oss-sec mailing list archives
Re: CVE-2019-5736: runc container breakout (all versions)
From: Florian Weimer <fweimer () redhat com>
Date: Tue, 12 Feb 2019 14:55:18 +0100
* Aleksa Sarai:
+ memfd = memfd_create(MEMFD_COMMENT, MFD_CLOEXEC|MFD_ALLOW_SEALING); + if (memfd < 0) + goto err_binfd;
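Review bot: the error path in this hunk treats every memfd_create() failure as fatal (goto err_binfd), which also covers ENOSYS on kernels older than 3.17 that lack the syscall; if the patch is meant to ship as a security update for all runc versions, checking for errno == ENOSYS here and falling back to another copy strategy would avoid turning the fix into a hard kernel dependency. Also note that MFD_ALLOW_SEALING by itself only permits sealing later; the copy is not read-only until an fcntl(memfd, F_ADD_SEALS, ...) call is made after the binary has been written, and that call is not visible in the quoted lines.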
Is it really necessary to use a memfd_create here? Do you really need sealing? It's a bit odd to add a new system call dependency in a security update.

The ability to fexecve a memfd descriptor is also rather odd. I wouldn't have expected execute permissions on memfd descriptors, so this sounds like a kernel bug (which now can't be fixed).

I saw some other patch with a O_TMPFILE replacement. Does this really work? It's possible to create a new name with linkat, so that's not a real win security-wise.

Could you just make a copy, under a different owner, and not care how it is going to be modified?

Thanks,
Florian
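The sealed-memfd copy that the thread is debating, as an added example; this is not runc's own code (the quoted hunk is the only part of runc's patch on this page) and not Florian's. It assumes a Linux kernel with memfd_create (3.17 or later) and a libc that exposes it; the function names and the sample payload are constructed for illustration. It shows the step the quoted hunk does not: after the bytes are written, F_ADD_SEALS makes the descriptor immutable, so a later write through the same descriptor is rejected with EPERM while reads still return the original content.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy `len` bytes into an anonymous memfd and seal it against any further
 * size or content change. Returns the sealed fd, or -1 with errno set
 * (errno == ENOSYS means the running kernel has no memfd_create at all). */
int sealed_copy(const void *data, size_t len)
{
    int fd = memfd_create("sealed_copy_example", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;

    const char *p = data;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, p + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        off += (size_t)n;
    }

    /* MFD_ALLOW_SEALING only permits sealing; this call is what makes the
     * copy read-only. F_SEAL_SEAL also prevents the seal set from changing. */
    if (fcntl(fd, F_ADD_SEALS,
              F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if an attempted write is refused with EPERM (the sealed case), else 0. */
int write_is_rejected(int fd)
{
    ssize_t n = pwrite(fd, "X", 1, 0);
    return (n < 0 && errno == EPERM) ? 1 : 0;
}

/* 1 if the fd still holds exactly `expected`, else 0. */
int content_matches(int fd, const void *expected, size_t len)
{
    char buf[256];
    if (len > sizeof buf)
        return 0;
    ssize_t n = pread(fd, buf, len, 0);
    return (n == (ssize_t)len && memcmp(buf, expected, len) == 0) ? 1 : 0;
}

/* Drives the whole sequence on a constructed payload.
 * Returns 0 on success, or a step number identifying the failing check. */
int run_demo(void)
{
    static const char sample[] = "constructed sample payload, not a real binary";
    int fd = sealed_copy(sample, sizeof sample);
    if (fd < 0)
        return 1;                       /* memfd_create or sealing failed */
    if (!write_is_rejected(fd)) {
        close(fd);
        return 2;                       /* seals did not block the write */
    }
    if (!content_matches(fd, sample, sizeof sample)) {
        close(fd);
        return 3;                       /* content was altered or unreadable */
    }
    close(fd);
    return 0;
}

int main(void)
{
    int rc = run_demo();
    if (rc == 0)
        puts("sealed copy: write rejected, content intact");
    else
        fprintf(stderr, "demo failed at step %d: %s\n", rc, strerror(errno));
    return rc;
}
```

The seals live on the memfd's inode, not on the descriptor, so reopening the same object through another path does not restore write access; that is the property a sealed memfd has over an O_TMPFILE copy, where a second name can be created with linkat. The trade-off Florian raises stands: on a kernel without memfd_create the call fails with ENOSYS and the caller must decide whether to fall back or refuse to run.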