-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2019-5736]: fix only suit for kernel > 3.11 ? #1979
Comments
Yeah, this is going to be a problem.
If your kernel doesn't have |
There are quite a few circumstances where /proc/self/exe pointing to a pretty important container binary is a _bad_ thing, so to avoid this we have to make a copy (preferably doing self-clean-up and not being writeable). We require memfd_create(2) -- though there is an O_TMPFILE fallback -- but we can always extend this to use a scratch MNT_DETACH overlayfs or tmpfs. The main downside to this approach is no page-cache sharing for the runc binary (which overlayfs would give us) but this is far less complicated. This is only done during nsenter so that it happens transparently to the Go code, and any libcontainer users benefit from it. This also makes ExtraFiles and --preserve-fds handling trivial (because we don't need to worry about it). Fixes: CVE-2019-5736 Co-developed-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: Aleksa Sarai <asarai@suse.de>
Is el7.6's kernel effected? |
@kfox1111 , check your kernel version |
el based systems are notorious for back porting lots of patches from newer kernels. the version number rarely reflects its actual functionality. |
el7.6 kernel has the |
how to check kernel version 3.xx weather has the |
@xiaoding945 the easiest way is to write a simple C program that uses |
@giuseppe @xianlubird I learned it the hard way that the simple presence of In short:
|
0a8e411 is a good work to fix CVE-2019-5736, but I get some problem with the patch on kernel 3.10.
The background is that our production online use two major kernel 3.10 and 4.9. In patch,
memfd_create
supported until kernel 3.17, other method useO_TMPFILE
, it is supported until 3.11.the other confused me is that with these code
even I run code on kernel 2.6,
HAVE_MEMFD_CREATE
always been defined, butmemfd_create
not work.The text was updated successfully, but these errors were encountered: