Possibly a new bug!

WGamers · **Joined:** 04 Jan 2009 17:02 **Posts:** 4

Hello,

I run Counter-Strike 1.5 Servers in my Linux box. I think there is a new bug in this (hlds_3111 with fixes)

I use dlfile-boffix and hlshield for protection.

Some of the hlds_i686 processes uses almost half of the memory on the system suddenly. And if this number of servers comes about 3-4 , I can't connect/reach the box for a couple of minutes via SSH .. All of the memory is leak .. Then swap space becomes 0kb, not available ..

Here is what I got in /var/log/messages ;

Code:

kernel: oom-killer: gfp_mask=0x1d2
kernel: Mem-info:
kernel: DMA per-cpu:
kernel: cpu 0 hot: low 2, high 6, batch 1
kernel: cpu 0 cold: low 0, high 2, batch 1
kernel: cpu 1 hot: low 2, high 6, batch 1
kernel: cpu 1 cold: low 0, high 2, batch 1
kernel: Normal per-cpu:
kernel: cpu 0 hot: low 32, high 96, batch 16
kernel: cpu 0 cold: low 0, high 32, batch 16
kernel: cpu 1 hot: low 32, high 96, batch 16
kernel: cpu 1 cold: low 0, high 32, batch 16
kernel: HighMem per-cpu: empty
kernel:
kernel: Free pages:       19480kB (0kB HighMem)
kernel: Active:616778 inactive:142562 dirty:0 writeback:0 unstable:0 free:4870 slab:4352 mapped:758940 pagetables:3626
kernel: DMA free:12496kB min:36kB low:72kB high:108kB active:0kB inactive:0kB present:16384kB pages_scanned:0 all_unrecl$
kernel: protections[]: 0 878000 878000
kernel: Normal free:6984kB min:7024kB low:14048kB high:21072kB active:2467624kB inactive:569864kB present:3121088kB page$
kernel: protections[]: 0 0 0
kernel: HighMem free:0kB min:128kB low:256kB high:384kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclai$
kernel: protections[]: 0 0 0
kernel: DMA: 4*4kB 4*8kB 2*16kB 4*32kB 2*64kB 3*128kB 2*256kB 0*512kB 1*1024kB 1*2048kB 2*4096kB = 12496kB
kernel: Normal: 0*4kB 1*8kB 0*16kB 0*32kB 1*64kB 0*128kB 1*256kB 1*512kB 0*1024kB 1*2048kB 1*4096kB = 6984kB
kernel: HighMem: empty
kernel: 780 pagecache pages
kernel: Swap cache: add 515649, delete 515649, find 1324/2062, race 0+0
kernel: 0 bounce buffer pages
kernel: Free swap:            0kB
kernel: 784368 pages of RAM
kernel: 0 pages of HIGHMEM
kernel: 8245 reserved pages
kernel: 411 pages shared
kernel: 0 pages swap cached
kernel: Out of Memory: Killed process 4669 (hlds_i686).
kernel: Out of Memory: Killed process 4456 (hlds_i686).
kernel: Out of Memory: Killed process 4670 (hlds_i686).
kernel: hlds_i686: page allocation failure. order:0, mode:0x1d2
kernel:  [<02143e5b>] __alloc_pages+0x29f/0x2b1
kernel:  [<02146493>] do_page_cache_readahead+0xe7/0x158
kernel:  [<021410c5>] filemap_nopage+0x167/0x302
kernel:  [<0214e6fd>] do_no_page+0xcb/0x2f9
kernel:  [<0214eae1>] handle_mm_fault+0xdc/0x193
kernel:  [<0211b00f>] do_page_fault+0x1be/0x5f7
kernel:  [<0214fa56>] vma_adjust+0x286/0x2d6
kernel:  [<021a403f>] mqueue_destroy_inode+0x6/0xd
kernel:  [<0214fc2a>] vma_merge+0xe1/0x165
kernel:  [<0214fc3e>] vma_merge+0xf5/0x165
kernel:  [<021511b3>] do_brk+0x184/0x24d
kernel:  [<0211ae51>] do_page_fault+0x0/0x5f7
kernel: Mem-info:
kernel: DMA per-cpu:
kernel: cpu 0 hot: low 2, high 6, batch 1
kernel: cpu 0 cold: low 0, high 2, batch 1
kernel: cpu 1 hot: low 2, high 6, batch 1
kernel: cpu 1 cold: low 0, high 2, batch 1
kernel: Normal per-cpu:
kernel: cpu 0 hot: low 32, high 96, batch 16
kernel: cpu 0 cold: low 0, high 32, batch 16
kernel: cpu 1 hot: low 32, high 96, batch 16
kernel: cpu 1 cold: low 0, high 32, batch 16
kernel: HighMem per-cpu: empty
kernel:
kernel: Free pages:       19480kB (0kB HighMem)
kernel: Active:643034 inactive:116338 dirty:0 writeback:0 unstable:0 free:4870 slab:4353 mapped:758940 pagetables:3626
kernel: DMA free:12496kB min:36kB low:72kB high:108kB active:0kB inactive:0kB present:16384kB pages_scanned:0 all_unrecl$
kernel: protections[]: 0 878000 878000
kernel: Normal free:6984kB min:7024kB low:14048kB high:21072kB active:2573032kB inactive:464456kB present:3121088kB page$
kernel: protections[]: 0 0 0
kernel: HighMem free:0kB min:128kB low:256kB high:384kB active:0kB inactive:0kB present:0kB pages_scanned:0 all_unreclai$
kernel: protections[]: 0 0 0
kernel: DMA: 4*4kB 4*8kB 2*16kB 4*32kB 2*64kB 3*128kB 2*256kB 0*512kB 1*1024kB 1*2048kB 2*4096kB = 12496kB
kernel: Normal: 0*4kB 1*8kB 0*16kB 0*32kB 1*64kB 0*128kB 1*256kB 1*512kB 0*1024kB 1*2048kB 1*4096kB = 6984kB
kernel: HighMem: empty
kernel: 780 pagecache pages
kernel: Swap cache: add 635608, delete 635608, find 1901/3114, race 0+0
kernel: 0 bounce buffer pages
kernel: Free swap:            0kB
kernel: 784368 pages of RAM
kernel: 0 pages of HIGHMEM
kernel: 8245 reserved pages
kernel: 541 pages shared
kernel: 0 pages swap cached

