Date: Thu, 14 Jul 2016 12:26:42 -0400
From: Jessica Frazelle <me@...sfraz.com>
To: oss-security@...ts.openwall.com
Cc: Greg KH <greg@...ah.com>, cve-assign@...re.org
Subject: Re: Re: cve request: local DoS by overflowing kernel
 mount table using shared bind mount

it's running systemd in a container... isn't it...

On Thu, Jul 14, 2016 at 12:18 PM, Jessica Frazelle <me@...sfraz.com> wrote:
> what is the use case for mounting /mnt:/mnt in a container?
>
> On Thu, Jul 14, 2016 at 12:15 PM, CAI Qian <caiqian@...hat.com> wrote:
>> Maybe this is a better reproducer using docker. It is exploitable even with
>> user namespace enabled.
>>
>> # docker run -it -v /mnt/:/mnt/:shared --cap-add=SYS_ADMIN rhel7 /bin/bash
>>
>> # cat /proc/self/uid_map
>>          0        995      65536
>>
>> # cat /proc/self/gid_map
>>          0        992      65536
>>
>> (inside container) # for i in $(seq 1 20); do mount -o bind /mnt/1 /mnt/2; done
>>    CAI Qian
>>
>> ----- Original Message -----
>>> From: "Greg KH" <greg@...ah.com>
>>> To: oss-security@...ts.openwall.com
>>> Cc: caiqian@...hat.com, cve-assign@...re.org
>>> Sent: Wednesday, July 13, 2016 6:45:00 PM
>>> Subject: Re: [oss-security] Re: cve request: local DoS by overflowing kernel mount table using shared bind mount
>>>
>>> On Wed, Jul 13, 2016 at 12:59:40PM -0400, cve-assign@...re.org wrote:
>>> > > It was reported that the mount table expands by a power-of-two
>>> > > with each bind mount command.
>>> >
>>> > > If the system is configured in a way that allows a non-root user
>>> > > to bind mount, even with a limited number of bind mounts
>>> > > allowed, a non-root user could cause a local DoS by quickly
>>> > > overflowing the mount table.
>>> >
>>> > > it will cause a deadlock for the whole system,
>>> >
>>> > >> form of unlimited memory consumption that is causing the problem
>>> >
>>> > Use CVE-2016-6213.
>>>
>>> A CVE for an "improperly configured system"?  Huh?  What distro has such
>>> a configuration set by default?  This isn't a kernel bug, so what is
>>> this CVE classified as being "against"?  It better not be against the
>>> Linux kernel...
>>>
>>> confused,
>>>
>>> greg k-h
>>>
>
>
>
> --
>
>
> Jessie Frazelle
> 4096R / D4C4 DD60 0D66 F65A 8EFC  511E 18F3 685C 0022 BFF3
> pgp.mit.edu



-- 


Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC  511E 18F3 685C 0022 BFF3
pgp.mit.edu
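Added example, not part of the thread above and not code from any of its participants: the reproducer hinges on the host's /mnt being handed to the container with `:shared` propagation, so every bind mount made inside the container is propagated back into the host's peer group. The POSIX shell script below reads the optional fields of /proc/self/mountinfo (shared:N, master:N, unbindable) to report a mount point's propagation type and counts the mount entries under it, which is the check a host administrator would run before (and while) letting a container bind mount into a shared subtree. The mountinfo excerpt embedded in the script is constructed for the example, not captured from a real host; the script name check_propagation.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the oss-security thread: check the propagation
# type of a mount point from /proc/self/mountinfo and count the mount entries
# under it, so a host admin can tell whether a bind mount handed to a container
# with -v ...:shared will propagate the container's mounts back into the host
# table. The sample below is a constructed mountinfo excerpt, not captured from
# a real host; line 49 stands for one "mount -o bind /mnt/1 /mnt/2" made in a
# container that shares /mnt with the host.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 8:17 / /mnt rw,relatime shared:7 - ext4 /dev/sdb1 rw
46 22 8:17 / /data rw,relatime master:7 - ext4 /dev/sdb1 rw
47 22 8:17 / /private rw,relatime - ext4 /dev/sdb1 rw
48 22 8:17 / /unb rw,relatime unbindable - ext4 /dev/sdb1 rw
49 45 8:17 /1 /mnt/2 rw,relatime shared:7 - ext4 /dev/sdb1 rw'

# propagation FILE MOUNTPOINT
# Prints shared, slave, shared+slave, private or unbindable for the mount at
# MOUNTPOINT. mountinfo fields: id, parent, maj:min, root, mount point, options,
# then zero or more optional fields (shared:N, master:N, propagate_from:N,
# unbindable) terminated by "-". No optional field means private propagation.
# Returns 1 if MOUNTPOINT is not a mount point in FILE.
propagation() {
    awk -v mp="$2" '
        $5 == mp {
            kind = "private"
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/)         kind = (kind == "slave") ? "shared+slave" : "shared"
                else if ($i ~ /^master:/)    kind = (kind == "shared") ? "shared+slave" : "slave"
                else if ($i == "unbindable") kind = "unbindable"
            }
            print kind
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# mounts_under FILE PREFIX
# Number of mount entries at PREFIX or below it; re-run this between bind
# mounts to watch the table grow instead of guessing from mount(8) output.
mounts_under() {
    awk -v p="$2" '
        p == "/" || $5 == p || index($5, p "/") == 1 { n++ }
        END { print n + 0 }
    ' "$1"
}

# Usage: sh check_propagation.sh /mnt   (reads the live /proc/self/mountinfo)
# With no argument the constructed sample above is checked instead.
if [ -n "${1:-}" ]; then
    MI=/proc/self/mountinfo
    MP=$1
else
    MI=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTINFO" > "$MI"
    MP=/mnt
fi

if kind=$(propagation "$MI" "$MP"); then
    echo "$MP: propagation=$kind, mounts under it: $(mounts_under "$MI" "$MP")"
    case $kind in
        shared*) echo "warning: bind mounts made under $MP in a container propagate back into this mount table" ;;
    esac
else
    echo "$MP is not a mount point in $MI" >&2
    exit 1
fi
```

On a live host, run it against the directory you intend to pass with `-v`; if it reports `shared`, mounts the container makes under that path land in the host's table too, which is what the reproducer relies on. Docker's `-v` accepts `slave`/`rslave` or `private`/`rprivate` in place of `shared`, and those stop container-side bind mounts from propagating back to the host while (for slave) still letting host-side mounts flow into the container.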
