-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mount: access to automounted volumes can lock up #15221
Comments
A duplicate of #14294? |
Is this reproducible on current systemd? rhel7/rhel8 is very old, and we fixed a lot of stuff since then. We only track issues in current systemd here... |
@w-simon is it possible to reproduce the issue from regular user (non root)? |
Hello, we found this problem in some kata container environment (they have long mount paths), and then found that it can trigger a DoS. We have not yet tried whether non-root users can produce similar failures. However, nfs supports non-root user mounting, and similar scenarios may be constructed. |
You mean in the kernel inside the VM which runs the container?
You would still need a privileged user to mark the mount entry in /etc/fstab, wouldn't you? |
@w-simon Hi! Just wanted to ping you for #15221 (comment) . So far it does not seem there is a clear way for unprivileged users to trigger this, so I don't think it deserves a CVE (unless proven otherwise of course). If you feel otherwise, please provide examples so we can reproduce as unprivileged user or show there is a cross of privileged boundaries. In any case since the issue is now public it would be better to request the CVE to MITRE, if needed. |
Hi, thank you very much for your comments. Sorry for the delay. We found that this issue occurs on some servers, many kata containers running on these servers, and these containers have some very long path, such as (/run/kata-containers/shared/sandboxes/f0ea3efdb417f442128830e86118cf216d1d236d6f970205a680972bcd062f74/f0ea3efdb417f442128830e86118cf216d1d236d6f970205a680972bcd062f74-a1bed3c11a474518-xxxxxx_yyyyy_mix) . We are not security professionals, and have not found a way for unprivileged users to trigger it. |
Whenever we pick up a new line in /proc/self/mountinfo and want to synthesize a new mount unit from it, let's say which one it is. Moreover, downgrade the log message when we encounter a mount point with an overly long name to LOG_WARNING, since it's generally fine to ignore such mount points. Also, attach a catalog entry to explain the situation further. Prompted-By: systemd#15221
Whenever we pick up a new line in /proc/self/mountinfo and want to synthesize a new mount unit from it, let's say which one it is. Moreover, downgrade the log message when we encounter a mount point with an overly long name to LOG_WARNING, since it's generally fine to ignore such mount points. Also, attach a catalog entry to explain the situation further. Prompted-By: systemd#15221
systemd version the issue has been seen with
The maximum unit_name currently supported by systemd is only 256 bytes,
but the name of the mount is generated by the path, and the maximum path can be 4k bytes.
This may cause systemd to fail to setup mount units.
Also due to #10874 , a mount point fails, the error will be passed upward from mount_setup_unit(),
and eventually mount_shutdown () will be called, and the monitored /proc/1/mountinfo file will be closed.
So, we may trigger a denial of service failure similar to CVE-2018-1049, as follows:
This patch may fix this DoS error:
commit ba0d56f ("mount: don't propagate errors from mount_setup_unit() further up")
However, in a container environment, some mount paths are indeed very long,
so the limit of 256 bytes of the unit name may not be appropriate,
and we may also need to expand the unit name to 4k.
The text was updated successfully, but these errors were encountered: