cve: ./data/2022/0xxx/CVE-2022-0070.json Incomplete fix for CVE-2021-3100. The Apache Log4j hotpatch package starting with log4j-cve-2021-44228-hotpatch-1.1-16 will now explicitly mimic the Linux capabilities and cgroups of the target Java process that the hotpatch is applied to. analysis: 1. **分析是否与 namespace、cgroup、container 或容器、隔离相关** 该 CVE 描述提到 Log4j 的 hotpatch 包会显式模仿目标 Java 进程的 Linux capabilities 和 cgroups。因此,它确实与 cgroups 相关,但没有直接提及 namespace、容器或隔离机制。 2. **分析是否会影响其他容器或宿主机** 由于该漏洞涉及模仿目标 Java 进程的 cgroups,如果目标进程运行在容器中,而 hotpatch 的行为不当(例如权限提升或资源分配错误),可能会间接影响容器的隔离性。然而,根据描述,hotpatch 的设计目的是模仿目标进程的配置,理论上不会主动破坏容器隔离或影响宿主机。因此,从描述来看,直接影响其他容器或宿主机的风险较低。 3. **结论** 条件 1 满足(与 cgroups 相关),条件 2 不完全满足(无明确证据表明会影响其他容器或宿主机)。因此,返回以下分析结果: - 与 cgroups 相关,可能间接影响容器隔离性,但无明确证据表明会导致容器逃逸或影响宿主机。 cve: ./data/2022/0xxx/CVE-2022-0185.json A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system. analysis: 1. 该 CVE 信息与 namespace 相关。具体来说,问题涉及到“unprivileged user namespaces”功能。如果系统启用了非特权用户命名空间(unprivileged user namespaces),则攻击者可以利用此漏洞。此外,问题还涉及文件系统上下文(Filesystem Context)和参数解析逻辑。 2. 该 CVE 可能会影响容器的隔离性。在容器环境中(如 Docker),如果容器启用了 unprivileged user namespaces 或具有 namespaced CAP_SYS_ADMIN 权限,则攻击者可能利用此漏洞从容器内部进行权限提升,进而影响宿主机或其他容器的安全性。 因此,根据分析要求,条件 1 和 2 均满足。 cve: ./data/2022/0xxx/CVE-2022-0324.json There is a vulnerability in DHCPv6 packet parsing code that could be explored by remote attacker to craft a packet that could cause buffer overflow in a memcpy call, leading to out-of-bounds memory write that would cause dhcp6relay to crash. Dhcp6relay is a critical process and could cause dhcp relay docker to shutdown. Discovered by Eugene Lim of GovTech Singapore. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 提及了 `dhcp relay docker` 会受到影响。这表明问题与 Docker 容器相关,并且可能影响到容器内的关键进程 (`dhcp6relay`)。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:** 根据描述,漏洞会导致 `dhcp6relay` 崩溃,进而导致 `dhcp relay docker` 关闭。这种影响似乎是局限于特定容器(`dhcp relay docker`)内部的,没有明确提到会对其他容器或宿主机造成直接影响。然而,如果 `dhcp relay docker` 是一个共享网络配置或提供关键服务的容器,它的崩溃可能会间接影响依赖它的其他容器或宿主机的服务稳定性。 3. **结论:** 条件 1 满足(与容器相关),条件 2 部分满足(虽然直接影响有限,但可能存在间接影响)。因此,返回分析结果而非 "N/A"。 cve: ./data/2022/0xxx/CVE-2022-0492.json A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly. analysis: 1. 该 CVE 信息与 namespace、cgroup、container 和隔离相关。描述中明确提到 cgroups v1 的 `release_agent` 功能,并且提到了可以绕过 namespace 的隔离。 2. 该 CVE 可能会导致容器(例如 Docker)在运行时影响其他容器或宿主机。通过利用 cgroups v1 的 `release_agent` 功能,攻击者可能能够突破容器的隔离机制,从而对宿主机或其他容器造成潜在威胁。 因此,条件 1 和 2 均满足。 cve: ./data/2022/0xxx/CVE-2022-0532.json An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. The sysctls from the list of "safe" sysctls specified for the cluster will be applied to the host if an attacker is able to create a pod with a hostIPC and hostNetwork kernel namespace. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE信息与namespace和容器隔离相关。描述中提到攻击者可以通过创建一个具有`hostIPC`和`hostNetwork`内核命名空间的Pod,导致指定的`sysctls`被应用到主机上。这表明问题涉及容器的命名空间配置以及其与宿主机的交互。 2. **是否会导致容器(如Docker等)在运行时影响其他容器或宿主机**: 是的,该漏洞可能导致容器影响宿主机。由于攻击者可以利用`hostIPC`和`hostNetwork`命名空间将`sysctls`应用到宿主机,这可能会破坏宿主机的安全性或稳定性,进而可能影响在同一宿主机上运行的其他容器。 3. **结论**: 该CVE满足条件1和条件2,因此不会返回"N/A"。 cve: ./data/2022/1xxx/CVE-2022-1055.json A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5 analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该漏洞提到了“unprivileged user namespaces”,这表明它与用户命名空间(user namespace)有关。用户命名空间是Linux内核中用于隔离用户和组ID的一种机制,广泛应用于容器技术(如Docker)中以提供隔离性。 2. **是否会导致容器(例如Docker等)在运行时影响其他容器或宿主机**: 是的,该漏洞可能导致特权提升(privilege escalation)。由于其利用需要“unprivileged user namespaces”,而这些命名空间通常在容器环境中被启用,因此攻击者可能通过此漏洞从容器内部逃逸,影响其他容器或宿主机的安全性。 **结论**:满足条件1和条件2。 cve: ./data/2022/1xxx/CVE-2022-1833.json A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 信息与 namespace 和容器隔离相关。问题发生在 AMQ Broker Operator 的部署中,低权限用户可以通过访问特定 namespace 中的秘密(secrets)获得集群范围的编辑权限。这表明在 namespace 层面的权限控制存在漏洞,可能导致隔离机制被破坏。 2. **是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:** 可能会。由于服务账户的权限超出预期,攻击者可能利用此漏洞获取集群范围的编辑权限,进而影响其他容器或宿主机。例如,攻击者可以修改其他容器的配置、访问敏感数据,甚至对宿主机进行未授权的操作。 **结论:** 满足条件 1 和 2,因此返回上述分析结果。 cve: ./data/2022/23xxx/CVE-2022-23774.json Docker Desktop before 4.4.4 on Windows allows attackers to move arbitrary files. analysis: 1. 该 CVE 信息与 namespace、cgroup、container 或者容器相关。 原因:描述中明确提到 Docker Desktop,并且涉及文件移动操作,这可能与容器的文件系统隔离机制有关。 2. 该 CVE 可能会导致容器在运行时影响其他容器或宿主机。 原因:描述中提到“允许攻击者移动任意文件”,这意味着攻击者可能利用此漏洞突破容器的隔离限制,对宿主机或其他容器的文件系统进行未授权访问或修改。 **结论:满足条件 1 和 2。** cve: ./data/2022/24xxx/CVE-2022-24122.json kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 与 namespace 相关。描述中明确提到“unprivileged user namespaces”,即非特权用户命名空间,这是 Linux 容器(如 Docker)实现隔离的重要机制之一。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:** 是的,可能会导致影响。由于存在 use-after-free 和权限提升漏洞,攻击者可以利用此漏洞突破容器的隔离机制,进而可能影响同一宿主机上的其他容器,甚至完全控制宿主机。 **结论:** 满足条件 1 和条件 2。 cve: ./data/2022/24xxx/CVE-2022-24769.json Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting. analysis: ### 分析结果: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关**: 是的,该 CVE 信息明确提到 Moby(Docker Engine)中的一个漏洞,涉及容器的启动行为以及 Linux 进程能力(capabilities)的设置。这直接影响了容器内的进程权限管理,因此与容器和隔离机制密切相关。 2. **是否会导致容器(如 Docker)在运行时影响其他容器或宿主机**: 该漏洞允许容器内的非特权用户或进程通过 inheritable file capabilities 提升权限,但这仅限于容器的 bounding set 范围内。由于 inheritable set 不会包含超出容器 bounding set 的能力,因此该漏洞不会直接突破容器的安全沙箱,也不会直接影响其他容器或宿主机的安全性。然而,它可能削弱容器内部基于用户和组的权限分离机制,从而间接增加攻击面。 ### 结论: - 满足条件 1 和 2 的部分分析要求。 - 该漏洞虽然不会直接影响宿主机或其他容器,但会对容器内部的权限隔离产生负面影响,需要关注并修复。 cve: ./data/2022/24xxx/CVE-2022-24778.json The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 信息与容器和隔离相关。`imgcrypt` 是为 `containerd` 提供支持加密容器镜像的 API 扩展,并且涉及到 `ctd-decoder` 命令行工具用于解密加密的容器镜像。此外,描述中提到可以通过使用不同的命名空间(namespaces)作为解决方法之一,这表明该问题与容器隔离机制有关。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:** 是的,该漏洞可能导致容器运行时的安全风险。由于 `CheckAuthorization` 函数的实现问题,如果某个用户之前在系统上解密了一个镜像,其他用户可能无需提供正确的密钥即可运行该镜像中的其他架构。