1 files changed, 212 insertions, 0 deletions
diff --git a/debian/patches/oom-adjust.patch b/debian/patches/oom-adjust.patch
new file mode 100644
index 000000000..d01f1f3ad
--- /dev/null
+++ b/debian/patches/oom-adjust.patch
@@ -0,0 +1,212 @@
+Index: b/config.h.in
+===================================================================
+--- a/config.h.in
+++ b/config.h.in
+@@ -1238,6 +1238,9 @@
+ /* Define if X11 doesn't support AF_UNIX sockets on that system */
+ #undef NO_X11_UNIX_SOCKETS
+ 
+/* Adjust Linux out-of-memory killer */
+#undef OOM_ADJUST
+
+ /* Define if EVP_DigestUpdate returns void */
+ #undef OPENSSL_EVP_DIGESTUPDATE_VOID
+ 
+Index: b/configure
+===================================================================
+--- a/configure
+++ b/configure
+@@ -8369,6 +8369,11 @@
+ _ACEOF
+ 
+        fi
+
+cat >>confdefs.h <<\_ACEOF
+#define OOM_ADJUST 1
+_ACEOF
+
+        ;;
+ mips-sony-bsd|mips-sony-newsos4)
+ 
+Index: b/configure.ac
+===================================================================
+--- a/configure.ac
+++ b/configure.ac
+@@ -630,6 +630,7 @@
+                AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
+                    [Prepend the address family to IP tunnel traffic])
+        fi
+       AC_DEFINE(OOM_ADJUST, 1, [Adjust Linux out-of-memory killer])
+        ;;
+ mips-sony-bsd|mips-sony-newsos4)
+        AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling tty])
+Index: b/openbsd-compat/port-linux.c
+===================================================================
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -18,7 +18,7 @@
+  */
+ 
+ /*
+- * Linux-specific portability code - just SELinux support at present
+ * Linux-specific portability code
+  */
+ 
+ #include "includes.h"
+@@ -27,6 +27,15 @@
+ #include <stdarg.h>
+ #include <string.h>
+ 
+#ifdef OOM_ADJUST
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#endif
+
+#include "log.h"
+
+ #ifdef WITH_SELINUX
+ #include "key.h"
+ #include "hostfile.h"
+@@ -34,7 +43,6 @@
+ #ifdef HAVE_GETSEUSERBYNAME
+ #include "xmalloc.h"
+ #endif
+-#include "log.h"
+ #include "port-linux.h"
+ 
+ #include <selinux/selinux.h>
+@@ -186,3 +194,47 @@
+        debug3("%s: done", __func__);
+ }
+ #endif /* WITH_SELINUX */
+
+#ifdef OOM_ADJUST
+/* Get the out-of-memory adjustment file for the current process */
+static int
+oom_adj_open(int oflag)
+{
+       int fd = open("/proc/self/oom_adj", oflag);
+       if (fd < 0)
+               logit("error opening /proc/self/oom_adj: %s", strerror(errno));
+       return fd;
+}
+
+/* Get the current OOM adjustment */
+int
+oom_adj_get(char *buf, size_t maxlen)
+{
+       ssize_t n;
+       int fd = oom_adj_open(O_RDONLY);
+       if (fd < 0)
+               return -1;
+       n = read(fd, buf, maxlen);
+       if (n < 0)
+               logit("error reading /proc/self/oom_adj: %s", strerror(errno));
+       else
+               buf[n] = '\0';
+       close(fd);
+       return n < 0 ? -1 : 0;
+}
+
+/* Set the current OOM adjustment */
+int
+oom_adj_set(const char *buf)
+{
+       ssize_t n;
+       int fd = oom_adj_open(O_WRONLY);
+       if (fd < 0)
+               return -1;
+       n = write(fd, buf, strlen(buf));
+       if (n < 0)
+               logit("error writing /proc/self/oom_adj: %s", strerror(errno));
+       close(fd);
+       return n < 0 ? -1 : 0;
+}
+#endif
+Index: b/openbsd-compat/port-linux.h
+===================================================================
+--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
+@@ -25,4 +25,9 @@
+ void ssh_selinux_setup_exec_context(char *);
+ #endif
+ 
+#ifdef OOM_ADJUST
+int oom_adj_get(char *buf, size_t maxlen);
+int oom_adj_set(const char *buf);
+#endif
+
+ #endif /* ! _PORT_LINUX_H */
+Index: b/sshd.c
+===================================================================
+--- a/sshd.c
+++ b/sshd.c
+@@ -254,6 +254,11 @@
+ /* Unprivileged user */
+ struct passwd *privsep_pw = NULL;
+ 
+#ifdef OOM_ADJUST
+/* Linux out-of-memory killer adjustment */
+static char oom_adj_save[8];
+#endif
+
+ /* Prototypes for various functions defined later in this file. */
+ void destroy_sensitive_data(void);
+ void demote_sensitive_data(void);
+@@ -908,6 +913,31 @@
+        debug3("%s: done", __func__);
+ }
+ 
+#ifdef OOM_ADJUST
+/*
+ * If requested in the environment, tell the Linux kernel's out-of-memory
+ * killer to avoid sshd. The old state will be restored when forking child
+ * processes.
