The remote exploit is possible if such file is opened in
response to an event, for example, a web server document
stored in an aufs mountpoint.
This obviously takes more time - each i_readcount_inc() is
delayed by a remote access - but it may be sped up by many
attackers, say a DDoS, if it's possible to figure or brute
force which URLs lead to an aufs-backed file in the server.
(This can happen with Kubernetes/docker containers using
the aufs storage driver for container images for example,
with static document in the container image, and exposed
via a web server, say nginx, a very popular docker image.)
See the 'Problem Demonstration' section w/ this example.
Exploit / Remote:
---
The remote exploit is possible if such file is opened in
response to an event, for example, a web server document
stored in an aufs mountpoint.
This obviously takes more time - each i_readcount_inc() is
delayed by a remote access - but it may be sped up by many
attackers, say a DDoS, if it's possible to figure or brute
force which URLs lead to an aufs-backed file in the server.
(This can happen with Kubernetes/docker containers using
the aufs storage driver for container images for example,
with static document in the container image, and exposed
via a web server, say nginx, a very popular docker image.)
See the 'Problem Demonstration' section w/ this example.