The video provides a lucid demonstration of how the efficiency of copy-on-write can be weaponized into a denial-of-service attack. It is a concise primer for understanding the fragile balance between process management and system stability.
How Linux fork() Can Crash a System
This machine got compromised. It is hard to notice, but if you look at the process table, you will see something like this.
In this video, we will understand the basics of Linux forking and see how it can be abused by hackers. Forking is a way of creating a copy of a running process. When a process forks, it becomes the parent. The process that was born from forking is the child. Let's do a quick demo.
When we launch a Python shell, we see it in the process table.
To fork, we run the os.fork method.
This will return the process ID of the child, and another number, which we will discuss in a bit. Going back to the process table, we now see two instances of Python. The first is the parent and the second is the child.
Both of them are identical to each other. At the start, they point to the same memory location. The only time they will diverge is when either of them performs some modification or change. If that happens, one process will create a separate memory allocation and perform the writes there. This is done so it will not affect the memory space of the other process. This is called the copy-on-write mechanism, or COW. If we kill the child, see what happens.
It becomes defunct.
This is called a zombie process. The kernel leaves it in that state to give the parent a chance to do proper cleanup. Most of us would think rebooting the machine is the only way to clear them. But there is a graceful way of handling zombie processes. In order to do that, we need to invoke the wait system call.
After invoking, we will see two numbers inside the tuple. The first is the process ID of the child, and the second is the exit status. Nine represents SIGKILL, which tells us how the child was terminated.
Now, when we go back to the process table, the zombie process is gone.
Let's try a different thing by doing it the other way around, that is, by killing the parent rather than the child. Take note that under normal circumstances, the child's PPID is set to the parent's PID.
Now, if we kill the parent, the child remains, which makes it an orphan process. Also, notice one more thing.
The child's PPID is now set to one, which is the init process. What happened here is that init adopted the child.
That's because the child no longer has a parent, and there will be no one to perform a proper cleanup. So, the init process will now take care of that responsibility.
Let's analyze forking from a different view. This time, let's understand how this is implemented at a low level. We have here a small C program that will fork itself. When a program runs, it becomes a process. If that process wants to fork itself, the fork system call needs to be invoked. This will return an integer, which most of the time corresponds to a process ID. If for some reason forking failed, we would get a negative number.
If the number is zero, then that means the program code is running inside the child process. Else, if it is a number greater than one, that means forking was successful, and the code is still running inside the parent. At that point, a child process is born, and the number returned is its process ID. There are some nuances here. We know that forking is cloning yourself. Does it mean the child process runs the program again from the start? Not really. The child process will start the execution after the fork is invoked, which is in this part.
That is another optimization done by the kernel to conserve resources.
The number of possible PIDs inside a Linux machine is determined by this file.
If that limit is exhausted, programs will no longer work, and your machine will stop working as a whole. Attackers can perform denial of service by abusing this limit. They can run malicious programs that will fork many processes.
To do that, the program can loop through a large amount of numbers. Then, for each iteration, a child process will be created. During that time, the child will be forced to exit, but the parent will not do proper cleanup by invoking the wait system call. This is a legitimate way of performing denial of service. So, if you see a lot of defunct processes in your machine, try to look into it as soon as possible.
Forking is a common Linux kernel operation. This is used by programs to run services or scale their capacity.
Attackers may abuse this by forcing a fork without doing proper cleanup. I hope you learned something today. If you find my content valuable, please support me by liking this video and subscribing to my channel. See you on the next one.
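The fork, SIGKILL, defunct, wait() sequence from the demo, written out in C as an added example (not code from the video), together with the check a defender would run when defunct entries pile up in the process table. It assumes Linux with /proc mounted; the function names are my own.

```c
#include <ctype.h>
#include <dirent.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* State letter from /proc/<pid>/stat ('R', 'S', 'Z', ...); '?' if the entry is gone. */
static char proc_state(pid_t pid)
{
    char path[64], buf[512];
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return '?';
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    char *p = strrchr(buf, ')');   /* comm may contain spaces: state follows the last ')' */
    return (p && p[1] == ' ') ? p[2] : '?';
}

/* Defender check: count processes in state 'Z' (shown as <defunct> by ps) across /proc. */
int count_zombies(void)
{
    DIR *d = opendir("/proc");
    if (!d) return -1;
    int zombies = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        if (isdigit((unsigned char)e->d_name[0]) && proc_state(atoi(e->d_name)) == 'Z')
            zombies++;
    closedir(d);
    return zombies;
}

/* Fork, SIGKILL the child, observe it as a zombie, then reap it with waitpid().
   Stores the state letter seen before and after reaping; returns the terminating signal. */
int zombie_then_reap(char *before, char *after)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { pause(); _exit(0); }               /* child: idle until killed */
    kill(pid, SIGKILL);
    for (int i = 0; i < 200 && (*before = proc_state(pid)) != 'Z'; i++) usleep(5000);
    if (waitpid(pid, &status, 0) != pid) return -1;     /* the "wait" step that clears it */
    *after = proc_state(pid);                           /* /proc entry is gone once reaped */
    return WIFSIGNALED(status) ? WTERMSIG(status) : -1; /* 9 == SIGKILL */
}
```

Skipping the waitpid() call is exactly what leaves the 'Z' entry behind, and count_zombies() is the number to watch on a host where defunct processes keep appearing.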