On Feb 24, 2012, at 4:39 PM, Timo Sirainen wrote:

> On 25.2.2012, at 0.49, Doug Henderson wrote:
> 
>> [8irgehuq] CVE-2011-1083: Algorithmic denial of service in epoll.
>> 
>> After ksplice automatically installed the above patch on our mail servers, 
>> most/all IMAP/POP3 connections began experiencing time-outs trying to 
>> connect, or extreme timeouts in the auth procedure.
> 
> I'd guess this patch is already in new Linux kernel versions, so other people 
> should have seen any problems caused by it?

Actually, it was only released a couple of days ago (2/21) by Red Hat for EL 5.8;
see: https://rhn.redhat.com/errata/RHSA-2012-0150.html

"A flaw was found in the way the Linux kernel's Event Poll (epoll)
subsystem handled large, nested epoll structures. A local, unprivileged
user could use this flaw to cause a denial of service. (CVE-2011-1083,
Moderate)"

Our automated patching (ksplice) installed it at around 10am PST today.

Other distributions may vary.

> 
>> dovecot: pop3-login: Panic: epoll_ctl(add, 6) failed: Invalid argument
> ..
>> Once this patch was removed, everything started working again.
>> 
>> Is it possible that dovecot is trying to re-add already-added connections to 
>> the polling list - which this specific 'patch' prevents?
> 
> It shouldn't be possible .. EPOLL_CTL_ADD is done only once, EPOLL_CTL_MOD is 
> done afterwards. And if the same fd is attempted to be added/modded twice, 
> Dovecot should assert-crash first in ioloop_iolist_add().
> 

We haven't spent enough time investigating to be sure, but epoll_ctl was 
certainly "in the thick of it". The only outward evidence (in logs, even with 
debug turned on) that there was anything wrong with Dovecot at all was the 
Panic shown for that method.

Dovecot may have been an innocent bystander in this case - but something was 
causing it to fail on inbound IMAP/POP3 connections, and when the patch was 
removed everything started working again.
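Added example (my own code, not Dovecot's and not anything posted in this thread) showing the ADD-once, MOD-afterwards discipline Timo describes, with a small fd registry standing in for the bookkeeping Dovecot's ioloop keeps (the `registered` bitmap and the `io_add`/`io_mod`/`io_del` names are hypothetical). It also asks the kernel directly what a second EPOLL_CTL_ADD of the same fd returns: per epoll_ctl(2) that is EEXIST, which is useful when triaging a log line like the one above, because an `Invalid argument` (EINVAL) panic cannot be explained by a double add. `epoll_create(16)` is used rather than `epoll_create1` so it also builds against EL5-era headers.

```c
/* Added example: ADD-once/MOD-afterwards discipline on top of epoll,
 * with a registry that refuses a repeated ADD before the kernel is asked. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/epoll.h>

#define MAX_FDS 1024

/* One bit per fd, set once the fd has been EPOLL_CTL_ADDed.
 * Hypothetical stand-in for the ioloop's own list of registered fds. */
static unsigned char registered[MAX_FDS / 8];

static int is_registered(int fd) { return (registered[fd / 8] >> (fd % 8)) & 1; }
static void set_registered(int fd, int on)
{
    if (on) registered[fd / 8] |= (unsigned char)(1u << (fd % 8));
    else    registered[fd / 8] &= (unsigned char)~(1u << (fd % 8));
}

/* Each returns 0 on success, otherwise a positive errno: either the one
 * epoll_ctl set, or EEXIST/ENOENT from our own bookkeeping when the call
 * would be a caller bug (the situation Dovecot assert-crashes on). */
int io_add(int epfd, int fd, uint32_t events)
{
    struct epoll_event ev;
    if (fd < 0 || fd >= MAX_FDS) return EBADF;
    if (is_registered(fd)) return EEXIST;          /* ADD twice: caller bug */
    memset(&ev, 0, sizeof ev);
    ev.events = events;
    ev.data.fd = fd;
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev) < 0) return errno;
    set_registered(fd, 1);
    return 0;
}

int io_mod(int epfd, int fd, uint32_t events)
{
    struct epoll_event ev;
    if (fd < 0 || fd >= MAX_FDS) return EBADF;
    if (!is_registered(fd)) return ENOENT;         /* MOD before ADD: caller bug */
    memset(&ev, 0, sizeof ev);
    ev.events = events;
    ev.data.fd = fd;
    if (epoll_ctl(epfd, EPOLL_CTL_MOD, fd, &ev) < 0) return errno;
    return 0;
}

int io_del(int epfd, int fd)
{
    struct epoll_event ev;                         /* non-NULL for old kernels */
    if (fd < 0 || fd >= MAX_FDS) return EBADF;
    if (!is_registered(fd)) return ENOENT;
    memset(&ev, 0, sizeof ev);
    if (epoll_ctl(epfd, EPOLL_CTL_DEL, fd, &ev) < 0) return errno;
    set_registered(fd, 0);
    return 0;
}

/* Bypass the registry and let the kernel answer a repeated ADD of one fd.
 * Returns the errno of the failing call (EEXIST per epoll_ctl(2)), or -1
 * if the setup itself failed. */
int kernel_double_add_errno(void)
{
    struct epoll_event ev;
    int p[2], epfd, err = -1;
    if (pipe(p) < 0) return -1;
    epfd = epoll_create(16);
    if (epfd < 0) { close(p[0]); close(p[1]); return -1; }
    memset(&ev, 0, sizeof ev);
    ev.events = EPOLLIN;
    ev.data.fd = p[0];
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, p[0], &ev) == 0 &&
        epoll_ctl(epfd, EPOLL_CTL_ADD, p[0], &ev) < 0)
        err = errno;
    close(p[0]); close(p[1]); close(epfd);
    return err;
}

/* Life cycle of one connection fd: ADD, a rejected second ADD, MOD, DEL,
 * and a rejected MOD after DEL. Returns 0 when every step behaves as expected. */
int demo_lifecycle(void)
{
    int p[2], epfd, rc = -1;
    if (pipe(p) < 0) return -1;
    epfd = epoll_create(16);
    if (epfd < 0) { close(p[0]); close(p[1]); return -1; }
    if (io_add(epfd, p[0], EPOLLIN) != 0) goto out;
    if (io_add(epfd, p[0], EPOLLIN) != EEXIST) goto out;       /* caught locally */
    if (io_mod(epfd, p[0], EPOLLIN | EPOLLOUT) != 0) goto out;
    if (io_del(epfd, p[0]) != 0) goto out;
    if (io_mod(epfd, p[0], EPOLLIN) != ENOENT) goto out;       /* MOD after DEL */
    rc = 0;
out:
    close(p[0]); close(p[1]); close(epfd);
    return rc;
}

int main(void)
{
    int e = kernel_double_add_errno();
    printf("second ADD of same fd: %s\n", e > 0 ? strerror(e) : "setup failed");
    printf("lifecycle: %s\n", demo_lifecycle() == 0 ? "ok" : "unexpected result");
    return 0;
}
```

Run it on a Linux box to see that the kernel reports `File exists` for the repeated ADD; whatever produced `Invalid argument` in the panic above is therefore a different condition from the double-add Doug asks about, which is the distinction worth making before blaming the application.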
