Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87va1pdsc9.fsf@oldenburg2.str.redhat.com>
Date: Tue, 12 Feb 2019 14:55:18 +0100
From: Florian Weimer <fweimer@...hat.com>
To: Aleksa Sarai <cyphar@...har.com>
Cc: oss-security@...ts.openwall.com,  dev@...ncontainers.org, Christian Brauner <christian.brauner@...ntu.com>
Subject: Re: CVE-2019-5736: runc container breakout (all versions)

* Aleksa Sarai:

> +	memfd = memfd_create(MEMFD_COMMENT, MFD_CLOEXEC|MFD_ALLOW_SEALING);
> +	if (memfd < 0)
> +		goto err_binfd;

Is it really necessary to use a memfd_create here?  Do you really need
sealing?  It's a bit odd to add a new system call dependency in a
security update.  The ability fexecve a memfd descriptor is also rather
odd.  I wouldn't have expected execute permissions on memfd descriptors,
so this sounds like a kernel bug (which now can't be fixed).

I saw some other patch with a O_TMPFILE replacement.  Does this really
work?  It's possible to create a new name with linkat, so that's not a
real win security-wise.  Could you just make a copy, under a different
owner, and not care how it is going to be modified?

Thanks,
Florian

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.