sleepwithoutbz/cve
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
35e418a9c9097db833e5ceb1f7457ac95456daab
cve/general_result/22.log
sleepwithoutbz 79ae3fec86 Init commit.
2025-05-27 15:15:24 +08:00

976 lines
83 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

cve: ./data/2022/0xxx/CVE-2022-0070.json
Incomplete fix for CVE-2021-3100. The Apache Log4j hotpatch package starting with log4j-cve-2021-44228-hotpatch-1.1-16 will now explicitly mimic the Linux capabilities and cgroups of the target Java process that the hotpatch is applied to.
analysis: 1. **分析是否与 namespace、cgroup、container 或容器、隔离相关**
该 CVE 描述提到 Log4j 的 hotpatch 包会显式模仿目标 Java 进程的 Linux capabilities 和 cgroups。因此它确实与 cgroups 相关,但没有直接提及 namespace、容器或隔离机制。
2. **分析是否会影响其他容器或宿主机**
由于该漏洞涉及模仿目标 Java 进程的 cgroups如果目标进程运行在容器中而 hotpatch 的行为不当例如权限提升或资源分配错误可能会间接影响容器的隔离性。然而根据描述hotpatch 的设计目的是模仿目标进程的配置,理论上不会主动破坏容器隔离或影响宿主机。因此,从描述来看,直接影响其他容器或宿主机的风险较低。
3. **结论**
条件 1 满足(与 cgroups 相关),条件 2 不完全满足(无明确证据表明会影响其他容器或宿主机)。因此,返回以下分析结果:
- 与 cgroups 相关,可能间接影响容器隔离性,但无明确证据表明会导致容器逃逸或影响宿主机。
cve: ./data/2022/0xxx/CVE-2022-0185.json
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.
analysis: 1. 该 CVE 信息与 namespace 相关。具体来说问题涉及到“unprivileged user namespaces”功能。如果系统启用了非特权用户命名空间unprivileged user namespaces则攻击者可以利用此漏洞。此外问题还涉及文件系统上下文Filesystem Context和参数解析逻辑。
2. 该 CVE 可能会影响容器的隔离性。在容器环境中(如 Docker如果容器启用了 unprivileged user namespaces 或具有 namespaced CAP_SYS_ADMIN 权限,则攻击者可能利用此漏洞从容器内部进行权限提升,进而影响宿主机或其他容器的安全性。
因此,根据分析要求,条件 1 和 2 均满足。
cve: ./data/2022/0xxx/CVE-2022-0324.json
There is a vulnerability in DHCPv6 packet parsing code that could be explored by remote attacker to craft a packet that could cause buffer overflow in a memcpy call, leading to out-of-bounds memory write that would cause dhcp6relay to crash. Dhcp6relay is a critical process and could cause dhcp relay docker to shutdown.
Discovered by Eugene Lim of GovTech Singapore.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 提及了 `dhcp relay docker` 会受到影响。这表明问题与 Docker 容器相关,并且可能影响到容器内的关键进程 (`dhcp6relay`)。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:**
根据描述,漏洞会导致 `dhcp6relay` 崩溃,进而导致 `dhcp relay docker` 关闭。这种影响似乎是局限于特定容器(`dhcp relay docker`)内部的,没有明确提到会对其他容器或宿主机造成直接影响。然而,如果 `dhcp relay docker` 是一个共享网络配置或提供关键服务的容器,它的崩溃可能会间接影响依赖它的其他容器或宿主机的服务稳定性。
3. **结论:**
条件 1 满足(与容器相关),条件 2 部分满足(虽然直接影响有限,但可能存在间接影响)。因此,返回分析结果而非 "N/A"。
cve: ./data/2022/0xxx/CVE-2022-0492.json
A vulnerability was found in the Linux kernels cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
analysis: 1. 该 CVE 信息与 namespace、cgroup、container 和隔离相关。描述中明确提到 cgroups v1 的 `release_agent` 功能,并且提到了可以绕过 namespace 的隔离。
2. 该 CVE 可能会导致容器(例如 Docker在运行时影响其他容器或宿主机。通过利用 cgroups v1 的 `release_agent` 功能,攻击者可能能够突破容器的隔离机制,从而对宿主机或其他容器造成潜在威胁。
因此,条件 1 和 2 均满足。
cve: ./data/2022/0xxx/CVE-2022-0532.json
An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. The sysctls from the list of "safe" sysctls specified for the cluster will be applied to the host if an attacker is able to create a pod with a hostIPC and hostNetwork kernel namespace.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE信息与namespace和容器隔离相关。描述中提到攻击者可以通过创建一个具有`hostIPC`和`hostNetwork`内核命名空间的Pod导致指定的`sysctls`被应用到主机上。这表明问题涉及容器的命名空间配置以及其与宿主机的交互。
2. **是否会导致容器如Docker等在运行时影响其他容器或宿主机**
是的,该漏洞可能导致容器影响宿主机。由于攻击者可以利用`hostIPC`和`hostNetwork`命名空间将`sysctls`应用到宿主机,这可能会破坏宿主机的安全性或稳定性,进而可能影响在同一宿主机上运行的其他容器。
3. **结论**
该CVE满足条件1和条件2因此不会返回"N/A"。
cve: ./data/2022/1xxx/CVE-2022-1055.json
A use-after-free exists in the Linux Kernel in tc_new_tfilter that could allow a local attacker to gain privilege escalation. The exploit requires unprivileged user namespaces. We recommend upgrading past commit 04c2a47ffb13c29778e2a14e414ad4cb5a5db4b5
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该漏洞提到了“unprivileged user namespaces”这表明它与用户命名空间user namespace有关。用户命名空间是Linux内核中用于隔离用户和组ID的一种机制广泛应用于容器技术如Docker中以提供隔离性。
2. **是否会导致容器例如Docker等在运行时影响其他容器或宿主机**
是的该漏洞可能导致特权提升privilege escalation。由于其利用需要“unprivileged user namespaces”而这些命名空间通常在容器环境中被启用因此攻击者可能通过此漏洞从容器内部逃逸影响其他容器或宿主机的安全性。
**结论**满足条件1和条件2。
cve: ./data/2022/1xxx/CVE-2022-1833.json
