...il.com>
To:	Aleksa Sarai <cyphar@...har.com>, Max Kellermann <mk@...all.com>
Cc:	Tejun Heo <tj@...nel.org>, cgroups@...r.kernel.org,
	lizefan@...wei.com, Johannes Weiner <hannes@...xchg.org>,
	max@...mpel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cgroup_pids: add fork limit

On 2015-11-10 10:25, Aleksa Sarai wrote:
> Processes don't "use up resources" after they've died and been freed
> (which is dealt with inside PIDs). Yes, lots of small processes that
> die quickly could (in principle) make hard work for the scheduler, but
> I don't see how "time spent scheduling in general" is a resource...
> Fork bombs aren't bad because they cause a lot of fork()s, they're bad
> because the *create a bunch of processes that use up memory*, which
> happens because they call fork() a bunch of times and **don't
> exit()**.
While I'm indifferent about the patch, I would like to point out that 
fork-bombs are also bad because they eat _a lot_ of processor time, and 
I've seen ones designed to bring a system to it's knees just by 
saturating the processor with calls to fork() (which is as slow as or 
slower than stat() on many commodity systems, setting up the various 
structures for a new process is an expensive operation) and clogging up 
the scheduler.  This isn't as evident of course when you run a fork-bomb 
on a laptop or similar system, because you run out of memory and PID's 
before the latency from scheduling and so many processes calling fork 
really starts to become noticeable, but when you start to look at really 
big systems (on the order of hundreds of GB of RAM), it does become much 
more noticeable.


Download attachment "smime.p7s" of type "application/pkcs7-signature" (3019 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