这种行为破坏了容器之间的隔离性,可能会导致未经授权的访问或其他安全问题,进而影响其他容器或宿主机的安全性。 3. **结论:** 该 CVE 满足条件 1 和条件 2,因此需要返回上述分析内容,而不是 "N/A"。 cve: ./data/2022/25xxx/CVE-2022-25365.json Docker Desktop before 4.5.1 on Windows allows attackers to move arbitrary files. NOTE: this issue exists because of an incomplete fix for CVE-2022-23774. analysis: 1. 该 CVE 信息与 namespace、cgroup、container 或容器相关。原因是它明确提到了 Docker Desktop 在 Windows 上的问题,Docker 是一个容器化平台,因此该问题与容器技术直接相关。 2. 该 CVE 可能会导致容器在运行时影响其他容器或宿主机。根据描述,攻击者可以移动任意文件,这种行为可能突破容器的隔离性,进而对宿主机或其他容器造成潜在影响。 总结:条件 1 和 2 均满足。 cve: ./data/2022/26xxx/CVE-2022-26659.json Docker Desktop installer on Windows in versions before 4.6.0 allows an attacker to overwrite any administrator writable files by creating a symlink in place of where the installer writes its log file. Starting from version 4.6.0, the Docker Desktop installer, when run elevated, will write its log files to a location not writable by non-administrator users. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 该CVE描述的是Docker Desktop在Windows上的安装程序漏洞,涉及日志文件的写入位置以及符号链接(symlink)的滥用。虽然它与Docker相关,但并未直接涉及namespace、cgroup、容器运行时隔离等技术细节。 2. **是否会导致容器影响其他容器或宿主机**: 该漏洞发生在Docker Desktop的安装阶段,而不是容器运行时。攻击者可以通过创建符号链接覆盖管理员可写的文件,但这并不直接影响容器的运行时行为,也不会导致容器逃逸或影响其他容器。 3. **结论**: 条件1和条件2均不满足,因此返回: **N/A** cve: ./data/2022/27xxx/CVE-2022-27649.json A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE信息明确提到了Podman和Moby(Docker Engine),这些都是与容器技术密切相关的项目。问题涉及容器启动时的权限配置错误,特别是Linux进程能力(capabilities)的处理不当,这直接影响了容器的隔离性。 2. **是否会导致容器运行时影响其他容器或宿主机**: 是的,由于容器被错误地赋予了非空的继承能力(inheritable Linux process capabilities),攻击者可以利用这些能力提升权限。这种权限提升可能会导致容器突破其隔离环境,从而影响同一宿主机上的其他容器或直接危害宿主机的安全。 **结论**:满足条件1和条件2。 cve: ./data/2022/27xxx/CVE-2022-27650.json A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE与容器相关。描述中明确提到问题发生在 `crun` 和 `Moby (Docker Engine)` 中,这两个都是与容器运行时相关的组件。具体问题涉及容器启动时的权限配置不当。 2. **是否会导致容器在运行时影响其他容器或宿主机**: 是的,该漏洞可能导致容器内的攻击者提升权限,从而可能影响其他容器或宿主机。由于容器被错误地赋予了非空的继承能力(inheritable Linux process capabilities),攻击者可以利用这些能力通过 `execve(2)` 将其提升到允许的权限集(permitted set)。这种权限提升可能会突破容器的隔离机制,进而对宿主机或其他容器造成威胁。 **结论**:满足条件1和条件2,无需返回N/A。 cve: ./data/2022/27xxx/CVE-2022-27651.json A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE与容器技术相关。描述中明确提到Buildah和Moby(Docker Engine),这些都是用于创建和管理容器的工具。问题涉及容器启动时的权限配置不当,可能影响容器的隔离性。 2. **是否会导致容器在运行时影响其他容器或宿主机**: 是的,可能会导致影响。由于容器被错误地赋予了非空的继承性Linux进程能力(inheritable Linux process capabilities),攻击者可以利用这些能力提升权限,从而可能突破容器的隔离机制,影响其他容器或宿主机的安全性。 3. **结论**: 条件1和条件2均满足,因此需要返回上述分析内容。 cve: ./data/2022/27xxx/CVE-2022-27652.json A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE信息明确提到cri-o和Moby(Docker Engine),这些都是与容器技术相关的组件。问题涉及容器启动时的权限设置,特别是Linux进程能力(capabilities)的处理,这直接影响容器的隔离性。 2. **是否会导致容器在运行时影响其他容器或宿主机**: 是的,该漏洞可能导致容器内的攻击者提升权限,将继承的能力(inheritable capabilities)提升为允许的能力(permitted capabilities)。这种权限提升可能使攻击者突破容器的隔离,进而影响同一宿主机上的其他容器或直接危害宿主机的安全。 3. **结论**: 由于条件1和条件2均满足,因此返回分析结果而非"N/A"。 cve: ./data/2022/29xxx/CVE-2022-29180.json A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. This has been patched and is available in release [v0.12.1](https://github.com/charmbracelet/charm/releases/tag/v0.12.1). We recommend that all users running self-hosted `charm` instances update immediately. This vulnerability was found in-house and we haven't been notified of any potential exploiters. ### Additional notes * Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data. * Users running the official Charm [Docker images](https://github.com/charmbracelet/charm/blob/main/docker.md) are at minimal risk because the exploit is limited to the containerized filesystem. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 提到使用官方 Charm Docker 镜像的用户风险较小,因为漏洞的利用被限制在容器化的文件系统中。这表明该问题与容器化环境(如 Docker)及其隔离机制有关。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:** 根据描述,使用官方 Charm Docker 镜像的用户风险较小,因为漏洞的利用被限制在容器化的文件系统中。这意味着该漏洞不会突破容器的隔离机制,从而影响其他容器或宿主机。 **结论:** 该 CVE 与容器隔离相关,但不会导致容器影响其他容器或宿主机。 cve: ./data/2022/2xxx/CVE-2022-2403.json A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关:** 是的,该 CVE 信息与容器和 namespace 相关。问题发生在 OpenShift Container Platform 中,涉及 `oauth-serving-cert` ConfigMap 的存储位置以及其在 `openshift-config-managed` namespace 中的访问控制。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:** 这个漏洞不会直接影响其他容器或宿主机的运行时安全性,但它可能导致敏感信息(如私钥)泄露。如果恶意用户获取了外部集群证书的私钥,他们可以解密受该证书保护的网络流量,从而间接影响整个集群的安全性。虽然这不是一个直接的容器逃逸漏洞,但泄露的凭据可能被用于进一步攻击集群中的其他资源。 3. **结论:** 不满足条件 2,因此返回分析结果而非 "N/A"。 cve: ./data/2022/2xxx/CVE-2022-2837.json A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 信息与 namespace 和容器相关。问题描述中提到恶意用户可以通过创建特定的项目和命名空间(namespace)来劫持外部顶级域名(TLD)的流量,并将其重定向到他们控制的 Pod。这表明问题涉及 Kubernetes 中的命名空间(namespace)机制以及容器网络流量的路由。 2. **是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:** 是的,该漏洞可能导致容器影响其他容器或宿主机。通过利用此漏洞,攻击者可以劫持原本发往外部 TLD 的流量并将其重定向到其控制的 Pod。这种行为可能会导致数据泄露、流量劫持或其他安全问题,从而破坏容器之间的隔离性,甚至可能间接影响宿主机的安全性。 **结论:** 满足条件 1 和 2,因此返回分析结果。 cve: ./data/2022/30xxx/CVE-2022-30137.json Executive Summary An Elevation of Privilege (EOP) vulnerability has been identified within Service Fabric clusters that run Docker containers. Exploitation of this EOP vulnerability requires an attacker to gain remote code execution within a container. All Service Fabric and Docker versions are impacted. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关**: 是的,该 CVE 明确提到与 Docker 容器相关,并且涉及 Service Fabric 集群中运行的容器。这表明它与容器技术及其隔离机制有关。 2. **是否会导致容器(例如 Docker)在运行时影响其他容器或宿主机**: 是的,根据描述,这是一个权限提升 (EOP) 漏洞。攻击者需要先在容器内获得远程代码执行能力,然后利用此漏洞进一步提升权限。这种类型的漏洞可能允许攻击者突破容器的隔离限制,从而影响其他容器或宿主机的安全性。 3. **结论**: 由于条件 1 和条件 2 均满足,因此返回分析结果如下: - 与容器和隔离机制相关。 - 可能导致容器突破隔离,影响其他容器或宿主机。 cve: ./data/2022/31xxx/CVE-2022-31214.json A Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 信息与 namespace 和容器隔离相关。问题出现在 Firejail 的 `join.c` 文件中,Firejail 是一个用于沙盒化应用程序的工具,利用 Linux namespaces 提供隔离环境。