Hello,
played around with perl today and got a strange thing.

Just have a look at this:


----------------------------------cut------------------------------------------

Welcome to SuSE Linux 6.2 (i386) - Kernel 2.2.10 (tty4).

shark login: anarchy
Password:
Last login: Wed Jan  5 00:20:38 on tty6
Have a lot of fun...
anarchy@shark:~ > id
uid=500(anarchy) gid=100(users)
anarchy@shark:~ > l /usr/bin/perl
-rwxr-xr-x   2 root     root       624095 Nov  6 16:52 /usr/bin/perl*
anarchy@shark:~ > perl -e 'while(1) { push(@test,"0"x1000) }'
Out of memory!
anarchy@shark:~ > strace -o out.log perl -e 'while(1)
Out of memory!
anarchy@shark:~ > cat out.log

execve("/usr/bin/perl", ["perl", "-e", "while(1){push(@test,\"0\"x1000)}"], [/* 42 vars */]) = 0
brk(0)                                  = 0x80d224c
open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=35811, ...}) = 0
mmap(NULL, 35811, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40015000
close(4)                                = 0
open("/lib/libnsl.so.1", O_RDONLY)      = 4
fstat(4, {st_mode=S_IFREG|0755, st_size=376092, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\3009\0"..., 4096) = 4096
mmap(NULL, 89032, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4001e000
mprotect(0x40030000, 15304, PROT_NONE)  = 0
mmap(0x40030000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x11000) = 0x40030000
mmap(0x40032000, 7112, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40032000
close(4)                                = 0
open("/usr/lib/libgdbm.so.2", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0755, st_size=30161, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\320\22"..., 4096) = 4096
mmap(NULL, 24588, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40034000
mprotect(0x40039000, 4108, PROT_NONE)   = 0
mmap(0x40039000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x4000) = 0x40039000
mmap(0x4003a000, 12, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4003a000
close(4)                                = 0
open("/lib/libdb.so.3", O_RDONLY)       = 4
fstat(4, {st_mode=S_IFREG|0755, st_size=821436, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`<\0\000"..., 4096) = 4096
mmap(NULL, 255740, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4003b000
mprotect(0x40079000, 1788, PROT_NONE)   = 0
mmap(0x40079000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x3d000) = 0x40079000
close(4)                                = 0
open("/lib/libdl.so.2", O_RDONLY)       = 4
fstat(4, {st_mode=S_IFREG|0755, st_size=75167, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\32\0\000"..., 4096) = 4096
mmap(NULL, 11788, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4007a000
mprotect(0x4007c000, 3596, PROT_NONE)   = 0
mmap(0x4007c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x1000) = 0x4007c000
close(4)                                = 0
open("/lib/libm.so.6", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0755, st_size=543826, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0>\0\000"..., 4096) = 4096
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4007d000
mmap(NULL, 118488, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4007e000
mprotect(0x4009a000, 3800, PROT_NONE)   = 0
mmap(0x4009a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x1b000) = 0x4009a000
close(4)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0755, st_size=4223971, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\204"..., 4096) = 4096
mmap(NULL, 1025596, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4009b000
mprotect(0x4018e000, 30268, PROT_NONE)  = 0
mmap(0x4018e000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0xf2000) = 0x4018e000
mmap(0x40192000, 13884, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40192000
close(4)                                = 0
open("/lib/libcrypt.so.1", O_RDONLY)    = 4
fstat(4, {st_mode=S_IFREG|0755, st_size=62497, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\v\0"..., 4096) = 4096
mmap(NULL, 181820, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x40196000
mprotect(0x4019b000, 161340, PROT_NONE) = 0
mmap(0x4019b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x4000) = 0x4019b000
mmap(0x4019c000, 157244, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4019c000
close(4)                                = 0
mprotect(0x4009b000, 995328, PROT_READ|PROT_WRITE) = 0
mprotect(0x4009b000, 995328, PROT_READ|PROT_EXEC) = 0
munmap(0x40015000, 35811)               = 0
personality(PER_LINUX)                  = 0
getpid()                                = 411
brk(0)                                  = 0x80d224c
brk(0x80d2284)                          = 0x80d2284
brk(0x80d3000)                          = 0x80d3000
open("/usr/share/locale/locale.alias", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=2174, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40015000
read(4, "# Locale name alias data base.\n#"..., 4096) = 2174
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0x40015000, 4096)                = 0
open("/usr/share/locale/de_DE.ISO-8859-1/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.ISO-8859-1/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE.iso88591/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.iso88591/LC_MESSAGES", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE/LC_MESSAGES", O_RDONLY) = 4
fstat(4, {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
close(4)                                = 0
open("/usr/share/locale/de_DE/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=44, ...}) = 0
mmap(NULL, 44, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40015000
close(4)                                = 0
brk(0x80d4000)                          = 0x80d4000
open("/usr/share/locale/de_DE.ISO-8859-1/LC_MONETARY", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.ISO-8859-1/LC_MONETARY", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE.iso88591/LC_MONETARY", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.iso88591/LC_MONETARY", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE/LC_MONETARY", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=94, ...}) = 0
mmap(NULL, 94, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40016000
close(4)                                = 0
open("/usr/share/locale/de_DE.ISO-8859-1/LC_COLLATE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.ISO-8859-1/LC_COLLATE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE.iso88591/LC_COLLATE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.iso88591/LC_COLLATE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE/LC_COLLATE", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=29970, ...}) = 0