A flaw was found in AMQ Broker Operator 7.9.4 installed via UI using OperatorHub where a low-privilege user that has access to the namespace where the AMQ Operator is deployed has access to clusterwide edit rights by checking the secrets. The service account used for building the Operator gives more permission than expected and an attacker could benefit from it. This requires at least an already compromised low-privilege account or insider attack.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 信息与 namespace 和容器隔离相关。问题发生在 AMQ Broker Operator 的部署中,低权限用户可以通过访问特定 namespace 中的秘密secrets获得集群范围的编辑权限。这表明在 namespace 层面的权限控制存在漏洞,可能导致隔离机制被破坏。
2. **是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:**
可能会。由于服务账户的权限超出预期,攻击者可能利用此漏洞获取集群范围的编辑权限,进而影响其他容器或宿主机。例如,攻击者可以修改其他容器的配置、访问敏感数据,甚至对宿主机进行未授权的操作。
**结论:**
满足条件 1 和 2因此返回上述分析结果。
cve: ./data/2022/23xxx/CVE-2022-23774.json
Docker Desktop before 4.4.4 on Windows allows attackers to move arbitrary files.
analysis: 1. 该 CVE 信息与 namespace、cgroup、container 或者容器相关。
原因:描述中明确提到 Docker Desktop并且涉及文件移动操作这可能与容器的文件系统隔离机制有关。
2. 该 CVE 可能会导致容器在运行时影响其他容器或宿主机。
原因:描述中提到“允许攻击者移动任意文件”,这意味着攻击者可能利用此漏洞突破容器的隔离限制,对宿主机或其他容器的文件系统进行未授权访问或修改。
**结论:满足条件 1 和 2。**
cve: ./data/2022/24xxx/CVE-2022-24122.json
kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivileged user namespaces are enabled, allows a use-after-free and privilege escalation because a ucounts object can outlive its namespace.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 与 namespace 相关。描述中明确提到“unprivileged user namespaces”即非特权用户命名空间这是 Linux 容器(如 Docker实现隔离的重要机制之一。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:**
是的,可能会导致影响。由于存在 use-after-free 和权限提升漏洞,攻击者可以利用此漏洞突破容器的隔离机制,进而可能影响同一宿主机上的其他容器,甚至完全控制宿主机。
**结论:** 满足条件 1 和条件 2。
cve: ./data/2022/24xxx/CVE-2022-24769.json
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
analysis: ### 分析结果:
1. **是否与 namespace、cgroup、container 或者容器、隔离相关**
是的,该 CVE 信息明确提到 MobyDocker Engine中的一个漏洞涉及容器的启动行为以及 Linux 进程能力capabilities的设置。这直接影响了容器内的进程权限管理因此与容器和隔离机制密切相关。
2. **是否会导致容器(如 Docker在运行时影响其他容器或宿主机**
该漏洞允许容器内的非特权用户或进程通过 inheritable file capabilities 提升权限,但这仅限于容器的 bounding set 范围内。由于 inheritable set 不会包含超出容器 bounding set 的能力,因此该漏洞不会直接突破容器的安全沙箱,也不会直接影响其他容器或宿主机的安全性。然而,它可能削弱容器内部基于用户和组的权限分离机制,从而间接增加攻击面。
### 结论:
- 满足条件 1 和 2 的部分分析要求。
- 该漏洞虽然不会直接影响宿主机或其他容器,但会对容器内部的权限隔离产生负面影响,需要关注并修复。
cve: ./data/2022/24xxx/CVE-2022-24778.json
The imgcrypt library provides API exensions for containerd to support encrypted container images and implements the ctd-decoder command line tool for use by containerd to decrypt encrypted container images. The imgcrypt function `CheckAuthorization` is supposed to check whether the current used is authorized to access an encrypted image and prevent the user from running an image that another user previously decrypted on the same system. In versions prior to 1.1.4, a failure occurs when an image with a ManifestList is used and the architecture of the local host is not the first one in the ManifestList. Only the first architecture in the list was tested, which may not have its layers available locally since it could not be run on the host architecture. Therefore, the verdict on unavailable layers was that the image could be run anticipating that image run failure would occur later due to the layers not being available. However, this verdict to allow the image to run enabled other architectures in the ManifestList to run an image without providing keys if that image had previously been decrypted. A patch has been applied to imgcrypt 1.1.4. Workarounds may include usage of different namespaces for each remote user.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 信息与容器和隔离相关。`imgcrypt` 是为 `containerd` 提供支持加密容器镜像的 API 扩展,并且涉及到 `ctd-decoder` 命令行工具用于解密加密的容器镜像。此外描述中提到可以通过使用不同的命名空间namespaces作为解决方法之一这表明该问题与容器隔离机制有关。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:**
是的,该漏洞可能导致容器运行时的安全风险。由于 `CheckAuthorization` 函数的实现问题,如果某个用户之前在系统上解密了一个镜像,其他用户可能无需提供正确的密钥即可运行该镜像中的其他架构。这种行为破坏了容器之间的隔离性,可能会导致未经授权的访问或其他安全问题,进而影响其他容器或宿主机的安全性。
3. **结论:**
该 CVE 满足条件 1 和条件 2因此需要返回上述分析内容而不是 "N/A"。
cve: ./data/2022/25xxx/CVE-2022-25365.json
Docker Desktop before 4.5.1 on Windows allows attackers to move arbitrary files. NOTE: this issue exists because of an incomplete fix for CVE-2022-23774.