kernel: Out of Memory: Killed process 4475 (hlds_i686).
kernel: Out of Memory: Killed process 4422 (hlds_i686).
kernel: Out of Memory: Killed process 4476 (hlds_i686).
kernel: Out of Memory: Killed process 5004 (hlds_i686).

kernel: hlds_i686: page allocation failure. order:0, mode:0x1d2

I know this attack can be done only inside the game. Because I see someone's nickname in playerlist (last connected one) in all of our servers. So the attacker do this after he joined the game. Maybe he types some commands to the console. Maybe something else, but he ALWAYS connects to the servers.

I tested cmd dlfile shit, it does not work for my servers (fixed). Anyway it just increases CPU usage of the hlds process.

I know there is not a problem about the hardware, memories, CPUs, Ethernet etc.. (I tried to move and run the servers in another box)

So.. What do you think?

// sorry for my poor english in our country Argentina we dont use it much :)

aluigi · **Posted:** 04 Jan 2009 19:15

I'm not aware of in-game commands which allow to pass arguments used then by the server for allocating a certain amount of memory.
so my doubts fall on the download system.

are you running hlds 3111e or 3111?
do you have downloads and/or uploads enabled?
do you use mods or something else non-standard?
have you monitored the process before the termination?

the "cmd dlfile hugefile" bug has just the effect of freezing the process during the reading and dynamic allocation of the requested file (you can see the process eating memory each second) so it could be the cause although nothing happened in your tests.

then I don't know (never tested) what happens if you try to download /dev/urandom or /dev/null or other "special" files moreover because I don't know if version 3111 is vulnerable to directory traversal... it's only an impossible hypothesis

WGamers · **Joined:** 04 Jan 2009 17:02 **Posts:** 4

I use sv_allowdownload 1 but I tried to make it 0 to stop the attacker, it does not effect. cmd dlfile just increases the cpu usage, not effects to memory on the system.

We use v3.1.1.1e with standard mods such as MetaMOD, AMX and SXEI (for anticheat)

I didn't monitor the process. I just know the attacker connects to the server and types something to the console, maybe he executes a big *.cfg file and send some huge information to the server.

Can we log/read what kind of command he use? We can't do anything to this operation after he sent the command.

aluigi · **Posted:** 05 Jan 2009 17:11

check if the mods you use have options to enable verbose logging so that you can have something more detailed to analyze.
if this doesn't give results I have another idea.

energypower · **Joined:** 28 Nov 2008 00:27 **Posts:** 7

same porblem at me.

any fixies ?

aluigi · **Posted:** 15 Jan 2009 00:32

no details, no bug, no fixes

Luigi Auriemma

Possibly a new bug!