mmap(NULL, 29970, PROT_READ, MAP_PRIVATE, 4, 0) = 0x401c3000
close(4)                                = 0
open("/usr/share/locale/de_DE.ISO-8859-1/LC_TIME", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.ISO-8859-1/LC_TIME", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE.iso88591/LC_TIME", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.iso88591/LC_TIME", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE/LC_TIME", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=492, ...}) = 0
mmap(NULL, 492, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40017000
close(4)                                = 0
brk(0x80d5000)                          = 0x80d5000
open("/usr/share/locale/de_DE.ISO-8859-1/LC_NUMERIC", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.ISO-8859-1/LC_NUMERIC", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE.iso88591/LC_NUMERIC", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.iso88591/LC_NUMERIC", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE/LC_NUMERIC", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=27, ...}) = 0
mmap(NULL, 27, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40018000
close(4)                                = 0
open("/usr/share/locale/de_DE.ISO-8859-1/LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.ISO-8859-1/LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE.iso88591/LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/i18n/de_DE.iso88591/LC_CTYPE", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/de_DE/LC_CTYPE", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=10428, ...}) = 0
mmap(NULL, 10428, PROT_READ, MAP_PRIVATE, 4, 0) = 0x40019000
close(4)                                = 0
brk(0x80d6000)                          = 0x80d6000
lstat("/usr", {st_mode=S_IFDIR|0755, st_size=1024, ...}) = 0
lstat("/usr/lib", {st_mode=S_IFDIR|0755, st_size=9216, ...}) = 0
lstat("/usr/lib/gconv", {st_mode=S_IFDIR|0755, st_size=3072, ...}) = 0
open("/usr/lib/gconv/gconv-modules", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=33489, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4001c000
read(4, "# GNU libc iconv configuration.\n"..., 4096) = 4096
brk(0x80d7000)                          = 0x80d7000
read(4, "9-RO//\nmodule\tJIS_C6220-1969-RO/"..., 4096) = 4096
brk(0x80d8000)                          = 0x80d8000
brk(0x80d9000)                          = 0x80d9000
read(4, "O8859-3\t1\nmodule\tINTERNAL\t\tISO-8"..., 4096) = 4096
brk(0x80da000)                          = 0x80da000
brk(0x80db000)                          = 0x80db000
brk(0x80dc000)                          = 0x80dc000
read(4, "\tSJIS//\nalias\tCSSHIFTJIS//\t\tSJIS"..., 4096) = 4096
brk(0x80dd000)                          = 0x80dd000
brk(0x80de000)                          = 0x80de000
read(4, "/\nalias\tCSIBM273//\t\tIBM273//\nali"..., 4096) = 4096
brk(0x80df000)                          = 0x80df000
brk(0x80e0000)                          = 0x80e0000
read(4, "\tINTERNAL\t\tIBM855\t\t1\nmodule\tINTE"..., 4096) = 4096
brk(0x80e1000)                          = 0x80e1000
brk(0x80e2000)                          = 0x80e2000
brk(0x80e3000)                          = 0x80e3000
read(4, "le\t\tcost\nalias\tCP1026//\t\tIBM1026"..., 4096) = 4096
brk(0x80e4000)                          = 0x80e4000
brk(0x80e5000)                          = 0x80e5000
read(4, "/\nalias\tARABIC7//\t\tASMO_449//\nal"..., 4096) = 4096
brk(0x80e6000)                          = 0x80e6000
brk(0x80e7000)                          = 0x80e7000
read(4, "NATSSEFI//\t\tNATS-SEFI//\nmodule\tN"..., 4096) = 721
brk(0x80e8000)                          = 0x80e8000
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0x4001c000, 4096)                = 0
open("/usr/lib/gconv/ISO8859-1.so", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0755, st_size=32857, ...}) = 0
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\5\0"..., 4096) = 4096
mmap(NULL, 7020, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0x4001c000
mprotect(0x4001d000, 2924, PROT_NONE)   = 0
mmap(0x4001d000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x4001d000
close(4)                                = 0
brk(0x80ea000)                          = 0x80ea000
brk(0x80eb000)                          = 0x80eb000
getuid()                                = 500
geteuid()                               = 500
getgid()                                = 100
getegid()                               = 100
time([947028917])                       = 947028917
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
brk(0x80ed000)                          = 0x80ed000
open("/dev/null", O_RDONLY)             = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
fstat(4, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0
brk(0x80ee000)                          = 0x80ee000
brk(0x80ef000)                          = 0x80ef000
brk(0x80f0000)                          = 0x80f0000
brk(0x80f1000)                          = 0x80f1000
getpid()                                = 411
brk(0x80f2000)                          = 0x80f2000
close(4)                                = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
brk(0x80f3000)                          = 0x80f3000
brk(0x80f4000)                          = 0x80f4000
brk(0x80f5000)                          = 0x80f5000
brk(0x80f6000)                          = 0x80f6000
brk(0x80f7000)                          = 0x80f7000
brk(0x80f8000)                          = 0x80f8000
brk(0x80f9000)                          = 0x80f9000
brk(0x115a6000)                         = 0x115a6000
brk(0x115a7000)                         = 0x115a7000
...
...
...
write(2, "Out of memory!\n", 15)        = 15


----------------------------------cut------------------------------------------

Well...but that's not all... after I'd executed this fuckin' program
my system got very slow (that's ok) but also two of my rootshells got killed.
I also tried this under SuSE Linux 6.3 (kernel: 2.2.13),
RedHat 5.2 (kernel: 2.2.10 and 2.2.12) and under RedHat 6.0 (2.2.12) and I got
the same results (killed rootshells and other programs like top and X).

I really don't understand this, cuz I started this program as a normal
user and because perl wasn't setuid (also tried this as user nobody and got
the same results).
And I also think that vm should kill the process before it consumes all the
system memory (ram and swap).


So that's it...

(sorry for my english guys...)


Greetings:
arbon, Hunz, cray, basti, cyberlord and all others I forgot.



Anarchy  (anarchy@elxsi.de)