漏洞描述中明确提到用户命名空间(user namespace)和挂载命名空间(mount namespace),并且涉及通过调整文件系统布局来突破隔离。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:** 虽然此漏洞是针对 Firejail 的,但其核心问题在于对命名空间的不当处理。如果类似的漏洞存在于其他容器运行时(如 Docker 的运行时),也可能导致攻击者突破容器隔离,进入初始用户命名空间,并可能进一步影响宿主机或其他容器。因此,从原理上讲,这种类型的漏洞有潜在风险影响容器运行时的安全性。 **结论:** 满足条件 1 和 2,因此返回分析结果而非 "N/A"。 cve: ./data/2022/31xxx/CVE-2022-31647.json Docker Desktop before 4.6.0 on Windows allows attackers to delete any file through the hyperv/destroy dockerBackendV2 API via a symlink in the DataFolder parameter, a different vulnerability than CVE-2022-26659. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 与容器技术相关。它涉及 Docker Desktop 在 Windows 上的一个 API (`hyperv/destroy dockerBackendV2`),并且描述中提到可以通过符号链接(symlink)在 `DataFolder` 参数中进行操作。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:** 是的,该漏洞允许攻击者通过特定 API 删除宿主机上的任意文件。这表明攻击者可以利用此漏洞破坏宿主机的文件系统,从而影响整个系统的稳定性,甚至可能波及其他容器的正常运行。 **结论:** 该 CVE 满足条件 1 和 2。 cve: ./data/2022/32xxx/CVE-2022-32250.json net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关**: 是的,该 CVE 提到 `user/net namespaces`,这表明它与 Linux 命名空间(namespace)机制相关。命名空间是容器技术(如 Docker)实现隔离的重要组成部分。 2. **是否会导致容器运行时影响其他容器或宿主机**: 有可能。由于该漏洞允许本地用户通过错误的 `NFT_STATEFUL_EXPR` 检查导致 use-after-free,从而实现权限提升到 root。如果攻击者在一个容器中利用此漏洞,可能突破容器的隔离限制,进而影响其他容器或宿主机的安全性。 **结论**:满足条件 1 和 2。 cve: ./data/2022/34xxx/CVE-2022-34292.json Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647. analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关**: 该 CVE 描述中提到 Docker Desktop for Windows 的 API 存在一个问题,允许攻击者通过符号链接(symlink)攻击覆盖任意文件。这涉及到 Docker Desktop 的内部实现和虚拟磁盘文件(`DockerDesktop.vhdx`)的处理,因此与容器技术相关。然而,它并未直接涉及 namespace、cgroup 或容器隔离机制。 2. **分析是否会导致容器运行时影响其他容器或宿主机**: 根据描述,攻击者可以通过控制 `DataFolder` 参数来覆盖宿主机上的任意文件。这种行为会直接影响宿主机的安全性,可能会导致数据损坏或恶意代码注入,从而对整个系统造成威胁。因此,该漏洞确实可能导致容器运行时影响宿主机。 **结论**: - 条件 1 满足:与容器技术相关。 - 条件 2 满足:会影响宿主机。 无需返回 "N/A"。 cve: ./data/2022/34xxx/CVE-2022-34372.json Dell PowerProtect Cyber Recovery versions before 19.11.0.2 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially access and interact with the docker registry API leading to an authentication bypass. The attacker may potentially alter the docker images leading to a loss of integrity and confidentiality analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE信息提到攻击者可以通过漏洞访问和交互 Docker Registry API,这直接与容器技术(Docker)相关。此外,提到攻击者可能篡改 Docker 镜像,这也涉及容器的完整性和机密性。 2. **是否会导致容器在运行时影响其他容器或宿主机**: 是的,攻击者通过此漏洞篡改 Docker 镜像后,可能导致以下后果: - 被篡改的镜像在运行时可能包含恶意代码,从而影响同一宿主机上的其他容器。 - 如果容器以特权模式运行或存在其他配置问题,可能进一步威胁到宿主机的安全。 因此,该漏洞可能间接导致容器之间的隔离被破坏,甚至威胁到宿主机的安全。 **结论**:满足条件1和条件2。 cve: ./data/2022/34xxx/CVE-2022-34918.json An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关**: 是的,此漏洞与 namespace 相关。描述中明确提到攻击者需要从一个非特权用户命名空间(unprivileged user namespace)开始,以获取 `CAP_NET_ADMIN` 权限。这表明该漏洞利用了 Linux 命名空间的特性。 2. **是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机**: 有可能。由于该漏洞允许本地攻击者通过类型混淆漏洞和缓冲区溢出实现权限提升(获得 root 访问权限),如果攻击者在一个容器内利用此漏洞,则可能突破容器的隔离机制,影响宿主机或其他容器的安全性。特别是当容器使用非特权用户命名空间时,攻击者仍可能通过此漏洞获取更高的权限。 **结论**:满足条件 1 和 2。 cve: ./data/2022/36xxx/CVE-2022-36109.json Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly. analysis: 1. **是否与 namespace、cgroup、container 或容器、隔离相关:** 是的,该 CVE 与容器相关。Moby(Docker Engine)是一个用于实现软件容器化的项目,问题涉及容器内的用户和组权限设置,这直接影响容器的隔离特性。 2. **是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:** 在这种情况下,攻击者需要直接访问一个容器并操纵其补充组权限。虽然这可能允许攻击者在受影响的容器内绕过某些限制(例如访问敏感信息或执行代码),但没有明确证据表明此漏洞可以直接突破容器隔离,影响其他容器或宿主机。因此,该漏洞的影响主要限于单个容器内部。 **结论:** 条件 1 满足,条件 2 不完全满足(影响限于单个容器)。 cve: ./data/2022/37xxx/CVE-2022-37326.json Docker Desktop for Windows before 4.6.0 allows attackers to delete (or create) any file through the dockerBackendV2 windowscontainers/start API by controlling the pidfile field inside the DaemonJSON field in the WindowsContainerStartRequest class. This can indirectly lead to privilege escalation. analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关**: 该 CVE 提及了 Docker Desktop for Windows 的 `dockerBackendV2 windowscontainers/start API`,并且涉及对 `pidfile` 字段的控制。这表明问题与容器的启动配置和管理有关,因此与容器技术(container)相关。 2. **分析是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机**: 攻击者可以通过控制 `pidfile` 字段来删除或创建任意文件,这种行为可能会直接影响宿主机的文件系统。如果攻击者利用此漏洞修改关键系统文件,可能会导致宿主机被完全控制或容器之间的隔离机制被破坏。因此,该漏洞可能导致容器运行时影响宿主机的安全性。 3. **结论**: 条件 1 和条件 2 均满足,因此返回以下分析结果: - 与容器和隔离相关。 - 可能会导致容器运行时影响其他容器或宿主机。 cve: ./data/2022/38xxx/CVE-2022-38730.json Docker Desktop for Windows before 4.6 allows attackers to overwrite any file through the windowscontainers/start dockerBackendV2 API by controlling the data-root field inside the DaemonJSON field in the WindowsContainerStartRequest class. This allows exploiting a symlink vulnerability in ..\dataRoot\network\files\local-kv.db because of a TOCTOU race condition. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE与容器技术相关。它涉及到Docker Desktop for Windows中的`dockerBackendV2 API`,并且通过控制`DaemonJSON`字段中的`data-root`,可以利用符号链接漏洞影响容器的文件系统配置。 2. **是否会导致容器(例如Docker等)在运行时影响其他容器或宿主机**: 是的,该漏洞可能导致容器逃逸或影响宿主机。攻击者可以通过覆盖宿主机上的任意文件(如`local-kv.db`),利用TOCTOU(Time-of-check to time-of-use)竞争条件漏洞,进而可能影响其他容器或宿主机的安全性。 3. **结论**: 由于条件1和条件2均满足,因此不需要返回"N/A"。 cve: ./data/2022/39xxx/CVE-2022-39206.json Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue. analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关**: 该 CVE 描述中明确提到 Docker 容器的使用场景,尤其是 `/var/run/docker.sock` 被挂载到容器中。这涉及到容器的隔离性问题,因为通过访问 Docker 套接字,用户可以与宿主机上的 Docker 守护进程交互,从而突破容器的隔离。 2. **分析是否会导致容器(例如 Docker)在运行时影响其他容器或宿主机**: 是的,该漏洞会导致容器突破隔离,影响宿主机甚至其他容器。攻击者可以通过控制 Docker 守护进程,在宿主机上执行任意命令,或者创建、删除、修改其他容器。这种行为可能会导致宿主机被完全控制,并可能进一步影响同一宿主机上的其他容器。 