analysis: 1. 该 CVE 信息与 namespace、cgroup、container 或容器相关。原因是它明确提到了 Docker Desktop 在 Windows 上的问题Docker 是一个容器化平台,因此该问题与容器技术直接相关。
2. 该 CVE 可能会导致容器在运行时影响其他容器或宿主机。根据描述,攻击者可以移动任意文件,这种行为可能突破容器的隔离性,进而对宿主机或其他容器造成潜在影响。
总结:条件 1 和 2 均满足。
cve: ./data/2022/26xxx/CVE-2022-26659.json
Docker Desktop installer on Windows in versions before 4.6.0 allows an attacker to overwrite any administrator writable files by creating a symlink in place of where the installer writes its log file. Starting from version 4.6.0, the Docker Desktop installer, when run elevated, will write its log files to a location not writable by non-administrator users.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
该CVE描述的是Docker Desktop在Windows上的安装程序漏洞涉及日志文件的写入位置以及符号链接symlink的滥用。虽然它与Docker相关但并未直接涉及namespace、cgroup、容器运行时隔离等技术细节。
2. **是否会导致容器影响其他容器或宿主机**
该漏洞发生在Docker Desktop的安装阶段而不是容器运行时。攻击者可以通过创建符号链接覆盖管理员可写的文件但这并不直接影响容器的运行时行为也不会导致容器逃逸或影响其他容器。
3. **结论**
条件1和条件2均不满足因此返回
**N/A**
cve: ./data/2022/27xxx/CVE-2022-27649.json
A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE信息明确提到了Podman和MobyDocker Engine这些都是与容器技术密切相关的项目。问题涉及容器启动时的权限配置错误特别是Linux进程能力capabilities的处理不当这直接影响了容器的隔离性。
2. **是否会导致容器运行时影响其他容器或宿主机**
是的由于容器被错误地赋予了非空的继承能力inheritable Linux process capabilities攻击者可以利用这些能力提升权限。这种权限提升可能会导致容器突破其隔离环境从而影响同一宿主机上的其他容器或直接危害宿主机的安全。
**结论**满足条件1和条件2。
cve: ./data/2022/27xxx/CVE-2022-27650.json
A flaw was found in crun where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE与容器相关。描述中明确提到问题发生在 `crun` 和 `Moby (Docker Engine)` 中,这两个都是与容器运行时相关的组件。具体问题涉及容器启动时的权限配置不当。
2. **是否会导致容器在运行时影响其他容器或宿主机**
是的该漏洞可能导致容器内的攻击者提升权限从而可能影响其他容器或宿主机。由于容器被错误地赋予了非空的继承能力inheritable Linux process capabilities攻击者可以利用这些能力通过 `execve(2)` 将其提升到允许的权限集permitted set。这种权限提升可能会突破容器的隔离机制进而对宿主机或其他容器造成威胁。
**结论**满足条件1和条件2无需返回N/A。
cve: ./data/2022/27xxx/CVE-2022-27651.json
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE与容器技术相关。描述中明确提到Buildah和MobyDocker Engine这些都是用于创建和管理容器的工具。问题涉及容器启动时的权限配置不当可能影响容器的隔离性。
2. **是否会导致容器在运行时影响其他容器或宿主机**
是的可能会导致影响。由于容器被错误地赋予了非空的继承性Linux进程能力inheritable Linux process capabilities攻击者可以利用这些能力提升权限从而可能突破容器的隔离机制影响其他容器或宿主机的安全性。
3. **结论**
条件1和条件2均满足因此需要返回上述分析内容。
cve: ./data/2022/27xxx/CVE-2022-27652.json
A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE信息明确提到cri-o和MobyDocker Engine这些都是与容器技术相关的组件。问题涉及容器启动时的权限设置特别是Linux进程能力capabilities的处理这直接影响容器的隔离性。
2. **是否会导致容器在运行时影响其他容器或宿主机**
是的该漏洞可能导致容器内的攻击者提升权限将继承的能力inheritable capabilities提升为允许的能力permitted capabilities。这种权限提升可能使攻击者突破容器的隔离进而影响同一宿主机上的其他容器或直接危害宿主机的安全。
3. **结论**
由于条件1和条件2均满足因此返回分析结果而非"N/A"。
cve: ./data/2022/29xxx/CVE-2022-29180.json
A vulnerability in which attackers could forge HTTP requests to manipulate the `charm` data directory to access or delete anything on the server. This has been patched and is available in release [v0.12.1](https://github.com/charmbracelet/charm/releases/tag/v0.12.1). We recommend that all users running self-hosted `charm` instances update immediately. This vulnerability was found in-house and we haven't been notified of any potential exploiters. ### Additional notes * Encrypted user data uploaded to the Charm server is safe as Charm servers cannot decrypt user data. This includes filenames, paths, and all key-value data. * Users running the official Charm [Docker images](https://github.com/charmbracelet/charm/blob/main/docker.md) are at minimal risk because the exploit is limited to the containerized filesystem.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 提到使用官方 Charm Docker 镜像的用户风险较小,因为漏洞的利用被限制在容器化的文件系统中。这表明该问题与容器化环境(如 Docker及其隔离机制有关。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:**
