Dmitry E. Oboukhov wrote:
qemu makes mount the directory /tmp/mount.$$. Attacker creates many symlinks /tmp/dir.\d+ -> /etc and if qemu (/usr/sbin/qemu-make-debian-root) starts then /etc goes out from root directory tree. The result: system is unusable.
I might be dense, but I don't get this.
Attacker does:
root@andean:/tmp# ln -s /etc /tmp/mount-1234
Then the genuine user does:
root@andean:/tmp# mkdir /tmp/mount-1234
mkdir: cannot create directory `/tmp/mount-1234': File exists
strace shows:
mkdir("/tmp/pmount-1234", 0777) = -1 EEXIST (File exists)
So, ok, this means the process can't continue any more (denial of
service attack), and if the process does continue this is a problem,
otherwise I can't see how this would bring the entire system down.
Brian May