* Report Bug to Linux Control Group
@ 2021-04-20  9:48 nanzi yang
  0 siblings, 0 replies; 2+ messages in thread
From: nanzi yang @ 2021-04-20  9:48 UTC (permalink / raw)
  To: tj-DgEjT+Ai2ygdnm+yROfE0A, lizefan.x-EC8Uxl6Npydl57MIdRCFDg,
	hannes-druUgvl0LCNAfugRpC6u6w
  Cc: cgroups-u79uwXL29TY76Z2rM5mHXA, shenwenbo-Y5EWUtBUdg4nDS1+zs4M5A

Hi, our team has found a problem in the fs subsystem of Linux kernel v5.10,
leading to DoS attacks.

The struct file can be exhausted by normal users by calling multiple
syscalls such as timerfd_create/pipe/open etc. Although the rlimit
limits the maximum number of fds that can be opened by a single process,
a normal user can fork multiple processes, repeatedly make the
timerfd_create/pipe/open syscalls and exhaust all struct files. As a
result, all struct-file-allocation related operations of all other
users will fail.

In fact, we tried this attack inside an unprivileged docker container
without any capabilities. The processes in the docker container can exhaust
all struct files on the host kernel. We used a machine with 16G memory. We
started 2000 processes, each process with a 1024 limit. In total, around
1613400 struct files were consumed and there was no available
struct file left in the kernel. The total consumed memory is less than 2G,
which is small, so the memory control group cannot help.

This is caused by the code snippet listed below:

/*----------------fs/file_table.c----------------*/
   ......
134 struct file *alloc_empty_file(int flags, const struct cred *cred)
135 {
        ......
142     if (get_nr_files() >= files_stat.max_files && !capable(CAP_SYS_ADMIN)) {
               ......
147            if (percpu_counter_sum_positive(&nr_files) >= files_stat.max_files)
148                   goto over;
149     }
       ......
157 over:
       ......
163     return ERR_PTR(-ENFILE);
164 }
/*-----------------------------------------------*/

The code at line 147 can be triggered by the syscalls
timerfd_create/pipe/open etc. Besides, there are no Linux control
groups or Linux namespaces that can limit or isolate the struct file
resources. Is it necessary to create a new control group or
namespace to defend against this attack?

Looking forward to your reply!

Nanzi Yang
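The condition the report describes (the global file table at fs.file-max, after which alloc_empty_file() returns ENFILE for every non-CAP_SYS_ADMIN caller) is visible from user space in /proc/sys/fs/file-nr. The following is an added example written for this page, not code from the thread or from the kernel: it parses that file, raises an alert as the table approaches its ceiling, and aggregates open fds per UID so the account driving the consumption can be identified. The sample inputs are constructed; the file-nr text reuses the 1613400 figure from the report as both the allocated count and the ceiling, and the process list is a small made-up snapshot.

```python
"""Defender-side check for struct file exhaustion (added example, not from the thread).

/proc/sys/fs/file-nr has three whitespace-separated fields:
  allocated handles, allocated-but-unused handles (0 on modern kernels), fs.file-max.
Once in-use handles reach fs.file-max, alloc_empty_file() fails with ENFILE for
everyone without CAP_SYS_ADMIN, which is the DoS the report describes.
"""
import os
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class FileTableState:
    allocated: int  # first field of file-nr
    free: int       # second field (allocated but unused; usually 0)
    maximum: int    # third field: the fs.file-max ceiling

    @property
    def in_use(self) -> int:
        return self.allocated - self.free

    @property
    def utilization(self) -> float:
        return self.in_use / self.maximum if self.maximum else 1.0


def parse_file_nr(text: str) -> FileTableState:
    """Parse the raw contents of /proc/sys/fs/file-nr."""
    fields = text.split()
    if len(fields) != 3:
        raise ValueError(f"unexpected file-nr format: {text!r}")
    allocated, free, maximum = (int(f) for f in fields)
    return FileTableState(allocated, free, maximum)


def file_table_alert(state: FileTableState, warn_at: float = 0.8) -> Tuple[bool, str]:
    """Return (alert, message). Alert once utilization crosses warn_at."""
    pct = 100.0 * state.utilization
    if state.in_use >= state.maximum:
        return True, (f"file table exhausted: {state.in_use}/{state.maximum} "
                      f"({pct:.1f}%); new allocations will fail with ENFILE")
    if state.utilization >= warn_at:
        return True, f"file table at {pct:.1f}% ({state.in_use}/{state.maximum})"
    return False, f"file table at {pct:.1f}% ({state.in_use}/{state.maximum})"


def fds_by_uid(processes: Iterable[Tuple[int, int, int]]) -> Counter:
    """Aggregate (pid, uid, open_fd_count) triples into uid -> total open fds."""
    totals: Counter = Counter()
    for _pid, uid, nfds in processes:
        totals[uid] += nfds
    return totals


def top_consumer(processes: Iterable[Tuple[int, int, int]]) -> Optional[Tuple[int, int]]:
    """Return (uid, total_fds) for the UID holding the most open fds, or None."""
    totals = fds_by_uid(processes)
    if not totals:
        return None
    return totals.most_common(1)[0]


def snapshot_processes() -> List[Tuple[int, int, int]]:
    """Live (pid, uid, fd_count) snapshot from /proc; Linux only, best effort."""
    result = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            uid = os.stat(f"/proc/{entry}").st_uid
            nfds = len(os.listdir(f"/proc/{entry}/fd"))
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # process exited or fd table not readable by this user
        result.append((int(entry), uid, nfds))
    return result


# Constructed sample data (not captured from a real system).
SAMPLE_FILE_NR_EXHAUSTED = "1613400\t0\t1613400\n"
SAMPLE_FILE_NR_NORMAL = "4224\t0\t1613400\n"
SAMPLE_PROCESSES = [(100 + i, 1000, 1024) for i in range(5)] + [(1, 0, 30), (2, 0, 12)]


if __name__ == "__main__":
    for text in (SAMPLE_FILE_NR_NORMAL, SAMPLE_FILE_NR_EXHAUSTED):
        alert, msg = file_table_alert(parse_file_nr(text))
        print(("ALERT " if alert else "ok    ") + msg)
    print("heaviest fd consumer in sample:", top_consumer(SAMPLE_PROCESSES))
```

On a live host, feed `open("/proc/sys/fs/file-nr").read()` to parse_file_nr() and snapshot_processes() to top_consumer(); the per-UID view matters because the report's amplification comes from many processes under one user, each individually within its fd rlimit. The knobs that bound that amplification today are the process count (RLIMIT_NPROC, or pids.max in the cgroup v2 pids controller) rather than the file table itself, which is exactly the gap the message asks about.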


* Report Bug to Linux Control Group
@ 2021-04-20  9:11 杨男子
  0 siblings, 0 replies; 2+ messages in thread
From: 杨男子 @ 2021-04-20  9:11 UTC (permalink / raw)
  To: tj-DgEjT+Ai2ygdnm+yROfE0A, lizefan.x-EC8Uxl6Npydl57MIdRCFDg,
	hannes-druUgvl0LCNAfugRpC6u6w
  Cc: cgroups

Hi, our team has found a problem in the fs subsystem of Linux kernel v5.10, leading to DoS attacks.

The struct file can be exhausted by normal users by calling multiple syscalls such as timerfd_create/pipe/open etc. Although the rlimit limits the maximum number of fds that can be opened by a single process, a normal user can fork multiple processes, repeatedly make the timerfd_create/pipe/open syscalls and exhaust all struct files. As a result, all struct-file-allocation related operations of all other users will fail.

In fact, we tried this attack inside an unprivileged docker container without any capabilities. The processes in the docker container can exhaust all struct files on the host kernel. We used a machine with 16G memory. We started 2000 processes, each process with a 1024 limit. In total, around 1613400 struct files were consumed and there was no available struct file left in the kernel. The total consumed memory is less than 2G, which is small, so the memory control group cannot help.

This is caused by the code snippet listed below:

/*----------------fs/file_table.c----------------*/
   ......
134 struct file *alloc_empty_file(int flags, const struct cred *cred)
135 {
        ......
142     if (get_nr_files() >= files_stat.max_files && !capable(CAP_SYS_ADMIN)) {
               ......
147            if (percpu_counter_sum_positive(&nr_files) >= files_stat.max_files)
148                   goto over;
149     }
       ......
157 over:
       ......
163     return ERR_PTR(-ENFILE);
164 }
/*-----------------------------------------------*/

The code at line 147 can be triggered by the syscalls timerfd_create/pipe/open etc. Besides, there are no Linux control groups or Linux namespaces that can limit or isolate the struct file resources. Is it necessary to create a new control group or namespace to defend against this attack?

Looking forward to your reply!

Nanzi Yang