+ */
+static void
+oom_adjust_startup(void)
+{
+       const char *oom_adj = getenv("SSHD_OOM_ADJUST");
+
+       if (!oom_adj || !*oom_adj)
+               return;
+       oom_adj_get(oom_adj_save, sizeof(oom_adj_save));
+       oom_adj_set(oom_adj);
+}
+
+static void
+oom_restore(void)
+{
+       if (oom_adj_save[0])
+               oom_adj_set(oom_adj_save);
+}
+#endif
+
+ /* Accept a connection from inetd */
+ static void
+ server_accept_inetd(int *sock_in, int *sock_out)
+@@ -1670,6 +1700,11 @@
+        /* ignore SIGPIPE */
+        signal(SIGPIPE, SIG_IGN);
+ 
+#ifdef OOM_ADJUST
+       /* Adjust out-of-memory killer */
+       oom_adjust_startup();
+#endif
+
+        /* Get a connection, either from inetd or a listening TCP socket */
+        if (inetd_flag) {
+                server_accept_inetd(&sock_in, &sock_out);
+@@ -1708,6 +1743,10 @@
+        /* This is the child processing a new connection. */
+        setproctitle("%s", "[accepted]");
+ 
+#ifdef OOM_ADJUST
+       oom_restore();
+#endif
+
+        /*
+         * Create a new session and process group since the 4.4BSD
+         * setlogin() affects the entire process group.  We don't

diff --git a/debian/patches/oom-adjust.patch b/debian/patches/oom-adjust.patch new file mode 100644 index 000000000..d01f1f3ad --- /dev/null +++ b/debian/patches/oom-adjust.patch
@@ -0,0 +1,212 @@
	1	Index: b/config.h.in
	2	===================================================================
	3	--- a/config.h.in
	4	+++ b/config.h.in
	5	@@ -1238,6 +1238,9 @@
	6	/* Define if X11 doesn't support AF_UNIX sockets on that system */
	7	#undef NO_X11_UNIX_SOCKETS
	8
	9	+/* Adjust Linux out-of-memory killer */
	10	+#undef OOM_ADJUST
	11	+
	12	/* Define if EVP_DigestUpdate returns void */
	13	#undef OPENSSL_EVP_DIGESTUPDATE_VOID
	14
	15	Index: b/configure
	16	===================================================================
	17	--- a/configure
	18	+++ b/configure
	19	@@ -8369,6 +8369,11 @@
	20	_ACEOF
	21
	22	fi
	23	+
	24	+cat >>confdefs.h <<\_ACEOF
	25	+#define OOM_ADJUST 1
	26	+_ACEOF
	27	+
	28	;;
	29	mips-sony-bsd\|mips-sony-newsos4)
	30
	31	Index: b/configure.ac
	32	===================================================================
	33	--- a/configure.ac
	34	+++ b/configure.ac
	35	@@ -630,6 +630,7 @@
	36	AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
	37	[Prepend the address family to IP tunnel traffic])
	38	fi
	39	+ AC_DEFINE(OOM_ADJUST, 1, [Adjust Linux out-of-memory killer])
	40	;;
	41	mips-sony-bsd\|mips-sony-newsos4)
	42	AC_DEFINE(NEED_SETPGRP, 1, [Need setpgrp to acquire controlling tty])
	43	Index: b/openbsd-compat/port-linux.c
	44	===================================================================
	45	--- a/openbsd-compat/port-linux.c
	46	+++ b/openbsd-compat/port-linux.c
	47	@@ -18,7 +18,7 @@
	48	*/
	49
	50	/*
	51	- * Linux-specific portability code - just SELinux support at present
	52	+ * Linux-specific portability code
	53	*/
	54
	55	#include "includes.h"
	56	@@ -27,6 +27,15 @@
	57	#include <stdarg.h>
	58	#include <string.h>
	59
	60	+#ifdef OOM_ADJUST
	61	+#include <sys/types.h>
	62	+#include <sys/stat.h>
	63	+#include <fcntl.h>
	64	+#include <unistd.h>
	65	+#endif
	66	+
	67	+#include "log.h"
	68	+
	69	#ifdef WITH_SELINUX
	70	#include "key.h"
	71	#include "hostfile.h"
	72	@@ -34,7 +43,6 @@
	73	#ifdef HAVE_GETSEUSERBYNAME
	74	#include "xmalloc.h"
	75	#endif
	76	-#include "log.h"
	77	#include "port-linux.h"
	78
	79	#include <selinux/selinux.h>
	80	@@ -186,3 +194,47 @@
	81	debug3("%s: done", __func__);
	82	}
	83	#endif /* WITH_SELINUX */
	84	+