3. **结论**: 由于条件 1 和条件 2 都满足,因此返回以下分析结果: - 与容器隔离相关:是 - 可能影响其他容器或宿主机:是 cve: ./data/2022/39xxx/CVE-2022-39321.json GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands was discovered in versions prior to 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4 that allows an input to escape the environment variable and modify that docker command invocation directly. Jobs that use container actions, job containers, or service containers alongside untrusted user inputs in environment variables may be vulnerable. The Actions Runner has been patched, both on `github.com` and hotfixes for GHES and GHAE customers in versions 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4. GHES and GHAE customers may want to patch their instance in order to have their runners automatically upgrade to these new runner versions. As a workaround, users may consider removing any container actions, job containers, or service containers from their jobs until they are able to upgrade their runner versions. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE与容器相关。问题涉及GitHub Actions Runner在调用Docker CLI时,由于环境变量编码逻辑的漏洞,可能导致恶意输入篡改Docker命令的执行。这直接影响到容器的运行方式。 2. **是否会导致容器(如Docker)在运行时影响其他容器或宿主机**: 是的,该漏洞可能会影响其他容器或宿主机。如果攻击者能够利用此漏洞修改Docker命令的执行,他们可能会绕过预期的隔离机制,从而对宿主机或其他容器造成潜在威胁。例如,通过篡改Docker命令,攻击者可能注入恶意参数,导致容器以非预期的方式运行,甚至可能逃逸到宿主机。 3. **结论**: 由于条件1和条件2均满足,因此返回上述分析结果。 cve: ./data/2022/41xxx/CVE-2022-41737.json IBM Storage Scale Container Native Storage Access 5.1.2.1 through 5.1.7.0 could allow a local attacker to initiate connections from a container outside the current namespace. IBM X-Force ID: 237811. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE明确提到“initiate connections from a container outside the current namespace”,即从容器中发起连接到当前命名空间之外的目标。这直接涉及到了容器的命名空间(namespace)隔离机制。 2. **是否会导致容器在运行时影响其他容器或宿主机**: 是的,由于该漏洞允许容器突破其当前的命名空间限制,可能会导致容器访问或影响其他容器或宿主机上的资源。这种行为破坏了容器之间的隔离性,可能带来安全风险。 因此,该CVE满足条件1和条件2。 cve: ./data/2022/41xxx/CVE-2022-41939.json knative.dev/func is is a client library and CLI enabling the development and deployment of Kubernetes functions. Developers using a malicious or compromised third-party buildpack could expose their registry credentials or local docker socket to a malicious `lifecycle` container. This issues has been patched in PR #1442, and is part of release 1.8.1. This issue only affects users who are using function buildpacks from third-parties; pinning the builder image to a specific content-hash with a valid `lifecycle` image will also mitigate the attack. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 信息与容器和隔离相关。描述中提到“expose their registry credentials or local docker socket to a malicious `lifecycle` container”,表明问题涉及将敏感信息(如 Docker Socket)暴露给恶意的容器。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:** 是的,这可能导致影响。如果攻击者利用此漏洞,通过恶意的 `lifecycle` 容器访问本地 Docker Socket,他们可以进一步控制宿主机上的其他容器或直接对宿主机进行攻击。这种行为破坏了容器之间的隔离性,并可能危及整个容器化环境的安全。 **结论:** 满足条件 1 和 2。 cve: ./data/2022/42xxx/CVE-2022-42919.json Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9. analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关**: 该 CVE 涉及 Linux 的机器本地网络命名空间(machine local network namespace),并且提到 Linux 抽象命名空间套接字(abstract namespace sockets)。虽然它提到了命名空间,但这里的命名空间是指 Linux 的 socket 抽象命名空间,而不是与容器隔离直接相关的 mount namespace、PID namespace 等。因此,这个漏洞并不直接与容器或隔离技术(如 cgroup、namespace)相关。 2. **分析是否会导致容器运行时影响其他容器或宿主机**: 该漏洞主要影响使用 Python `multiprocessing` 库的程序,并且需要特定配置(`forkserver` 启动方法和抽象命名空间套接字)。此漏洞允许在相同机器上的用户通过反序列化 pickles 执行任意代码,从而实现权限提升。然而,这种攻击的前提是攻击者已经能够在目标机器上运行代码。在容器环境中,如果容器没有共享宿主机的网络命名空间(即容器有自己的独立网络命名空间),那么攻击范围将被限制在容器内部,不会直接影响其他容器或宿主机。因此,该漏洞在默认容器配置下不会直接导致容器影响其他容器或宿主机。 3. **结论**: 根据以上分析,该 CVE 不满足条件 1 和条件 2,因此返回: **N/A** cve: ./data/2022/46xxx/CVE-2022-46167.json Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and Resource Quota items. An attacker could detach the Namespace from a Tenant that is forbidding starting privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement labels, and being able to start privileged containers that would be able to start a generic Kubernetes privilege escalation. Patches have been released for version 0.1.3. No known workarounds are available. analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,此 CVE 与 namespace 和容器隔离相关。问题的核心在于 Kubernetes 的多租户框架 Capsule 中,ServiceAccount 在特定权限下可以修改其所在 Namespace 的 Owner Reference,从而破坏 Capsule Operator 的协调机制,并移除诸如 Pod Security 标签、网络策略等强制执行的安全措施。这直接影响了 namespace 的隔离性,使得攻击者可以在不受限制的情况下启动特权容器。 2. **分析是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:** 是的,此漏洞可能导致容器运行时影响其他容器或宿主机。通过移除 Owner Reference 和安全标签,攻击者可以启动特权容器,这种容器能够突破默认的隔离机制,访问宿主机资源或干扰其他容器的正常运行。这可能会导致宿主机上的敏感信息泄露、资源滥用,甚至进一步的权限提升和系统控制。 **结论:满足条件 1 和 2。** cve: ./data/2022/47xxx/CVE-2022-47952.json lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist. analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关:** 该 CVE 提到 `lxc-user-nic`,这是一个与 LXC(Linux Containers)相关的工具。LXC 是一种轻量级的容器技术,依赖于 Linux 的 namespaces 和 cgroups 实现隔离。因此,这个 CVE 明确与容器和 namespace 相关。 2. **分析是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:** 根据描述,该漏洞允许本地用户通过错误消息推断某个文件是否存在。这种信息泄露可能会被攻击者利用来获取敏感路径的信息,但并没有提到直接的权限提升或对宿主机或其他容器的直接影响。然而,由于它涉及 LXC 的网络命名空间管理工具 (`lxc-user-nic`),如果攻击者能够利用此漏洞进一步探索系统,可能会间接威胁到容器隔离性或宿主机的安全性。 3. **结论:** 条件 1 和条件 2 部分满足,因此返回以下分析结果: - 与 namespace 和容器技术相关。 - 可能间接影响容器隔离性,但需要结合其他攻击手段才能对宿主机或其他容器造成实质性威胁。 cve: ./data/2022/48xxx/CVE-2022-48638.json In the Linux kernel, the following vulnerability has been resolved: cgroup: cgroup_get_from_id() must check the looked-up kn is a directory cgroup has to be one kernfs dir, otherwise kernel panic is caused, especially cgroup id is provide from userspace. analysis: 1. 该 CVE 信息与 namespace、cgroup、container 或容器、隔离相关。 - 描述中明确提到 `cgroup` 和 `kernfs dir`,并且涉及用户空间提供的 cgroup ID,这表明它与 cgroup 的实现和使用有关。 - cgroup 是 Linux 容器(如 Docker)实现资源限制和隔离的重要组成部分。 2. 该 CVE 可能会导致容器在运行时影响其他容器或宿主机。 - 如果 `cgroup_get_from_id()` 没有正确检查查找的 kernfs 节点是否为目录,可能会导致内核崩溃(kernel panic)。这种问题可能被恶意用户利用,通过提供无效或恶意构造的 cgroup ID 来触发内核崩溃。 - 在共享内核的容器环境中(如 Docker),这种漏洞可能允许一个容器影响其他容器或宿主机的稳定性。 结论:满足条件 1 和 2。 cve: ./data/2022/48xxx/CVE-2022-48671.json In the Linux kernel, the following vulnerability has been resolved: cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() syzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at cpuset_attach() [1], for commit 4f7e7236435ca0ab ("cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock") missed that cpuset_attach() is also called from cgroup_attach_task_all(). Add cpus_read_lock() like what cgroup_procs_write_start() does. analysis: 1. 该 CVE 信息与 cgroup 相关,因为它涉及到 `cgroup_attach_task_all()` 函数以及 `cpus_read_lock()` 的使用。Cgroup 是 Linux 内核中的一个功能模块,用于限制、控制和隔离进程组的资源使用(如 CPU、内存等),并且是容器技术(如 Docker)实现资源隔离的重要组成部分。 2. 尽管该漏洞涉及 cgroup,但它主要是关于内核中锁机制的正确性问题(`percpu_rwsem_assert_held(&cpu_hotplug_lock)` 警告)。从描述来看,这个问题并不会直接影响容器的隔离性或导致一个容器影响其他容器或宿主机。它更像是一个内核代码路径的健壮性修复,而不是安全漏洞。 **结论**: N/A cve: ./data/2022/48xxx/CVE-2022-48757.json In the Linux kernel, the following vulnerability has been resolved: net: fix information leakage in /proc/net/ptype In one net namespace, after creating a packet socket without binding it to a device, users in other net namespaces can observe the new `packet_type` added by this packet socket by reading `/proc/net/ptype` file. This is minor information leakage as packet socket is namespace aware. Add a net pointer in `packet_type` to keep the net namespace of of corresponding packet socket. In `ptype_seq_show`, this net pointer must be checked when it is not NULL. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,该CVE与namespace相关。具体来说,它涉及网络命名空间(net namespace)。问题发生在创建一个未绑定到设备的packet socket时,其他网络命名空间中的用户可以观察到该packet socket添加的`packet_type`信息。 2. **是否会导致容器(例如Docker等)在运行时影响其他容器或宿主机**: 该漏洞导致的是信息泄露问题,而非权限提升或直接破坏隔离性的问题。虽然其他网络命名空间中的用户可以观察到新增的`packet_type`,但这只是轻微的信息泄露,并不会直接影响其他容器或宿主机的安全性。然而,在多租户环境中,这种信息泄露可能会被用于推测某些敏感信息,因此仍需注意。 **结论**:满足条件1和条件2的部分要求,但影响程度有限。 cve: ./data/2022/48xxx/CVE-2022-48799.json In the Linux kernel, the following vulnerability has been resolved: perf: Fix list corruption in perf_cgroup_switch() There's list corruption on cgrp_cpuctx_list. This happens on the following path: perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list) cpu_ctx_sched_in ctx_sched_in ctx_pinned_sched_in merge_sched_in perf_cgroup_event_disable: remove the event from the list Use list_for_each_entry_safe() to allow removing an entry during iteration. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关**: 是的,这个 CVE 与 cgroup 相关。问题出现在 `perf_cgroup_switch()` 函数中,涉及到 `cgrp_cpuctx_list` 的列表操作。Cgroups(控制组)是 Linux 内核中的一个功能,用于限制、控制和隔离进程组的资源使用(如 CPU、内存、磁盘 I/O 等)。Perf 工具利用 cgroups 来对性能事件进行分组管理。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机**: 可能会。由于该漏洞涉及 cgroup 的列表操作,如果出现列表损坏(list corruption),可能会导致以下后果: - 在多租户环境中(例如容器编排系统 Kubernetes 中),不同容器之间的资源监控和限制可能失效。 - 如果容器内的进程触发了该漏洞,可能会导致宿主机上的 cgroup 数据结构损坏,从而影响整个系统的稳定性,甚至可能导致宿主机崩溃。 - 攻击者可能利用此漏洞逃逸容器环境,影响宿主机或其他容器。 因此,该漏洞有可能影响容器的隔离性,并对宿主机和其他容器造成潜在威胁。 **结论**:满足条件 1 和条件 2。 cve: ./data/2022/48xxx/CVE-2022-48944.json In the Linux kernel, the following vulnerability has been resolved: sched: Fix yet more sched_fork() races Where commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group") fixed a fork race vs cgroup, it opened up a race vs syscalls by not placing the task on the runqueue before it gets exposed through the pidhash. Commit 13765de8148f ("sched/fair: Fix fault in reweight_entity") is trying to fix a single instance of this, instead fix the whole class of issues, effectively reverting this commit. analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关** 该 CVE 描述中提到 `sched_fork()` 函数中的竞争条件问题,并且明确提到了 `cgroup`(控制组)。因此,此漏洞与 cgroup 相关,而 cgroup 是容器技术(如 Docker)实现资源隔离的重要组成部分。所以,该 CVE 与容器和隔离机制有一定关联。 2. **分析是否会导致容器在运行时影响其他容器或宿主机** 该漏洞涉及 `sched_fork()` 函数的竞争条件问题,可能导致任务在被加入运行队列之前通过 `pidhash` 暴露出来。这种问题可能会影响调度器的行为,进而可能导致任务分配或资源管理的异常。由于 `cgroup` 是容器资源限制的核心机制,如果该漏洞被利用,可能会导致容器逃逸或影响宿主机的资源分配,从而影响其他容器或宿主机的安全性。 3. **结论** 根据以上分析,该 CVE 信息满足条件 1 和条件 2。 cve: ./data/2022/48xxx/CVE-2022-48988.json In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it allowing any file to slip through. With the invarients broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-free's. Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关** 是的,这个 CVE 信息与 cgroup 相关。问题出现在 `memcg_write_event_control()` 函数中,该函数用于处理 cgroup 的内存控制功能。具体来说,问题涉及对 cgroup 接口文件的操作,包括文件名访问 (`dentry->d_name`) 和父目录访问。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机** 可能会。由于该漏洞允许任意文件通过检查,并可能导致竞争条件(race condition),从而引发 use-after-free 问题。如果攻击者能够利用此漏洞,在容器环境中可能会影响其他容器或宿主机的安全性。例如,use-after-free 漏洞可能会被利用来执行任意代码或导致系统崩溃。虽然 cgroup 本身主要用于资源限制和隔离,但这种类型的漏洞可能会破坏隔离机制,进而影响整个系统的稳定性或安全性。 因此,基于以上分析,该 CVE 满足条件 1 和条件 2。 cve: ./data/2022/49xxx/CVE-2022-49266.json In the Linux kernel, the following vulnerability has been resolved: block: fix rq-qos breakage from skipping rq_qos_done_bio() a647a524a467 ("block: don't call rq_qos_ops->done_bio if the bio isn't tracked") made bio_endio() skip rq_qos_done_bio() if BIO_TRACKED is not set. While this fixed a potential oops, it also broke blk-iocost by skipping the done_bio callback for merged bios. Before, whether a bio goes through rq_qos_throttle() or rq_qos_merge(), rq_qos_done_bio() would be called on the bio on completion with BIO_TRACKED distinguishing the former from the latter. rq_qos_done_bio() is not called for bios which wenth through rq_qos_merge(). This royally confuses blk-iocost as the merged bios never finish and are considered perpetually in-flight. One reliably reproducible failure mode is an intermediate cgroup geting stuck active preventing its children from being activated due to the leaf-only rule, leading to loss of control. The following is from resctl-bench protection scenario which emulates