Date: Thu, 14 Jul 2016 12:26:42 -0400
From: Jessica Frazelle <me@...sfraz.com>
To: oss-security@...ts.openwall.com
Cc: Greg KH <greg@...ah.com>, cve-assign@...re.org
Subject: Re: Re: cve request: local DoS by overflowing kernel mount table using shared bind mount

it's running systemd in a container... isn't it...

On Thu, Jul 14, 2016 at 12:18 PM, Jessica Frazelle <me@...sfraz.com> wrote:
> what is the use case for mounting /mnt:/mnt in a container?
>
> On Thu, Jul 14, 2016 at 12:15 PM, CAI Qian <caiqian@...hat.com> wrote:
>> Maybe this is a better reproducer using docker. It is exploitable even with
>> user namespace enabled.
>>
>> # docker run -it -v /mnt/:/mnt/:shared --cap-add=SYS_ADMIN rhel7 /bin/bash
>>
>> # cat /proc/self/uid_map
>> 0 995 65536
>>
>> # cat /proc/self/gid_map
>> 0 992 65536
>>
>> (inside container) # for i in `seq 1 20`; do mount -o bind /mnt/1 /mnt/2; done
>>
>> CAI Qian
>>
>> ----- Original Message -----
>>> From: "Greg KH" <greg@...ah.com>
>>> To: oss-security@...ts.openwall.com
>>> Cc: caiqian@...hat.com, cve-assign@...re.org
>>> Sent: Wednesday, July 13, 2016 6:45:00 PM
>>> Subject: Re: [oss-security] Re: cve request: local DoS by overflowing kernel mount table using shared bind mount
>>>
>>> On Wed, Jul 13, 2016 at 12:59:40PM -0400, cve-assign@...re.org wrote:
>>> > > It was reported that the mount table expands by a power of two
>>> > > with each bind mount command.
>>> >
>>> > > If the system is configured in a way that allows a non-root user
>>> > > to bind mount, even with a limited number of bind mounts
>>> > > allowed, a non-root user could cause a local DoS by quickly
>>> > > overflowing the mount table.
>>> >
>>> > > it will cause a deadlock for the whole system,
>>> >
>>> > >> form of unlimited memory consumption that is causing the problem
>>> >
>>> > Use CVE-2016-6213.
>>>
>>> A CVE for an "improperly configured system"? Huh? What distro has such
>>> a configuration set by default? This isn't a kernel bug, so what is
>>> this CVE classified as being "against"? It better not be against the
>>> Linux kernel...
>>>
>>> confused,
>>>
>>> greg k-h
>
> --
> Jessie Frazelle
> 4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
> pgp.mit.edu

-- 
Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC 511E 18F3 685C 0022 BFF3
pgp.mit.edu
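An added example, not part of the thread and not code from Docker or the kernel: a small parser for /proc/self/mountinfo that flags mounts carrying shared propagation (the state the `:shared` volume option above puts /mnt into) and lets an operator count how many mounts a namespace currently holds. The sample mountinfo lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    mount_point: str
    fstype: str
    source: str
    peer_group: Optional[int]  # N from the "shared:N" optional field; None if not shared

def _unescape(s: str) -> str:
    """mountinfo octal-escapes space, tab, newline and backslash (e.g. \\040 for space)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)

def parse_mountinfo(text: str) -> List[MountEntry]:
    """Parse /proc/[pid]/mountinfo (proc(5)): id parent major:minor root mountpoint
    mount-options [optional fields...] - fstype source super-options"""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        fields, tail = pre.split(), post.split()
        if not sep or len(fields) < 6 or len(tail) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        peer = None
        for opt in fields[6:]:  # shared:N, master:N, propagate_from:N or unbindable
            if opt.startswith("shared:"):
                peer = int(opt.split(":", 1)[1])
        entries.append(MountEntry(int(fields[0]), int(fields[1]),
                                  _unescape(fields[4]), tail[0], tail[1], peer))
    return entries

def shared_mounts(entries: List[MountEntry]) -> List[MountEntry]:
    """Mounts with shared propagation: a bind mount beneath one is replicated
    into every peer, which is what lets the reproducer above multiply mounts."""
    return [e for e in entries if e.peer_group is not None]

# Constructed sample lines, not captured from a real system.
SAMPLE = """\
22 1 0:20 / / rw,relatime - overlay overlay rw
45 22 8:1 / /mnt rw,relatime shared:1 - xfs /dev/sda1 rw
46 45 8:1 /1 /mnt/2 rw,relatime shared:1 - xfs /dev/sda1 rw
47 22 0:5 / /proc rw,nosuid - proc proc rw
48 22 0:30 / /tmp/with\\040space rw - tmpfs tmpfs rw
"""
```

On a live host or inside a container, feed `open("/proc/self/mountinfo").read()` to `parse_mountinfo` and compare `len()` of the result between runs to see whether the table is growing.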