根据描述,使用官方 Charm Docker 镜像的用户风险较小,因为漏洞的利用被限制在容器化的文件系统中。这意味着该漏洞不会突破容器的隔离机制,从而影响其他容器或宿主机。
**结论:**
该 CVE 与容器隔离相关,但不会导致容器影响其他容器或宿主机。
cve: ./data/2022/2xxx/CVE-2022-2403.json
A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的,该 CVE 信息与容器和 namespace 相关。问题发生在 OpenShift Container Platform 中,涉及 `oauth-serving-cert` ConfigMap 的存储位置以及其在 `openshift-config-managed` namespace 中的访问控制。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:**
这个漏洞不会直接影响其他容器或宿主机的运行时安全性,但它可能导致敏感信息(如私钥)泄露。如果恶意用户获取了外部集群证书的私钥,他们可以解密受该证书保护的网络流量,从而间接影响整个集群的安全性。虽然这不是一个直接的容器逃逸漏洞,但泄露的凭据可能被用于进一步攻击集群中的其他资源。
3. **结论:**
不满足条件 2因此返回分析结果而非 "N/A"。
cve: ./data/2022/2xxx/CVE-2022-2837.json
A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 信息与 namespace 和容器相关。问题描述中提到恶意用户可以通过创建特定的项目和命名空间namespace来劫持外部顶级域名TLD的流量并将其重定向到他们控制的 Pod。这表明问题涉及 Kubernetes 中的命名空间namespace机制以及容器网络流量的路由。
2. **是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:**
是的,该漏洞可能导致容器影响其他容器或宿主机。通过利用此漏洞,攻击者可以劫持原本发往外部 TLD 的流量并将其重定向到其控制的 Pod。这种行为可能会导致数据泄露、流量劫持或其他安全问题从而破坏容器之间的隔离性甚至可能间接影响宿主机的安全性。
**结论:**
满足条件 1 和 2因此返回分析结果。
cve: ./data/2022/30xxx/CVE-2022-30137.json
Executive Summary
An Elevation of Privilege (EOP) vulnerability has been identified within Service Fabric clusters that run Docker containers. Exploitation of this EOP vulnerability requires an attacker to gain remote code execution within a container. All Service Fabric and Docker versions are impacted.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关**
是的,该 CVE 明确提到与 Docker 容器相关,并且涉及 Service Fabric 集群中运行的容器。这表明它与容器技术及其隔离机制有关。
2. **是否会导致容器(例如 Docker在运行时影响其他容器或宿主机**
是的,根据描述,这是一个权限提升 (EOP) 漏洞。攻击者需要先在容器内获得远程代码执行能力,然后利用此漏洞进一步提升权限。这种类型的漏洞可能允许攻击者突破容器的隔离限制,从而影响其他容器或宿主机的安全性。
3. **结论**
由于条件 1 和条件 2 均满足,因此返回分析结果如下:
- 与容器和隔离机制相关。
- 可能导致容器突破隔离,影响其他容器或宿主机。
cve: ./data/2022/31xxx/CVE-2022-31214.json
A Privilege Context Switching issue was discovered in join.c in Firejail 0.9.68. By crafting a bogus Firejail container that is accepted by the Firejail setuid-root program as a join target, a local attacker can enter an environment in which the Linux user namespace is still the initial user namespace, the NO_NEW_PRIVS prctl is not activated, and the entered mount namespace is under the attacker's control. In this way, the filesystem layout can be adjusted to gain root privileges through execution of available setuid-root binaries such as su or sudo.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 信息与 namespace 和容器隔离相关。问题出现在 Firejail 的 `join.c` 文件中Firejail 是一个用于沙盒化应用程序的工具,利用 Linux namespaces 提供隔离环境。漏洞描述中明确提到用户命名空间user namespace和挂载命名空间mount namespace并且涉及通过调整文件系统布局来突破隔离。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:**
虽然此漏洞是针对 Firejail 的,但其核心问题在于对命名空间的不当处理。如果类似的漏洞存在于其他容器运行时(如 Docker 的运行时),也可能导致攻击者突破容器隔离,进入初始用户命名空间,并可能进一步影响宿主机或其他容器。因此,从原理上讲,这种类型的漏洞有潜在风险影响容器运行时的安全性。
**结论:**
满足条件 1 和 2因此返回分析结果而非 "N/A"。
cve: ./data/2022/31xxx/CVE-2022-31647.json
Docker Desktop before 4.6.0 on Windows allows attackers to delete any file through the hyperv/destroy dockerBackendV2 API via a symlink in the DataFolder parameter, a different vulnerability than CVE-2022-26659.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 与容器技术相关。它涉及 Docker Desktop 在 Windows 上的一个 API (`hyperv/destroy dockerBackendV2`)并且描述中提到可以通过符号链接symlink在 `DataFolder` 参数中进行操作。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:**
是的,该漏洞允许攻击者通过特定 API 删除宿主机上的任意文件。这表明攻击者可以利用此漏洞破坏宿主机的文件系统,从而影响整个系统的稳定性,甚至可能波及其他容器的正常运行。
**结论:** 该 CVE 满足条件 1 和 2。
cve: ./data/2022/32xxx/CVE-2022-32250.json
net/netfilter/nf_tables_api.c in the Linux kernel through 5.18.1 allows a local user (able to create user/net namespaces) to escalate privileges to root because an incorrect NFT_STATEFUL_EXPR check leads to a use-after-free.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关**
是的,该 CVE 提到 `user/net namespaces`,这表明它与 Linux 命名空间namespace机制相关。命名空间是容器技术如 Docker实现隔离的重要组成部分。
2. **是否会导致容器运行时影响其他容器或宿主机**
有可能。由于该漏洞允许本地用户通过错误的 `NFT_STATEFUL_EXPR` 检查导致 use-after-free从而实现权限提升到 root。如果攻击者在一个容器中利用此漏洞可能突破容器的隔离限制进而影响其他容器或宿主机的安全性。
**结论**:满足条件 1 和 2。
cve: ./data/2022/34xxx/CVE-2022-34292.json
Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647.
analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关**
该 CVE 描述中提到 Docker Desktop for Windows 的 API 存在一个问题允许攻击者通过符号链接symlink攻击覆盖任意文件。这涉及到 Docker Desktop 的内部实现和虚拟磁盘文件(`DockerDesktop.vhdx`)的处理,因此与容器技术相关。然而,它并未直接涉及 namespace、cgroup 或容器隔离机制。
2. **分析是否会导致容器运行时影响其他容器或宿主机**
根据描述,攻击者可以通过控制 `DataFolder` 参数来覆盖宿主机上的任意文件。这种行为会直接影响宿主机的安全性,可能会导致数据损坏或恶意代码注入,从而对整个系统造成威胁。因此,该漏洞确实可能导致容器运行时影响宿主机。
**结论**
- 条件 1 满足:与容器技术相关。
- 条件 2 满足:会影响宿主机。
无需返回 "N/A"。
cve: ./data/2022/34xxx/CVE-2022-34372.json
Dell PowerProtect Cyber Recovery versions before 19.11.0.2 contain an authentication bypass vulnerability. A remote unauthenticated attacker may potentially access and interact with the docker registry API leading to an authentication bypass. The attacker may potentially alter the docker images leading to a loss of integrity and confidentiality
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE信息提到攻击者可以通过漏洞访问和交互 Docker Registry API这直接与容器技术Docker相关。此外提到攻击者可能篡改 Docker 镜像,这也涉及容器的完整性和机密性。
2. **是否会导致容器在运行时影响其他容器或宿主机**
是的,攻击者通过此漏洞篡改 Docker 镜像后,可能导致以下后果:
- 被篡改的镜像在运行时可能包含恶意代码,从而影响同一宿主机上的其他容器。
- 如果容器以特权模式运行或存在其他配置问题,可能进一步威胁到宿主机的安全。
因此,该漏洞可能间接导致容器之间的隔离被破坏,甚至威胁到宿主机的安全。
**结论**满足条件1和条件2。
cve: ./data/2022/34xxx/CVE-2022-34918.json
An issue was discovered in the Linux kernel through 5.18.9. A type confusion bug in nft_set_elem_init (leading to a buffer overflow) could be used by a local attacker to escalate privileges, a different vulnerability than CVE-2022-32250. (The attacker can obtain root access, but must start with an unprivileged user namespace to obtain CAP_NET_ADMIN access.) This can be fixed in nft_setelem_parse_data in net/netfilter/nf_tables_api.c.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关**
是的,此漏洞与 namespace 相关。描述中明确提到攻击者需要从一个非特权用户命名空间unprivileged user namespace开始以获取 `CAP_NET_ADMIN` 权限。这表明该漏洞利用了 Linux 命名空间的特性。
2. **是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机**
有可能。由于该漏洞允许本地攻击者通过类型混淆漏洞和缓冲区溢出实现权限提升(获得 root 访问权限),如果攻击者在一个容器内利用此漏洞,则可能突破容器的隔离机制,影响宿主机或其他容器的安全性。特别是当容器使用非特权用户命名空间时,攻击者仍可能通过此漏洞获取更高的权限。
**结论**:满足条件 1 和 2。
cve: ./data/2022/36xxx/CVE-2022-36109.json
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade, this problem can be worked around by not using the `"USER $USERNAME"` Dockerfile instruction. Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary groups will be set up properly.