isolating a web server like workload from a memory bomb run on an iocost configuration which should yield a reasonable level of protection. # cat /sys/block/nvme2n1/device/model Samsung SSD 970 PRO 512GB # cat /sys/fs/cgroup/io.cost.model 259:0 ctrl=user model=linear rbps=834913556 rseqiops=93622 rrandiops=102913 wbps=618985353 wseqiops=72325 wrandiops=71025 # cat /sys/fs/cgroup/io.cost.qos 259:0 enable=1 ctrl=user rpct=95.00 rlat=18776 wpct=95.00 wlat=8897 min=60.00 max=100.00 # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1 ... Memory Hog Summary ================== IO Latency: R p50=242u:336u/2.5m p90=794u:1.4m/7.5m p99=2.7m:8.0m/62.5m max=8.0m:36.4m/350m W p50=221u:323u/1.5m p90=709u:1.2m/5.5m p99=1.5m:2.5m/9.5m max=6.9m:35.9m/350m Isolation and Request Latency Impact Distributions: min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev isol% 15.90 15.90 15.90 40.05 57.24 59.07 60.01 74.63 74.63 90.35 90.35 58.12 15.82 lat-imp% 0 0 0 0 0 4.55 14.68 15.54 233.5 548.1 548.1 53.88 143.6 Result: isol=58.12:15.82% lat_imp=53.88%:143.6 work_csv=100.0% missing=3.96% The isolation result of 58.12% is close to what this device would show without any IO control. Fix it by introducing a new flag BIO_QOS_MERGED to mark merged bios and calling rq_qos_done_bio() on them too. For consistency and clarity, rename BIO_TRACKED to BIO_QOS_THROTTLED. The flag checks are moved into rq_qos_done_bio() so that it's next to the code paths that set the flags. With the patch applied, the above same benchmark shows: # resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1 ... Memory Hog Summary ================== IO Latency: R p50=123u:84.4u/985u p90=322u:256u/2.5m p99=1.6m:1.4m/9.5m max=11.1m:36.0m/350m W p50=429u:274u/995u p90=1.7m:1.3m/4.5m p99=3.4m:2.7m/11.5m max=7.9m:5.9m/26.5m Isolation and Request Latency Impact Distributions: min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev isol% 84.91 84.91 89.51 90.73 92.31 94.49 96.36 98.04 98.71 100.0 100.0 94.42 2.81 lat-imp% 0 0 0 0 0 2.81 5.73 11.11 13.92 17.53 22.61 4.10 4.68 Result: isol=94.42:2.81% lat_imp=4.10%:4.68 work_csv=58.34% missing=0% analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关** 是的,这个CVE信息与`cgroup`和隔离相关。具体来说,问题涉及到Linux内核块设备子系统中的`blk-iocost`功能,该功能用于基于IO成本模型对IO进行控制和调度。问题的核心是由于`rq_qos_done_bio()`调用被跳过,导致合并的bio(block IO)在`blk-iocost`中被视为永久处于飞行状态,从而影响了cgroup的正常行为。这可能会导致中间cgroup卡住,无法正确激活其子cgroup,从而破坏了资源隔离。 2. **是否会导致容器(例如Docker等)在运行时影响其他容器或宿主机** 有可能。由于该漏洞影响的是`blk-iocost`的正确性,而`blk-iocost`是Linux cgroup v2的一部分,通常用于容器环境下的IO资源分配和隔离。如果某个容器的IO操作触发了这个问题,可能导致其cgroup状态异常,进而影响同一宿主机上其他容器的资源分配或隔离效果。此外,宿主机本身的IO资源管理也可能受到影响。 3. **结论** 条件1和条件2均满足,因此返回上述分析内容。 cve: ./data/2022/49xxx/CVE-2022-49394.json In the Linux kernel, the following vulnerability has been resolved: blk-iolatency: Fix inflight count imbalances and IO hangs on offline iolatency needs to track the number of inflight IOs per cgroup. As this tracking can be expensive, it is disabled when no cgroup has iolatency configured for the device. To ensure that the inflight counters stay balanced, iolatency_set_limit() freezes the request_queue while manipulating the enabled counter, which ensures that no IO is in flight and thus all counters are zero. Unfortunately, iolatency_set_limit() isn't the only place where the enabled counter is manipulated. iolatency_pd_offline() can also dec the counter and trigger disabling. As this disabling happens without freezing the q, this can easily happen while some IOs are in flight and thus leak the counts. This can be easily demonstrated by turning on iolatency on an one empty cgroup while IOs are in flight in other cgroups and then removing the cgroup. Note that iolatency shouldn't have been enabled elsewhere in the system to ensure that removing the cgroup disables iolatency for the whole device. The following keeps flipping on and off iolatency on sda: echo +io > /sys/fs/cgroup/cgroup.subtree_control while true; do mkdir -p /sys/fs/cgroup/test echo '8:0 target=100000' > /sys/fs/cgroup/test/io.latency sleep 1 rmdir /sys/fs/cgroup/test sleep 1 done and there's concurrent fio generating direct rand reads: fio --name test --filename=/dev/sda --direct=1 --rw=randread \ --runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k while monitoring with the following drgn script: while True: for css in css_for_each_descendant_pre(prog['blkcg_root'].css.address_of_()): for pos in hlist_for_each(container_of(css, 'struct blkcg', 'css').blkg_list): blkg = container_of(pos, 'struct blkcg_gq', 'blkcg_node') pd = blkg.pd[prog['blkcg_policy_iolatency'].plid] if pd.value_() == 0: continue iolat = container_of(pd, 'struct iolatency_grp', 'pd') inflight = iolat.rq_wait.inflight.counter.value_() if inflight: print(f'inflight={inflight} {disk_name(blkg.q.disk).decode("utf-8")} ' f'{cgroup_path(css.cgroup).decode("utf-8")}') time.sleep(1) The monitoring output looks like the following: inflight=1 sda /user.slice inflight=1 sda /user.slice ... inflight=14 sda /user.slice inflight=13 sda /user.slice inflight=17 sda /user.slice inflight=15 sda /user.slice inflight=18 sda /user.slice inflight=17 sda /user.slice inflight=20 sda /user.slice inflight=19 sda /user.slice <- fio stopped, inflight stuck at 19 inflight=19 sda /user.slice inflight=19 sda /user.slice If a cgroup with stuck inflight ends up getting throttled, the throttled IOs will never get issued as there's no completion event to wake it up leading to an indefinite hang. This patch fixes the bug by unifying enable handling into a work item which is automatically kicked off from iolatency_set_min_lat_nsec() which is called from both iolatency_set_limit() and iolatency_pd_offline() paths. Punting to a work item is necessary as iolatency_pd_offline() is called under spinlocks while freezing a request_queue requires a sleepable context. This also simplifies the code reducing LOC sans the comments and avoids the unnecessary freezes which were happening whenever a cgroup's latency target is newly set or cleared. analysis: 1. **分析是否与namespace、cgroup、container或者容器、隔离相关**: 是的,这个 CVE 信息与 cgroup 直接相关。