

Self-propagating heap memory crawler in x86-64 Linux Assembly - adulau
http://pastebin.com/rtGeDEmC

======
CurtHagenlocher
I'm a Windows guy, so maybe this is a stupid question. Don't you eventually
have to call mmap to get more memory committed to your address space?

Also, it seems weird to me that the heap pages are marked as executable by
default.

~~~
spauka
In answer to your two questions:

1: Yes, you will eventually need to mmap more memory. Since you want to
minimize the number of mmap calls necessary for things like heap allocations,
you generally allocate in larger chunks then necessary and then malloc etc.
allocates from these chunks. It doesn't matter too much in terms of memory
waste, since in the back end, linux allocates physical memory lazily, so the
extra allocated block of virtual memory doesn't get a physical allocation
until something tries to access it. For this reason, it can sometimes seem
like a malloc call completes successfully, but you run into an out of memory
condition once you try to actually use your "successfully" allocated memory.

2\. It turns out most kernels don't actually enable the NX bit automatically,
with the reason given being that early processors have buggy implementations,
so by default the NX flag is not honored. As a result, all memory is
executable by default, unless explicitly set not to be (i.e. using
memprotect), and this is only if the kernel is compiled to support NX, which
it may not be. This is changing, and some systems such implementing SELinux or
similar are supposedly stricter but I haven't actually tested this out myself.

~~~
ZephyrP
1\. Elaborate more on this, as this doesn't agree with my understanding of it.
Glibc Malloc allocates differently depending on the size of the allocation --
glibc uses dynamic mmap thresholds, which as I previously stated starts at
128kb, but when blocks larger than the current threshold are freed, the
threshold is adjusted to the size of the freed block, unless once again,
you've set any of the slew of paremeters that disable the threshold in which
case you'll go back to either "old school" brk() memory management by storing
current and previous results of sbrk(0) or you will have arenas for small
allocations managed through mmap().

2\. If only this were true, I regularly pine for the days of EIP ->
0xc0c0c0c0. It is true that some compilers generate entirely RWE memory pages,
but usually for much different reasons (Executable stacks for GCC trampolines,
for example)

------
bediger4000
Done correctly, you don't even need to use assembly to do this sort of thing.
<http://stratiger.com/cpup4.c> is a straightforward C member of the same
category of programs.

~~~
Nick_C
For anyone trying this, there's a typo in the URL, it is actually
<http://stratigery.com/cpup4.c>

------
smegel
A fork bomb will also reproduce a program until you run out of memory, and
actually stand a better chance of crashing the system if that was your goal.

~~~
serf
Did you even read what it does, or are you just spouting out other arbitrary
ways to crash systems?

There are a host of ways to run out of memory and crash a system. Why not list
every single example, if that's your intention, because the fact that it runs
a machine out of memory is about the only thing it has in common with a fork
bomb.

In fact, a fork bomb doesn't even imply the system runs out of memory, but
only that the system runs out of a finite resource.

