[lxc-devel] [lxc/lxc] 68a196: lxc_clone: pass non-stack allocated stack to clone

Christian Brauner noreply at github.com
Thu Jun 13 14:07:43 UTC 2019


  Branch: refs/heads/stable-3.0
  Home:   https://github.com/lxc/lxc
  Commit: 68a1966d0eab9495fd7fe542ca82f8eaf2bc2e40
      https://github.com/lxc/lxc/commit/68a1966d0eab9495fd7fe542ca82f8eaf2bc2e40
  Author: Tycho Andersen <tycho at tycho.ws>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/namespace.c

  Log Message:
  -----------
  lxc_clone: pass non-stack allocated stack to clone

There are two problems with this code:

1. The math is wrong. We allocate a char *foo[__LXC_STACK_SIZE]; which
   means it's really sizeof(char *) * __LXC_STACK_SIZE, instead of just
   __LXC_STACK_SIZE.

2. We can't actually allocate it on our stack. When we use CLONE_VM (which
   we do in the shared ns case) that means that the new thread is just
   running one page lower on the stack, but anything that allocates a page
   on the stack may clobber data. This is a pretty short race window since
   we just do the shared ns stuff and then do a clone without CLONE_VM.

However, it does point out an interesting possible privilege escalation if
things aren't configured correctly: do_share_ns() sets up namespaces while
it shares the address space of the task that spawned it; once it enters the
pid ns of the thing it's sharing with, the thing it's sharing with can
ptrace it and write stuff into the host's address space. Since the function
that does the clone() is lxc_spawn(), it has a struct cgroup_ops* on the
stack, which itself has function pointers called later in the function, so
it's possible to allocate shellcode in the address space of the host and
run it fairly easily.

ASLR doesn't mitigate this since we know exactly the stack offsets; however
this patch has the kernel allocate a new stack, which will help. Of course,
the attacker could just check /proc/pid/maps to find the location of the
stack, but they'd still have to guess where to write stuff in.

The thing that does prevent this is the default configuration of apparmor.
Since the apparmor profile is set in the second clone, and apparmor
prevents ptracing things under a different profile, attackers confined by
apparmor can't do this. However, if users are using a custom configuration
with shared namespaces, care must be taken to avoid this race.

Shared namespaces aren't widely used now, so perhaps this isn't a problem,
but with the advent of crio-lxc for k8s, this functionality will be used
more.

Signed-off-by: Tycho Andersen <tycho at tycho.ws>
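The two defects in point 1 and point 2 above, shown side by side in an added example that is not lxc's code: a sizing helper that contrasts `sizeof(char *[N])` with the intended byte count, and a small clone() wrapper that hands the child a heap-allocated stack instead of a slice of the caller's own. DEMO_STACK_SIZE, child_fn, run_on_heap_stack and the "constructed" message are this example's own names; it assumes a downward-growing stack (x86, arm64) and restates glibc's clone(2) prototype so it builds even if a harness pulls in system headers before the _GNU_SOURCE define.

```c
/* Added example, not lxc code: size the clone() child stack in bytes and
 * allocate it on the heap rather than on the parent's stack. */
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* <sched.h> only declares clone() under _GNU_SOURCE; restating glibc's
 * prototype keeps this file self-contained if another header came first. */
extern int clone(int (*fn)(void *), void *child_stack, int flags, void *arg, ...);

/* Hypothetical size for this demo; the commit message names lxc's constant
 * (__LXC_STACK_SIZE) but not its value. */
#define DEMO_STACK_SIZE (64 * 1024)

/* Point 1: an array of N pointers is sizeof(char *) times larger than the
 * N bytes the declaration was meant to reserve. */
size_t stack_bytes_as_pointer_array(void) { return sizeof(char *[DEMO_STACK_SIZE]); }
size_t stack_bytes_as_char_array(void)    { return sizeof(char[DEMO_STACK_SIZE]); }

struct child_arg { const char *msg; };

/* Runs in the child. Without CLONE_VM the child owns a private copy of the
 * address space, so touching its stack cannot clobber the parent's frames. */
static int child_fn(void *p)
{
	struct child_arg *a = p;
	char scratch[4096];                 /* deliberately use a page of the new stack */
	memset(scratch, 'A', sizeof(scratch));
	return (int)strlen(a->msg) + (scratch[0] == 'A');   /* becomes the exit status */
}

/* Point 2: clone a child onto a malloc'd stack and return its exit status,
 * or -1 on failure. The stack grows down, so the child receives a pointer
 * to the END of the buffer. */
int run_on_heap_stack(const char *msg)
{
	struct child_arg arg = { .msg = msg };
	int status = 0, ret = -1;
	char *stack = malloc(DEMO_STACK_SIZE);      /* bytes, not pointers */
	if (!stack)
		return -1;

	pid_t pid = clone(child_fn, stack + DEMO_STACK_SIZE, SIGCHLD, &arg);
	if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
		ret = WEXITSTATUS(status);

	free(stack);                                /* safe: the child has exited */
	return ret;
}

int main(void)
{
	printf("char *[N] is %zu bytes, char[N] is %zu bytes\n",
	       stack_bytes_as_pointer_array(), stack_bytes_as_char_array());
	printf("child exit status: %d\n", run_on_heap_stack("constructed"));
	return 0;
}
```

The wrapper passes only SIGCHLD, so it behaves like fork() with a caller-chosen stack; it is the separate, non-CLONE_VM allocation that removes the window in which a shared-address-space child could scribble over the parent's frames, which is the property the patch above restores.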


  Commit: 4f7e281fc2c18c23c5c854cb3eaafa69fb33349d
      https://github.com/lxc/lxc/commit/4f7e281fc2c18c23c5c854cb3eaafa69fb33349d
  Author: Tycho Andersen <tycho at tycho.ws>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M doc/lxc.container.conf.sgml.in

  Log Message:
  -----------
  doc: add a little note about shared ns + LSMs

We should add a little note about the race in the previous patch.

Signed-off-by: Tycho Andersen <tycho at tycho.ws>


  Commit: 8a545679076e2aabf205bd920b9e28d3cfb9ab6d
      https://github.com/lxc/lxc/commit/8a545679076e2aabf205bd920b9e28d3cfb9ab6d
  Author: Tycho Andersen <tycho at tycho.ws>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/namespace.c

  Log Message:
  -----------
  lxc_clone: get rid of some indirection

We have a do_clone(), which just calls a void f(void *) that it gets
passed. We build up a struct consisting of two args that are just the
actual arg and actual function. Let's just have the syscall do this for us.

Signed-off-by: Tycho Andersen <tycho at tycho.ws>


  Commit: ada49c36601042abc7c1a816d5078d0cddcf0161
      https://github.com/lxc/lxc/commit/ada49c36601042abc7c1a816d5078d0cddcf0161
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/cgroups/cgfsng.c

  Log Message:
  -----------
  cgroups: handle offline cpus in v1 hierarchy

Handle offline cpus in v1 hierarchy.

In addition to isolated cpus we also need to account for offline cpus when our
ancestor cgroup is the root cgroup and we have not been initialized yet.

Closes #2953.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 0b96d4ab55b3caf17e9aac71bcbf6dc0593fc22f
      https://github.com/lxc/lxc/commit/0b96d4ab55b3caf17e9aac71bcbf6dc0593fc22f
  Author: Alexander Kriventsov <akriventsov at nic.ru>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/cmd/lxc_user_nic.c

  Log Message:
  -----------
  fix issue 2765

Signed-off-by: Alexander Kriventsov <akriventsov at nic.ru>


  Commit: 5874424117395e6cd31fae53ff4f0effb78106c6
      https://github.com/lxc/lxc/commit/5874424117395e6cd31fae53ff4f0effb78106c6
  Author: Tycho Andersen <tycho at tycho.ws>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/namespace.c

  Log Message:
  -----------
  lxc_clone: bump stack size to 8MB

This is the default thread size for glibc, so it is reasonable to match
that when we clone().

Mostly this is a science experiment suggested by brauner, and who doesn't
love science?

Signed-off-by: Tycho Andersen <tycho at tycho.ws>


  Commit: f6032bf5a559aceda03f730d86d147429b4b996b
      https://github.com/lxc/lxc/commit/f6032bf5a559aceda03f730d86d147429b4b996b
  Author: Tycho Andersen <tycho at tycho.ws>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/namespace.c

  Log Message:
  -----------
  lxc_clone: add a comment about stack size

Signed-off-by: Tycho Andersen <tycho at tycho.ws>


  Commit: 04220c0cf234cc9910a879de6e3bcee4faec6040
      https://github.com/lxc/lxc/commit/04220c0cf234cc9910a879de6e3bcee4faec6040
  Author: Alexander Kriventsov <akriventsov at nic.ru>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/cmd/lxc_user_nic.c
    M src/lxc/utils.h

  Log Message:
  -----------
  getgrgid_r fails with ERANGE if buffer is too small. Retry with a larger buffer.

Signed-off-by: Alexander Kriventsov <akriventsov at nic.ru>


  Commit: 12d6e2b1e199c92ca6d24c6d08a1ccb0cb19dfb8
      https://github.com/lxc/lxc/commit/12d6e2b1e199c92ca6d24c6d08a1ccb0cb19dfb8
  Author: Brian McQueen <bmcqueen at linkedin.com>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/cmd/lxc_usernsexec.c

  Log Message:
  -----------
  lxc_usernsexec: continuing after unshare fails leads to confusing and misleading error messages

Signed-off-by: Brian McQueen <bmcqueen at linkedin.com>


  Commit: 26a376518a3a59f5dbb3aadfb8962f7947b33733
      https://github.com/lxc/lxc/commit/26a376518a3a59f5dbb3aadfb8962f7947b33733
  Author: LiFeng <lifeng68 at huawei.com>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/start.c

  Log Message:
  -----------
  start: fix handler memory leak at lxc_init failed

Signed-off-by: LiFeng <lifeng68 at huawei.com>


  Commit: 4f4a49765fc9c9a883145a98427b4b883775be3c
      https://github.com/lxc/lxc/commit/4f4a49765fc9c9a883145a98427b4b883775be3c
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/cgroups/cgfsng.c

  Log Message:
  -----------
  cgroups: prevent segfault

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


  Commit: 925bcb126b532aad2a53c0c2d42714601cca714c
      https://github.com/lxc/lxc/commit/925bcb126b532aad2a53c0c2d42714601cca714c
  Author: Rachid Koucha <47061324+Rachid-Koucha at users.noreply.github.com>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M templates/lxc-busybox.in

  Log Message:
  -----------
  Make /tmp accessible to any user

/tmp created with "rwxrwxrwt" mode

Signed-off-by: Rachid Koucha <rachid.koucha at gmail.com>


  Commit: 436253a745b1fbf8aa08dcf78f5cecd8fd337bba
      https://github.com/lxc/lxc/commit/436253a745b1fbf8aa08dcf78f5cecd8fd337bba
  Author: Paul Romlow <paul at romlow.com>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/lxccontainer.c

  Log Message:
  -----------
  proposed fix for #2892 - fix lxcbasename in lxc/lxccontainer.c

Signed-off-by: Paul Romlow <paul at romlow.com>


  Commit: 0847afdf8beab8396cfcc2450560a64135151b97
      https://github.com/lxc/lxc/commit/0847afdf8beab8396cfcc2450560a64135151b97
  Author: Christian Brauner <christian.brauner at ubuntu.com>
  Date:   2019-06-13 (Thu, 13 Jun 2019)

  Changed paths:
    M src/lxc/Makefile.am
    M src/lxc/conf.c
    A src/lxc/uuid.c
    A src/lxc/uuid.h

  Log Message:
  -----------
  start: generate new boot id on container start

Closes #3027.

BugLink: https://bugs.launchpad.net/bugs/1831258
Cc: Dimitri John Ledkov <xnox at ubuntu.com>
Cc: Scott Moser <smoser at ubuntu.com>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/f9bbc96e3b3b...0847afdf8bea
