Bug 1982526 - containers/storage: creation of very deep directories in containers causes high memory usage triggering OOM killer
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1982531
Blocks: 1982529
Reported: 2021-07-15 06:13 UTC by Sam Fowler
Modified: 2023-07-07 08:35 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Sam Fowler 2021-07-15 06:13:19 UTC
Creation of very deep, nested directory structures inside a container leads to high inode usage, exhausting available system memory and triggering the OOM killer. A malicious process inside a container can exploit this to cause a denial of service on the host system.

Comment 3 Sam Fowler 2021-07-15 07:35:09 UTC
Additionally, CRI-O will fail to clean up the malicious container as it's unable to remove the created deep directory. Both Go's stdlib and coreutils `rm` traverse the created directory structure during removal, increasing inode usage and causing system memory to spike, subsequently triggering the OOM killer again.
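
The removal failure described in Comment 3 stems from how the tree is walked; the following is an added example, not code from this report, CRI-O or containers/storage, written in Python rather than the projects' Go. It removes a tree iteratively and fd-relative (two directory fds open at most, ascending through ".." and checking the parent's inode so a rename during the walk is refused), so neither PATH_MAX nor a recursion limit caps the depth; it does not address the kernel-side inode memory the report describes, and `demo` builds a constructed fixture in a temporary directory.

```python
import os
import tempfile
# O_NOFOLLOW: a symlink planted inside the tree cannot redirect the walk outside it.
_DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def _ident(fd):
    return os.fstat(fd)[1:3]                         # (st_ino, st_dev) of the directory

def remove_tree(root):
    """Delete `root` and all below it, returning the deepest level reached.
    Fd-relative and iterative, so neither PATH_MAX nor a recursion limit applies."""
    fd, trail, deepest = os.open(root, _DIR_FLAGS), [], 0
    while True:
        with os.scandir(fd) as it:
            entries = list(it)
        sub = next((e for e in entries if e.is_dir(follow_symlinks=False)), None)
        if sub is not None:                          # descend, dropping the parent fd
            child = os.open(sub.name, _DIR_FLAGS, dir_fd=fd)
            trail.append((sub.name, _ident(fd)))
            os.close(fd)
            fd, deepest = child, max(deepest, len(trail))
            continue
        for e in entries:                            # leaf: only non-directories remain
            os.unlink(e.name, dir_fd=fd)
        if not trail:
            os.close(fd)
            os.rmdir(root)
            return deepest
        name, parent_id = trail.pop()
        parent = os.open("..", _DIR_FLAGS, dir_fd=fd)
        os.close(fd)
        if _ident(parent) != parent_id:              # tree moved under us: refuse
            os.close(parent)
            raise RuntimeError("directory tree changed during removal")
        fd = parent
        os.rmdir(name, dir_fd=fd)

def demo(depth):
    # Constructed fixture: a chain of `depth` one-letter directories (longer than
    # PATH_MAX once depth exceeds ~2000) with a file and a symlink at the bottom.
    root = tempfile.mkdtemp()
    fd = os.open(root, _DIR_FLAGS)
    for _ in range(depth):
        os.mkdir("d", dir_fd=fd)
        fd, old = os.open("d", _DIR_FLAGS, dir_fd=fd), fd
        os.close(old)
    os.close(os.open("leaf.txt", os.O_WRONLY | os.O_CREAT, dir_fd=fd))
    os.symlink(root, "escape", dir_fd=fd)            # must be unlinked, never followed
    os.close(fd)
    return remove_tree(root), os.path.exists(root)
```

`demo(5000)` builds a chain whose full path is far beyond PATH_MAX and returns `(5000, False)`: the depth reached and whether the root still exists afterwards.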

Comment 6 Steve Whitehouse 2021-07-15 12:13:04 UTC
Do we know exactly which filesystem(s) are affected? Or is this a VFS issue that will affect all of them?

Comment 36 Sam Fowler 2021-07-26 08:05:12 UTC
Upstream issues (for container removal):

https://github.com/golang/go/issues/47390
https://github.com/cri-o/cri-o/issues/5126


Upstream PR (for inode quotas):

https://github.com/containers/storage/pull/970