oss-sec mailing list archives

Re: CLONE_NEWUSER local DoS

From: Oleg Nesterov <oleg () redhat com>
Date: Tue, 6 Aug 2013 18:47:45 +0200

On 08/06, Petr Matousek wrote:


spender reported [1] a local DoS triggerable by unprivileged user when
user namespaces are enabled (CONFIG_USER_NS).

  [1] https://twitter.com/grsecurity/status/364566062336978944

Reproducer:

b836010000bb00000010cd80ebf2 is for(;;)unshare(1<<28);


What happens? OOM?

I'll recheck, but at first glance this is simple, unshare_userns()
populates new_cred which is not freed by bad_unshare_cleanup_fd
if create_user_ns() fails. And create_user_ns() _should_ fail (iiuc)
when CLONE_NEWUSER is called for the second time and later due to
!kuid_has_mapping().

I'll send the patch, but perhaps there is something else. Eric?

Oleg.

Current thread:

CLONE_NEWUSER local DoS Petr Matousek (Aug 06)
- Re: CLONE_NEWUSER local DoS Kurt Seifried (Aug 06)
- Re: CLONE_NEWUSER local DoS Oleg Nesterov (Aug 06)
  - [PATCH 0/1] (Was: CLONE_NEWUSER local DoS) Oleg Nesterov (Aug 06)
    - [PATCH 1/1] userns: unshare_userns(&cred) should not populate cred on failure Oleg Nesterov (Aug 06)
    - Re: [PATCH 1/1] userns: unshare_userns(&cred) should not populate cred on failure Andy Lutomirski (Aug 06)
    - Re: [PATCH 1/1] userns: unshare_userns(&cred) should not populate cred on failure Eric W. Biederman (Aug 06)
    - Re: [PATCH 0/1] (Was: CLONE_NEWUSER local DoS) Petr Matousek (Aug 07)
  - Re: CLONE_NEWUSER local DoS Andy Lutomirski (Aug 06)
    - Re: CLONE_NEWUSER local DoS Oleg Nesterov (Aug 06)