漏洞描述中提到 `iolatency` 是基于 cgroup 的机制,用于跟踪每个 cgroup 的 inflight IO 数量。此外,问题的核心在于 `iolatency_pd_offline()` 和 `iolatency_set_limit()` 操控 enabled 计数器时未正确同步,导致 inflight 计数不平衡。 2. **分析是否会导致容器(例如 Docker)在运行时影响其他容器或宿主机**: 可能会。由于该漏洞涉及 cgroup 的 IO 调度机制,如果一个容器的 cgroup 配置受到影响(例如 inflight 计数不平衡),可能会导致该容器的 IO 被错误地限制或挂起,从而间接影响宿主机或其他容器的正常运行。特别是当某个 cgroup 的 inflight 计数卡住时,可能导致 IO 挂起,进一步影响整个系统的稳定性。 3. **结论**: 条件 1 和条件 2 均满足,因此需要返回上述分析内容。 cve: ./data/2022/49xxx/CVE-2022-49411.json In the Linux kernel, the following vulnerability has been resolved: bfq: Make sure bfqg for which we are queueing requests is online Bios queued into BFQ IO scheduler can be associated with a cgroup that was already offlined. This may then cause insertion of this bfq_group into a service tree. But this bfq_group will get freed as soon as last bio associated with it is completed leading to use after free issues for service tree users. Fix the problem by making sure we always operate on online bfq_group. If the bfq_group associated with the bio is not online, we pick the first online parent. analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:** 是的,该 CVE 信息与 cgroup 相关。问题描述中提到 BFQ I/O 调度器中的 `bfq_group` 可能与一个已经被 offlined 的 cgroup 关联,这表明问题涉及到 cgroup 的生命周期管理。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:** 这个漏洞可能导致 use-after-free 问题,从而可能引发系统不稳定或崩溃。虽然问题本身直接涉及的是 cgroup 和 I/O 调度器,但如果容器使用了受影响的 BFQ 调度器,并且其 cgroup 被 offlined,可能会导致容器的 I/O 操作影响到宿主机或其他容器的稳定性。因此,这种漏洞在某些情况下可能会影响容器隔离性。 **结论:** 该 CVE 信息满足条件 1 和条件 2。 cve: ./data/2022/49xxx/CVE-2022-49412.json In the Linux kernel, the following vulnerability has been resolved: bfq: Avoid merging queues with different parents It can happen that the parent of a bfqq changes between the moment we decide two queues are worth to merge (and set bic->stable_merge_bfqq) and the moment bfq_setup_merge() is called. This can happen e.g. because the process submitted IO for a different cgroup and thus bfqq got reparented. It can even happen that the bfqq we are merging with has parent cgroup that is already offline and going to be destroyed in which case the merge can lead to use-after-free issues such as: BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50 Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544 CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014 Call Trace: dump_stack_lvl+0x46/0x5a print_address_description.constprop.0+0x1f/0x140 ? __bfq_deactivate_entity+0x9cb/0xa50 kasan_report.cold+0x7f/0x11b ? __bfq_deactivate_entity+0x9cb/0xa50 __bfq_deactivate_entity+0x9cb/0xa50 ? update_curr+0x32f/0x5d0 bfq_deactivate_entity+0xa0/0x1d0 bfq_del_bfqq_busy+0x28a/0x420 ? resched_curr+0x116/0x1d0 ? bfq_requeue_bfqq+0x70/0x70 ? check_preempt_wakeup+0x52b/0xbc0 __bfq_bfqq_expire+0x1a2/0x270 bfq_bfqq_expire+0xd16/0x2160 ? try_to_wake_up+0x4ee/0x1260 ? bfq_end_wr_async_queues+0xe0/0xe0 ? _raw_write_unlock_bh+0x60/0x60 ? _raw_spin_lock_irq+0x81/0xe0 bfq_idle_slice_timer+0x109/0x280 ? bfq_dispatch_request+0x4870/0x4870 __hrtimer_run_queues+0x37d/0x700 ? enqueue_hrtimer+0x1b0/0x1b0 ? kvm_clock_get_cycles+0xd/0x10 ? ktime_get_update_offsets_now+0x6f/0x280 hrtimer_interrupt+0x2c8/0x740 Fix the problem by checking that the parent of the two bfqqs we are merging in bfq_setup_merge() is the same. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关** 是的,该漏洞与 cgroup 相关。具体来说,问题出现在 I/O 调度器 BFQ(Budget Fair Queuing)中,涉及到不同 cgroup 的队列合并操作。当一个进程为不同的 cgroup 提交 I/O 请求时,可能导致队列被重新分配父级 cgroup,从而引发潜在的使用后释放(use-after-free)问题。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机** 是的,该漏洞可能会影响容器的隔离性。由于 cgroup 是容器资源隔离的核心机制之一,BFQ 队列的错误合并可能导致对已销毁 cgroup 的引用,进而引发 use-after-free 问题。这可能会导致容器逃逸或影响宿主机的稳定性,尤其是在多租户环境中,不同容器共享同一宿主机的情况下。 3. **结论** 条件 1 和条件 2 均满足,因此需要返回上述分析内容。 cve: ./data/2022/49xxx/CVE-2022-49413.json In the Linux kernel, the following vulnerability has been resolved: bfq: Update cgroup information before merging bio When the process is migrated to a different cgroup (or in case of writeback just starts submitting bios associated with a different cgroup) bfq_merge_bio() can operate with stale cgroup information in bic. Thus the bio can be merged to a request from a different cgroup or it can result in merging of bfqqs for different cgroups or bfqqs of already dead cgroups and causing possible use-after-free issues. Fix the problem by updating cgroup information in bfq_merge_bio(). analysis: 1. 该 CVE 信息与 namespace、cgroup、container 或容器、隔离相关。 分析:漏洞描述中明确提到 cgroup(控制组)的概念,并且问题出现在当进程迁移到不同的 cgroup 或者与不同 cgroup 关联的 bio 提交时,可能导致错误的合并操作。这表明问题直接涉及 cgroup 的管理。 2. 该 CVE 不会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机。 分析:虽然该漏洞涉及 cgroup,但其影响主要集中在 I/O 调度器 BFQ(Budget Fair Queuing)的实现上。具体来说,问题是由于过时的 cgroup 信息导致 bio 合并错误,可能引发 use-after-free 问题。然而,这种问题的影响范围限制在内核的 I/O 调度逻辑中,不会直接影响容器之间的隔离性或对宿主机的安全性造成威胁。 结论:满足条件 1,但不满足条件 2。 