-
Notifications
You must be signed in to change notification settings - Fork 424
[18.09] backport fix denial of service with large numbers in cpuset-cpus and cpuset-mems #70
[18.09] backport fix denial of service with large numbers in cpuset-cpus and cpuset-mems #70
Conversation
Need to update this one with the latest changes (after review comments on the upstream PR) |
Using a value such as `--cpuset-mems=1-9223372036854775807` would cause `dockerd` to run out of memory allocating a map of the values in the validation code. Set limits to the normal limit of the number of CPUs, and improve the error handling. Reported by Huawei PSIRT. Signed-off-by: Justin Cormack <[email protected]> Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit f8e876d) Signed-off-by: Sebastiaan van Stijn <[email protected]>
73b5df7
to
0922d32
Compare
Updated; PTAL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🐸
This is CVE-2018-20699. However, I do not believe this issue deserves a CVE, as it does not allow an attacker to do anything he can't already do. To run such docker command you have to be root/high-privileged and if you are already root/high-privileged, there's no need to use this issue to stop dockerd or cause other more serious damages. I'd like to ask MITRE to reject this flaw for the mentioned reasons. Anybody from upstream has a different opinion? Or if you are of the same idea, please do share your agreement to make MITRE decision easier. |
Yes, if you have access to the Docker remote API, you're effectively |
Lots of people run the Docker API with some lock down, and the denial of service is unexpected, so I don't think it makes sense to reject it totally, even if in many cases it is not important. Also our experience with getting MITRE to reject even obviously incorrect CVEs is not good. |
What do you mean by “some lock down”? |
Our previous experience was we just managed to get a "disputed" note added https://www.cvedetails.com/cve/CVE-2016-6595/ By "some lock down" I mean authz plugins or other means of narrowing the API. |
Plugins that would allow them to run a new container without giving them the root-like permissions to cause other similar issues? |
@justincormack If I understand correctly, both I guess what you were suggesting is that it may be possible to filter the previous commands to make them safe through plugins? E.g. limiting the |
Backport of moby#37967 for 18.09
cherry-pick was clean; no conflicts
Using a value such as
--cpuset-mems=1-9223372036854775807
would causedockerd
to run out of memory allocating a map of the values in thevalidation code. Set limits to the normal limit of the number of CPUs,
and improve the error handling.
Reported by Huawei PSIRT.
- Description for the changelog