[Bugme-new] [Bug 10878] New: [security] VFS: DoSsable by user by holding open many /proc/$pid directories

bugme-daemon at bugzilla.kernel.org bugme-daemon at bugzilla.kernel.org
Fri Jun 6 14:36:24 PDT 2008


http://bugzilla.kernel.org/show_bug.cgi?id=10878

           Summary: [security] VFS: DoSsable by user by holding open many
                    /proc/$pid directories
           Product: File System
           Version: 2.5
     KernelVersion: 2.6.25.4
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: VFS
        AssignedTo: fs_vfs at kernel-bugs.osdl.org
        ReportedBy: sliedes at cc.hut.fi


Latest working kernel version: 2.6.18 possibly works, at least could not
reproduce on one 2.6.18 machine
Earliest failing kernel version:
Distribution: Debian sid (unstable)
Hardware Environment: x86 qemu
Software Environment: Minimal Debian sid (unstable)
Problem Description:

A BUG() in the VFS code can be hit by a user, even with strict ulimits I
believe, forking new processes, opening the /proc/$pid directories for them and
then killing and wait()ing for the processes. A single process can only hold
open 1021 or so such directories, so several need to be run in order to do this
(15 seems to be enough). The attached program forks 15 processes that all do
this.

I'm not actually sure this is anything very /proc related, but this is what I
did to trigger the crash.

First, I get "VFS: file-max limit 11682 reached" in the dmesg. Then simply
typing ls in the /root directory gives me the BUG().

Here's dmesg output:

----------
VFS: file-max limit 11682 reached
------------[ cut here ]------------
kernel BUG at fs/inode.c:1156!
invalid opcode: 0000 [#1]

Pid: 661, comm: bash Not tainted (2.6.25.4 #3)
EIP: 0060:[<c026f4b1>] EFLAGS: 00000246 CPU: 0
EIP is at iput+0x67/0x6b
EAX: c054cca0 EBX: c7420000 ECX: 00000001 EDX: 00000000
ESI: c60a6ab0 EDI: ffffffe9 EBP: c7afff58 ESP: c7afff54
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process bash (pid: 661, ti=c7afe000 task=c7af2ea0 task.ti=c7afe000)
Stack: c7420000 c7afff7c c02631ae c054c880 00000000 00000000 c05c8aa5 080ee9ac
       c7afffa0 bfef1458 c7afff98 c02631e1 c7afffa0 00000000 080ee9ac c7afffa0
       bfef1458 c7afffb0 c0205bb3 c7afffb0 c0207d88 080ee9ac 00000000 c7afe000
Call Trace:
 [<c02631ae>] ? create_write_pipe+0x13d/0x15f
 [<c02631e1>] ? do_pipe+0x11/0xac
 [<c0205bb3>] ? sys_pipe+0x12/0x3b
 [<c0207d88>] ? do_syscall_trace+0x8c/0xf9
 [<c0202cd2>] ? syscall_call+0x7/0xb
 =======================
Code: 00 85 c0 74 23 8b 83 04 01 00 00 8b 40 20 ba 4b 03 27 c0 85 c0 74 0d 8b
50 14 85 d2 b8 4b 03 27 c0 0f 44 d0 89 d8 ff d2 5b 5d c3 <0f> 0b eb fe 55 89 e5
56 53 83 ec 1c 8d 88 0c 02 00 00 8b 15 00
EIP: [<c026f4b1>] iput+0x67/0x6b SS:ESP 0068:c7afff54
---[ end trace 17ba5b2f93203a5e ]---
----------

Steps to reproduce:

1. Compile the attached program dos2.c with gcc dos2.c -o dos2 -O2
2. Run the program on the target computer as a normal user
3. Wait several seconds or more, depending on the speed of your computer, until
the VFS error appears in dmesg
4. Type "ls". You should get the BUG().

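As an added defender-side example (not the reporter's dos2.c, which is not part of this page), the checker below reads the three fields of /proc/sys/fs/file-nr and scans dmesg lines for the two messages quoted in the report, flagging a host whose system-wide open-file table is close to the exhaustion that precedes this BUG(). The file-nr contents and dmesg lines are constructed samples; the threshold of 90% is an assumption.

```python
import re

# Constructed sample of /proc/sys/fs/file-nr: allocated, unused, fs.file-max
SAMPLE_FILE_NR = "11680\t0\t11682\n"

# Constructed dmesg lines; the VFS and BUG messages match the report above.
SAMPLE_DMESG = """\
[  120.001] usb 1-1: new high-speed USB device
[  340.512] VFS: file-max limit 11682 reached
[  340.900] ------------[ cut here ]------------
[  340.901] kernel BUG at fs/inode.c:1156!
"""

FILE_MAX_RE = re.compile(r"VFS: file-max limit (\d+) reached")
KERNEL_BUG_RE = re.compile(r"kernel BUG at (\S+)!")


def parse_file_nr(text):
    """Return (allocated, unused, maximum) from /proc/sys/fs/file-nr."""
    allocated, unused, maximum = (int(x) for x in text.split())
    return allocated, unused, maximum


def file_table_usage(text):
    """Fraction of fs.file-max currently allocated, in the range 0.0 to 1.0."""
    allocated, _unused, maximum = parse_file_nr(text)
    return allocated / maximum


def scan_dmesg(text):
    """Return ('file-max', limit) and ('bug', location) findings in log order."""
    findings = []
    for line in text.splitlines():
        if m := FILE_MAX_RE.search(line):
            findings.append(("file-max", int(m.group(1))))
        elif m := KERNEL_BUG_RE.search(line):
            findings.append(("bug", m.group(1)))
    return findings


def check_host(file_nr_text, dmesg_text, threshold=0.9):
    """Combine both signals into a list of alert strings (empty when healthy)."""
    alerts = []
    usage = file_table_usage(file_nr_text)
    if usage >= threshold:  # assumed alerting threshold
        alerts.append(f"open-file table at {usage:.1%} of fs.file-max")
    for kind, value in scan_dmesg(dmesg_text):
        if kind == "file-max":
            alerts.append(f"kernel reported file-max limit {value} reached")
        else:
            alerts.append(f"kernel BUG at {value}")
    return alerts


if __name__ == "__main__":
    # On a live host, feed open('/proc/sys/fs/file-nr').read() and dmesg output.
    for alert in check_host(SAMPLE_FILE_NR, SAMPLE_DMESG):
        print("ALERT:", alert)
```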
