Vigil@nce: FreeBSD, denial of service via SCHED_ULE
March 2010 by Vigil@nce
When the SCHED_ULE scheduler is used, a local attacker on a multiprocessor system can block FreeBSD.
Consequences: denial of service of computer
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 01/03/2010
DESCRIPTION OF THE VULNERABILITY
The FreeBSD system uses two implementations of the thread/process
SCHED_4BSD (by default on FreeBSD <= 7.0)
SCHED_ULE (by default on FreeBSD >= 7.1)
With SCHED_ULE, each CPU has a locked queue. When a thread is transfered from one CPU to another one, SCHED_ULE locks the source and destination CPU queues. However, if two other threads are transfered during this time range, they wait indefinitely for a lock to be freed. The associated CPUs are then unused.
When the SCHED_ULE scheduler is used, a local attacker on a multiprocessor system can therefore block FreeBSD.
Identifiers: FreeBSD-EN-10:02.sched_ule, VIGILANCE-VUL-9479