cve: ./data/2022/49xxx/CVE-2022-49567.json In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix uninit-value in mpol_rebind_policy() mpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when pol->mode is MPOL_LOCAL. Check pol->mode before access pol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c). BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline] BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368 mpol_rebind_policy mm/mempolicy.c:352 [inline] mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368 cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline] cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278 cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515 cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline] cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804 __cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520 cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539 cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852 kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296 call_write_iter include/linux/fs.h:2162 [inline] new_sync_write fs/read_write.c:503 [inline] vfs_write+0x1318/0x2030 fs/read_write.c:590 ksys_write+0x28b/0x510 fs/read_write.c:643 __do_sys_write fs/read_write.c:655 [inline] __se_sys_write fs/read_write.c:652 [inline] __x64_sys_write+0xdb/0x120 fs/read_write.c:652 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] slab_alloc mm/slub.c:3259 [inline] kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264 mpol_new mm/mempolicy.c:293 [inline] do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853 kernel_set_mempolicy mm/mempolicy.c:1504 [inline] __do_sys_set_mempolicy mm/mempolicy.c:1510 [inline] __se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507 __x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x44/0xae KMSAN: uninit-value in mpol_rebind_task (2) https://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc This patch seems to fix below bug too. KMSAN: uninit-value in mpol_rebind_mm (2) https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy(). When syzkaller reproducer runs to the beginning of mpol_new(), mpol_new() mm/mempolicy.c do_mbind() mm/mempolicy.c kernel_mbind() mm/mempolicy.c `mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags` is 0. Then mode = MPOL_LOCAL; ... policy->mode = mode; policy->flags = flags; will be executed. So in mpol_set_nodemask(), mpol_set_nodemask() mm/mempolicy.c do_mbind() kernel_mbind() pol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized, which will be accessed in mpol_rebind_policy(). analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**: 是的,这个 CVE 信息与 cgroup 相关。在调用栈中可以看到 `cpuset_change_task_nodemask` 和 `cpuset_attach` 函数,这些函数属于 Linux 内核中的 cgroup 子系统(具体是 cpuset 控制组)。Cgroup 是容器技术(如 Docker)实现资源隔离的重要组成部分。 2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机**: 从描述来看,该漏洞涉及未初始化的值 (`uninit-value`) 在内存策略 (`mempolicy`) 中被访问。这种问题可能会导致内核崩溃或其他不可预测的行为。如果攻击者能够触发此漏洞,可能会影响整个系统的稳定性,包括宿主机和其他容器的正常运行。因此,该漏洞有可能被利用来破坏容器之间的隔离性,甚至影响宿主机。 3. **结论**: 由于条件 1 和 2 均满足,因此需要返回分析结果,而不是 "N/A"。 cve: ./data/2022/49xxx/CVE-2022-49647.json In the Linux kernel, the following vulnerability has been resolved: cgroup: Use separate src/dst nodes when preloading css_sets for migration Each cset (css_set) is pinned by its tasks. When we're moving tasks around across csets for a migration, we need to hold the source and destination csets to ensure that they don't go away while we're moving tasks about. This is done by linking cset->mg_preload_node on either the mgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the same cset->mg_preload_node for both the src and dst lists was deemed okay as a cset can't be both the source and destination at the same time. Unfortunately, this overloading becomes problematic when multiple tasks are involved in a migration and some of them are identity noop migrations while others are actually moving across cgroups. For example, this can happen with the following sequence on cgroup1: #1> mkdir -p /sys/fs/cgroup/misc/a/b #2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs #3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS & #4> PID=$! #5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks #6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs the process including the group leader back into a. In this final migration, non-leader threads would be doing identity migration while the group leader is doing an actual one. After #3, let's say the whole process was in cset A, and that after #4, the leader moves to cset B. Then, during #6, the following happens: 1. cgroup_migrate_add_src() is called on B for the leader. 2. cgroup_migrate_add_src() is called on A for the other threads. 3. cgroup_migrate_prepare_dst() is called. It scans the src list. 4. It notices that B wants to migrate to A, so it tries to A to the dst list but realizes that its ->mg_preload_node is already busy. 5. and then it notices A wants to migrate to A as it's an identity migration, it culls it by list_del_init()'ing its ->mg_preload_node and putting references accordingly. 6. The rest of migration takes place with B on the src list but nothing on the dst list. This means that A isn't held while migration is in progress. If all tasks leave A before the migration finishes and the incoming task pins it, the cset will be destroyed leading to use-after-free. This is caused by overloading cset->mg_preload_node for both src and dst preload lists. We wanted to exclude the cset from the src list but ended up inadvertently excluding it from the dst list too. This patch fixes the issue by separating out cset->mg_preload_node into ->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst preloadings don't interfere with each other. analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关** 是的,该 CVE 信息明确与 cgroup(控制组)相关。cgroup 是 Linux 内核中的一个特性,用于限制、记录和隔离进程组的资源(如 CPU、内存、磁盘 I/O 等)。此漏洞涉及 cgroup 的迁移逻辑,特别是 css_set(control group subsystem set)在任务迁移时的处理问题。 2. **是否会导致容器(例如 Docker)在运行时影响其他容器或宿主机** 可能会。由于此漏洞涉及到 cgroup 的任务迁移逻辑,而 cgroup 是容器技术(如 Docker、Kubernetes 等)实现资源隔离的核心机制之一,因此如果漏洞被利用,可能会导致以下问题: - 在多租户环境中,一个容器内的任务迁移操作可能会影响其他容器的任务迁移逻辑,进而可能导致资源分配错误或隔离失效。 - 如果宿主机上的 cgroup 配置受到影响,可能会间接影响到宿主机的稳定性或安全性,例如导致资源竞争或内核崩溃。 3. **结论** 根据上述分析,条件 1 和条件 2 均满足,因此返回分析结果而非 "N/A"。