Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 6 Aug 2013 18:47:45 +0200
From: Oleg Nesterov <oleg@...hat.com>
To: security@...nel.org, oss-security@...ts.openwall.com,
        Petr Matousek <pmatouse@...hat.com>
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
        Andy Lutomirski <luto@...capital.net>
Subject: Re: CLONE_NEWUSER local DoS

On 08/06, Petr Matousek wrote:
>
> spender reported [1] a local DoS triggerable by unprivileged user when
> user namespaces are enabled (CONFIG_USER_NS).
>
>   [1] https://twitter.com/grsecurity/status/364566062336978944
>
> Reproducer:
>
> b836010000bb00000010cd80ebf2 is for(;;)unshare(1<<28);

What happens? OOM?

I'll recheck, but at first glance this is simple, unshare_userns()
populates new_cred which is not freed by bad_unshare_cleanup_fd
if create_user_ns() fails. And create_user_ns() _should_ fail (iiuc)
when CLONE_NEWUSER is called for the second time and later due to
!kuid_has_mapping().

I'll send the patch, but perhaps there is something else. Eric?

Oleg.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.