	85	+#ifdef OOM_ADJUST
	86	+/* Get the out-of-memory adjustment file for the current process */
	87	+static int
	88	+oom_adj_open(int oflag)
	89	+{
	90	+ int fd = open("/proc/self/oom_adj", oflag);
	91	+ if (fd < 0)
	92	+ logit("error opening /proc/self/oom_adj: %s", strerror(errno));
	93	+ return fd;
	94	+}
	95	+
	96	+/* Get the current OOM adjustment */
	97	+int
	98	+oom_adj_get(char *buf, size_t maxlen)
	99	+{
	100	+ ssize_t n;
	101	+ int fd = oom_adj_open(O_RDONLY);
	102	+ if (fd < 0)
	103	+ return -1;
	104	+ n = read(fd, buf, maxlen);
	105	+ if (n < 0)
	106	+ logit("error reading /proc/self/oom_adj: %s", strerror(errno));
	107	+ else
	108	+ buf[n] = '\0';
	109	+ close(fd);
	110	+ return n < 0 ? -1 : 0;
	111	+}
	112	+
	113	+/* Set the current OOM adjustment */
	114	+int
	115	+oom_adj_set(const char *buf)
	116	+{
	117	+ ssize_t n;
	118	+ int fd = oom_adj_open(O_WRONLY);
	119	+ if (fd < 0)
	120	+ return -1;
	121	+ n = write(fd, buf, strlen(buf));
	122	+ if (n < 0)
	123	+ logit("error writing /proc/self/oom_adj: %s", strerror(errno));
	124	+ close(fd);
	125	+ return n < 0 ? -1 : 0;
	126	+}
	127	+#endif
	128	Index: b/openbsd-compat/port-linux.h
	129	===================================================================
	130	--- a/openbsd-compat/port-linux.h
	131	+++ b/openbsd-compat/port-linux.h
	132	@@ -25,4 +25,9 @@
	133	void ssh_selinux_setup_exec_context(char *);
	134	#endif
	135
	136	+#ifdef OOM_ADJUST
	137	+int oom_adj_get(char *buf, size_t maxlen);
	138	+int oom_adj_set(const char *buf);
	139	+#endif
	140	+
	141	#endif /* ! _PORT_LINUX_H */
	142	Index: b/sshd.c
	143	===================================================================
	144	--- a/sshd.c
	145	+++ b/sshd.c
	146	@@ -254,6 +254,11 @@
	147	/* Unprivileged user */
	148	struct passwd *privsep_pw = NULL;
	149
	150	+#ifdef OOM_ADJUST
	151	+/* Linux out-of-memory killer adjustment */
	152	+static char oom_adj_save[8];
	153	+#endif
	154	+
	155	/* Prototypes for various functions defined later in this file. */
	156	void destroy_sensitive_data(void);
	157	void demote_sensitive_data(void);
	158	@@ -908,6 +913,31 @@
	159	debug3("%s: done", __func__);
	160	}
	161
	162	+#ifdef OOM_ADJUST
	163	+/*
	164	+ * If requested in the environment, tell the Linux kernel's out-of-memory
	165	+ * killer to avoid sshd. The old state will be restored when forking child
	166	+ * processes.
	167	+ */
	168	+static void
	169	+oom_adjust_startup(void)
	170	+{
	171	+ const char *oom_adj = getenv("SSHD_OOM_ADJUST");
	172	+
	173	+ if (!oom_adj \|\| !*oom_adj)
	174	+ return;
	175	+ oom_adj_get(oom_adj_save, sizeof(oom_adj_save));
	176	+ oom_adj_set(oom_adj);
	177	+}
	178	+
	179	+static void
	180	+oom_restore(void)
	181	+{
	182	+ if (oom_adj_save[0])
	183	+ oom_adj_set(oom_adj_save);
	184	+}
	185	+#endif
	186	+
	187	/* Accept a connection from inetd */
	188	static void
	189	server_accept_inetd(int sock_in, int sock_out)
	190	@@ -1670,6 +1700,11 @@
	191	/* ignore SIGPIPE */
	192	signal(SIGPIPE, SIG_IGN);
	193
	194	+#ifdef OOM_ADJUST
	195	+ /* Adjust out-of-memory killer */
	196	+ oom_adjust_startup();
	197	+#endif
	198	+
	199	/* Get a connection, either from inetd or a listening TCP socket */
	200	if (inetd_flag) {
	201	server_accept_inetd(&sock_in, &sock_out);
	202	@@ -1708,6 +1743,10 @@
	203	/* This is the child processing a new connection. */
	204	setproctitle("%s", "[accepted]");
	205
	206	+#ifdef OOM_ADJUST
	207	+ oom_restore();
	208	+#endif
	209	+
	210	/*
	211	* Create a new session and process group since the 4.4BSD
	212	* setlogin() affects the entire process group. We don't