[Bug 258287] [jail] Easily exhaust host kernel's numvnodes or dp_dirty_total in a jail which may cause Dos attack
Date: Sun, 05 Sep 2021 12:29:35 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258287
Bug ID: 258287
Summary: [jail] Easily exhaust host kernel's numvnodes or dp_dirty_total in a jail which may cause Dos attack
Product: Base System
Version: Unspecified
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: 1203405394@qq.com
Hello, we find two underlying jail security issues to exhaust the host kernel's
resources, which may cause a DoS attack.
The first one is we can easily exhaust the host's `numvnodes` and reach the
`maxvnodes` limit in a jail.
The second one is we can keep producing dirty data in a jail and make
`dp_dirty_total` reach the `zfs_dirty_data_max` limit. As a result, other writing
requests may be delayed.
Reproduction steps:
1. We set up jails following the FreeBSD's handbook.
2. Use `ezjail-admin create` commands to create a normal malicious jail.
3. For numvnodes, we just keep creating directories using the `mkdir` command in
the malicious jail. Host's numvnodes will keep rising until it reaches the
maxvnodes limit.
4. For `dp_dirty_total`, we observed that the `zfs_dirty_data_max` limit is
800Mi, and we keep writing data to a file at high speed. As a result, the host's
`dp_dirty_total` will reach the `zfs_dirty_data_max` limit and cause other
writing requests to be delayed.
Although it seems that there is no serious performance and functional impact on
the host, I wonder if there should be some way to limit the per-jail `vnodes` or
`dp_dirty_total`, like `rctl`, which can prevent malicious jails from launching a
DoS attack.
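A host-side check for the first issue in the report, as an added example that is not part of the original report or of FreeBSD: it parses `sysctl vfs.numvnodes kern.maxvnodes` output and flags when the host's vnode count approaches the limit. The function names, the 80/95 percent thresholds and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Host-side watch on vnode pressure (added example, not FreeBSD code).
# Input format: output of `sysctl vfs.numvnodes kern.maxvnodes`,
# one "name: value" pair per line.

# Constructed sample, used when the script is not run on a FreeBSD host.
SAMPLE='vfs.numvnodes: 498112
kern.maxvnodes: 524288'

# sysctl_value NAME TEXT: print the value of NAME found in TEXT, or nothing.
sysctl_value() {
    printf '%s\n' "$2" | awk -F': ' -v k="$1" '$1 == k { print $2; exit }'
}

# vnode_pressure TEXT [WARN_PCT] [CRIT_PCT]
# Prints "STATUS used/max pct%" where STATUS is OK, WARN or CRIT,
# or just "UNKNOWN" when either counter is missing or not a number.
vnode_pressure() {
    used=$(sysctl_value vfs.numvnodes "$1")
    max=$(sysctl_value kern.maxvnodes "$1")
    warn=${2:-80}
    crit=${3:-95}
    for v in "$used" "$max"; do
        case "$v" in
            ''|*[!0-9]*) echo "UNKNOWN"; return 0 ;;
        esac
    done
    if [ "$max" -eq 0 ]; then echo "UNKNOWN"; return 0; fi
    pct=$(( used * 100 / max ))
    if [ "$pct" -ge "$crit" ]; then status=CRIT
    elif [ "$pct" -ge "$warn" ]; then status=WARN
    else status=OK
    fi
    echo "$status $used/$max ${pct}%"
}

# Read the live counters on a FreeBSD host; fall back to the sample elsewhere.
live=$(sysctl vfs.numvnodes kern.maxvnodes 2>/dev/null) || live=$SAMPLE
vnode_pressure "$live"
```

Run from cron or a monitoring agent on the host, a WARN or CRIT result is the cue to look for a jail that is creating filesystem objects at an unusual rate.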