From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755122AbcAVVzn (ORCPT <rfc822;w@1wt.eu>);
	Fri, 22 Jan 2016 16:55:43 -0500
Received: from zeniv.linux.org.uk ([195.92.253.2]:53386 "EHLO
	ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751431AbcAVVzl (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Fri, 22 Jan 2016 16:55:41 -0500
Date: Fri, 22 Jan 2016 21:55:37 +0000
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: David Howells <dhowells@redhat.com>, LKML <linux-kernel@vger.kernel.org>,
        Miklos Szeredi <mszeredi@suse.cz>,
        syzkaller <syzkaller@googlegroups.com>,
        Kostya Serebryany <kcc@google.com>,
        Alexander Potapenko <glider@google.com>,
        Eric Dumazet <edumazet@google.com>,
        Sasha Levin <sasha.levin@oracle.com>,
        Robert Swiecki <swiecki@google.com>, Kees Cook <keescook@google.com>
Subject: Re: fs: sandboxed process brings host down
Message-ID: <20160122215537.GH17997@ZenIV.linux.org.uk>
References: <CACT4Y+aRgUi9CxMOi7GO3eU3aDZhOkpY9gbO1Qmt6=bAjLXTXQ@mail.gmail.com>
 <20160122212157.GG17997@ZenIV.linux.org.uk>
 <CACT4Y+b7TKbS6iaPLuo0iZStRJQ3BOBLTG1ZyC2nrh-=66bWDA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACT4Y+b7TKbS6iaPLuo0iZStRJQ3BOBLTG1ZyC2nrh-=66bWDA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jan 22, 2016 at 10:38:40PM +0100, Dmitry Vyukov wrote:

> My 2GB VM dies at around just 10-th iteration, is it normal?
> Each iteration consumes several hundreds of megs of kernel memory. And
> there seems to be exponential slowdown at around 5-th iteration.
> I understand that there can be lots of forms of a local DoS. But there
> seems to be something pathological about this particular one. And it
> happens only with sandboxing that is meant to reduce DoS
> possibilities...

Sandboxing == giving attacker to do mount without being root.

As for exponential - sure, you double the amount of mounts on each step
(if not quadruple - I don't have your code in front of me right now,
but ISTR two mount --rbind in there).  More obvious form would be
for i in `seq 64`; do mkdir /tmp/$i; mount --rbind / /tmp/$i; done - there
the entire tree would be visible (and visibly exponential by the number of
iterations).

I doubt that the first iteration chews hundreds of megs, BTW.  If you
really get two mount --rbind per iteration, you would have about a million-fold
increase of the number of mounts after ten iterations, and having that chew
2Gb is quite plausible; in that case the first iteration would eat about 10K
or so...