analysis: 1. **是否与 namespace、cgroup、container 或容器、隔离相关:**
是的,该 CVE 与容器相关。MobyDocker Engine是一个用于实现软件容器化的项目问题涉及容器内的用户和组权限设置这直接影响容器的隔离特性。
2. **是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:**
在这种情况下,攻击者需要直接访问一个容器并操纵其补充组权限。虽然这可能允许攻击者在受影响的容器内绕过某些限制(例如访问敏感信息或执行代码),但没有明确证据表明此漏洞可以直接突破容器隔离,影响其他容器或宿主机。因此,该漏洞的影响主要限于单个容器内部。
**结论:**
条件 1 满足,条件 2 不完全满足(影响限于单个容器)。
cve: ./data/2022/37xxx/CVE-2022-37326.json
Docker Desktop for Windows before 4.6.0 allows attackers to delete (or create) any file through the dockerBackendV2 windowscontainers/start API by controlling the pidfile field inside the DaemonJSON field in the WindowsContainerStartRequest class. This can indirectly lead to privilege escalation.
analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关**
该 CVE 提及了 Docker Desktop for Windows 的 `dockerBackendV2 windowscontainers/start API`,并且涉及对 `pidfile` 字段的控制。这表明问题与容器的启动配置和管理有关因此与容器技术container相关。
2. **分析是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机**
攻击者可以通过控制 `pidfile` 字段来删除或创建任意文件,这种行为可能会直接影响宿主机的文件系统。如果攻击者利用此漏洞修改关键系统文件,可能会导致宿主机被完全控制或容器之间的隔离机制被破坏。因此,该漏洞可能导致容器运行时影响宿主机的安全性。
3. **结论**
条件 1 和条件 2 均满足,因此返回以下分析结果:
- 与容器和隔离相关。
- 可能会导致容器运行时影响其他容器或宿主机。
cve: ./data/2022/38xxx/CVE-2022-38730.json
Docker Desktop for Windows before 4.6 allows attackers to overwrite any file through the windowscontainers/start dockerBackendV2 API by controlling the data-root field inside the DaemonJSON field in the WindowsContainerStartRequest class. This allows exploiting a symlink vulnerability in ..\dataRoot\network\files\local-kv.db because of a TOCTOU race condition.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE与容器技术相关。它涉及到Docker Desktop for Windows中的`dockerBackendV2 API`,并且通过控制`DaemonJSON`字段中的`data-root`,可以利用符号链接漏洞影响容器的文件系统配置。
2. **是否会导致容器例如Docker等在运行时影响其他容器或宿主机**
是的,该漏洞可能导致容器逃逸或影响宿主机。攻击者可以通过覆盖宿主机上的任意文件(如`local-kv.db`利用TOCTOUTime-of-check to time-of-use竞争条件漏洞进而可能影响其他容器或宿主机的安全性。
3. **结论**
由于条件1和条件2均满足因此不需要返回"N/A"。
cve: ./data/2022/39xxx/CVE-2022-39206.json
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the Docker socket (e.g. /var/run/docker.sock on Linux) is mounted into each Docker step. Users that can define and trigger CI/CD jobs on a project could use this to control the Docker daemon on the host machine. This is a known dangerous pattern, as it can be used to break out of Docker containers and, in most cases, gain root privileges on the host system. This issue allows regular (non-admin) users to potentially take over the build infrastructure of a OneDev instance. Attackers need to have an account (or be able to register one) and need permission to create a project. Since code.onedev.io has the right preconditions for this to be exploited by remote attackers, it could have been used to hijack builds of OneDev itself, e.g. by injecting malware into the docker images that are built and pushed to Docker Hub. The impact is increased by this as described before. Users are advised to upgrade to 7.3.0 or higher. There are no known workarounds for this issue.
analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关**
该 CVE 描述中明确提到 Docker 容器的使用场景,尤其是 `/var/run/docker.sock` 被挂载到容器中。这涉及到容器的隔离性问题,因为通过访问 Docker 套接字,用户可以与宿主机上的 Docker 守护进程交互,从而突破容器的隔离。
2. **分析是否会导致容器(例如 Docker在运行时影响其他容器或宿主机**
是的,该漏洞会导致容器突破隔离,影响宿主机甚至其他容器。攻击者可以通过控制 Docker 守护进程,在宿主机上执行任意命令,或者创建、删除、修改其他容器。这种行为可能会导致宿主机被完全控制,并可能进一步影响同一宿主机上的其他容器。
3. **结论**
由于条件 1 和条件 2 都满足,因此返回以下分析结果:
- 与容器隔离相关:是
- 可能影响其他容器或宿主机:是
cve: ./data/2022/39xxx/CVE-2022-39321.json
GitHub Actions Runner is the application that runs a job from a GitHub Actions workflow. The actions runner invokes the docker cli directly in order to run job containers, service containers, or container actions. A bug in the logic for how the environment is encoded into these docker commands was discovered in versions prior to 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4 that allows an input to escape the environment variable and modify that docker command invocation directly. Jobs that use container actions, job containers, or service containers alongside untrusted user inputs in environment variables may be vulnerable. The Actions Runner has been patched, both on `github.com` and hotfixes for GHES and GHAE customers in versions 2.296.2, 2.293.1, 2.289.4, 2.285.2, and 2.283.4. GHES and GHAE customers may want to patch their instance in order to have their runners automatically upgrade to these new runner versions. As a workaround, users may consider removing any container actions, job containers, or service containers from their jobs until they are able to upgrade their runner versions.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE与容器相关。问题涉及GitHub Actions Runner在调用Docker CLI时由于环境变量编码逻辑的漏洞可能导致恶意输入篡改Docker命令的执行。这直接影响到容器的运行方式。
2. **是否会导致容器如Docker在运行时影响其他容器或宿主机**
是的该漏洞可能会影响其他容器或宿主机。如果攻击者能够利用此漏洞修改Docker命令的执行他们可能会绕过预期的隔离机制从而对宿主机或其他容器造成潜在威胁。例如通过篡改Docker命令攻击者可能注入恶意参数导致容器以非预期的方式运行甚至可能逃逸到宿主机。
3. **结论**
由于条件1和条件2均满足因此返回上述分析结果。
cve: ./data/2022/41xxx/CVE-2022-41737.json
IBM Storage Scale Container Native Storage Access 5.1.2.1 through 5.1.7.0 could allow a local attacker to initiate connections from a container outside the current namespace. IBM X-Force ID: 237811.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE明确提到“initiate connections from a container outside the current namespace”即从容器中发起连接到当前命名空间之外的目标。这直接涉及到了容器的命名空间namespace隔离机制。
2. **是否会导致容器在运行时影响其他容器或宿主机**
是的,由于该漏洞允许容器突破其当前的命名空间限制,可能会导致容器访问或影响其他容器或宿主机上的资源。这种行为破坏了容器之间的隔离性,可能带来安全风险。
因此该CVE满足条件1和条件2。
cve: ./data/2022/41xxx/CVE-2022-41939.json
knative.dev/func is is a client library and CLI enabling the development and deployment of Kubernetes functions. Developers using a malicious or compromised third-party buildpack could expose their registry credentials or local docker socket to a malicious `lifecycle` container. This issues has been patched in PR #1442, and is part of release 1.8.1. This issue only affects users who are using function buildpacks from third-parties; pinning the builder image to a specific content-hash with a valid `lifecycle` image will also mitigate the attack.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 信息与容器和隔离相关。描述中提到“expose their registry credentials or local docker socket to a malicious `lifecycle` container”表明问题涉及将敏感信息如 Docker Socket暴露给恶意的容器。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:**
是的,这可能导致影响。如果攻击者利用此漏洞,通过恶意的 `lifecycle` 容器访问本地 Docker Socket他们可以进一步控制宿主机上的其他容器或直接对宿主机进行攻击。这种行为破坏了容器之间的隔离性并可能危及整个容器化环境的安全。
**结论:** 满足条件 1 和 2。
cve: ./data/2022/42xxx/CVE-2022-42919.json
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关**
该 CVE 涉及 Linux 的机器本地网络命名空间machine local network namespace并且提到 Linux 抽象命名空间套接字abstract namespace sockets。虽然它提到了命名空间但这里的命名空间是指 Linux 的 socket 抽象命名空间,而不是与容器隔离直接相关的 mount namespace、PID namespace 等。因此,这个漏洞并不直接与容器或隔离技术(如 cgroup、namespace相关。
2. **分析是否会导致容器运行时影响其他容器或宿主机**
该漏洞主要影响使用 Python `multiprocessing` 库的程序,并且需要特定配置(`forkserver` 启动方法和抽象命名空间套接字)。此漏洞允许在相同机器上的用户通过反序列化 pickles 执行任意代码,从而实现权限提升。然而,这种攻击的前提是攻击者已经能够在目标机器上运行代码。在容器环境中,如果容器没有共享宿主机的网络命名空间(即容器有自己的独立网络命名空间),那么攻击范围将被限制在容器内部,不会直接影响其他容器或宿主机。因此,该漏洞在默认容器配置下不会直接导致容器影响其他容器或宿主机。
3. **结论**
根据以上分析,该 CVE 不满足条件 1 和条件 2因此返回
**N/A**
cve: ./data/2022/46xxx/CVE-2022-46167.json
Capsule is a multi-tenancy and policy-based framework for Kubernetes. Prior to version 0.1.3, a ServiceAccount deployed in a Tenant Namespace, when granted with `PATCH` capabilities on its own Namespace, is able to edit it and remove the Owner Reference, breaking the reconciliation of the Capsule Operator and removing all the enforcement like Pod Security annotations, Network Policies, Limit Range and Resource Quota items. An attacker could detach the Namespace from a Tenant that is forbidding starting privileged Pods using the Pod Security labels by removing the OwnerReference, removing the enforcement labels, and being able to start privileged containers that would be able to start a generic Kubernetes privilege escalation. Patches have been released for version 0.1.3. No known workarounds are available.
analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,此 CVE 与 namespace 和容器隔离相关。问题的核心在于 Kubernetes 的多租户框架 Capsule 中ServiceAccount 在特定权限下可以修改其所在 Namespace 的 Owner Reference从而破坏 Capsule Operator 的协调机制,并移除诸如 Pod Security 标签、网络策略等强制执行的安全措施。这直接影响了 namespace 的隔离性,使得攻击者可以在不受限制的情况下启动特权容器。
2. **分析是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:**
是的,此漏洞可能导致容器运行时影响其他容器或宿主机。通过移除 Owner Reference 和安全标签,攻击者可以启动特权容器,这种容器能够突破默认的隔离机制,访问宿主机资源或干扰其他容器的正常运行。这可能会导致宿主机上的敏感信息泄露、资源滥用,甚至进一步的权限提升和系统控制。
**结论:满足条件 1 和 2。**
cve: ./data/2022/47xxx/CVE-2022-47952.json
lxc-user-nic in lxc through 5.0.1 is installed setuid root, and may allow local users to infer whether any file exists, even within a protected directory tree, because "Failed to open" often indicates that a file does not exist, whereas "does not refer to a network namespace path" often indicates that a file exists. NOTE: this is different from CVE-2018-6556 because the CVE-2018-6556 fix design was based on the premise that "we will report back to the user that the open() failed but the user has no way of knowing why it failed"; however, in many realistic cases, there are no plausible reasons for failing except that the file does not exist.
analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关:**
该 CVE 提到 `lxc-user-nic`,这是一个与 LXCLinux Containers相关的工具。LXC 是一种轻量级的容器技术,依赖于 Linux 的 namespaces 和 cgroups 实现隔离。因此,这个 CVE 明确与容器和 namespace 相关。
2. **分析是否会导致容器(如 Docker 等)在运行时影响其他容器或宿主机:**
根据描述,该漏洞允许本地用户通过错误消息推断某个文件是否存在。这种信息泄露可能会被攻击者利用来获取敏感路径的信息,但并没有提到直接的权限提升或对宿主机或其他容器的直接影响。然而,由于它涉及 LXC 的网络命名空间管理工具 (`lxc-user-nic`),如果攻击者能够利用此漏洞进一步探索系统,可能会间接威胁到容器隔离性或宿主机的安全性。
3. **结论:**
条件 1 和条件 2 部分满足,因此返回以下分析结果:
- 与 namespace 和容器技术相关。
- 可能间接影响容器隔离性,但需要结合其他攻击手段才能对宿主机或其他容器造成实质性威胁。
cve: ./data/2022/48xxx/CVE-2022-48638.json
In the Linux kernel, the following vulnerability has been resolved:
cgroup: cgroup_get_from_id() must check the looked-up kn is a directory
cgroup has to be one kernfs dir, otherwise kernel panic is caused,
especially cgroup id is provide from userspace.
analysis: 1. 该 CVE 信息与 namespace、cgroup、container 或容器、隔离相关。
- 描述中明确提到 `cgroup` 和 `kernfs dir`,并且涉及用户空间提供的 cgroup ID这表明它与 cgroup 的实现和使用有关。
- cgroup 是 Linux 容器(如 Docker实现资源限制和隔离的重要组成部分。
2. 该 CVE 可能会导致容器在运行时影响其他容器或宿主机。
- 如果 `cgroup_get_from_id()` 没有正确检查查找的 kernfs 节点是否为目录可能会导致内核崩溃kernel panic。这种问题可能被恶意用户利用通过提供无效或恶意构造的 cgroup ID 来触发内核崩溃。
- 在共享内核的容器环境中(如 Docker这种漏洞可能允许一个容器影响其他容器或宿主机的稳定性。
结论:满足条件 1 和 2。
cve: ./data/2022/48xxx/CVE-2022-48671.json
In the Linux kernel, the following vulnerability has been resolved:
cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()
syzbot is hitting percpu_rwsem_assert_held(&cpu_hotplug_lock) warning at
cpuset_attach() [1], for commit 4f7e7236435ca0ab ("cgroup: Fix
threadgroup_rwsem <-> cpus_read_lock() deadlock") missed that
cpuset_attach() is also called from cgroup_attach_task_all().
Add cpus_read_lock() like what cgroup_procs_write_start() does.
analysis: 1. 该 CVE 信息与 cgroup 相关,因为它涉及到 `cgroup_attach_task_all()` 函数以及 `cpus_read_lock()` 的使用。Cgroup 是 Linux 内核中的一个功能模块,用于限制、控制和隔离进程组的资源使用(如 CPU、内存等并且是容器技术如 Docker实现资源隔离的重要组成部分。
2. 尽管该漏洞涉及 cgroup但它主要是关于内核中锁机制的正确性问题`percpu_rwsem_assert_held(&cpu_hotplug_lock)` 警告)。从描述来看,这个问题并不会直接影响容器的隔离性或导致一个容器影响其他容器或宿主机。它更像是一个内核代码路径的健壮性修复,而不是安全漏洞。
**结论**: N/A
cve: ./data/2022/48xxx/CVE-2022-48757.json
In the Linux kernel, the following vulnerability has been resolved:
net: fix information leakage in /proc/net/ptype
In one net namespace, after creating a packet socket without binding
it to a device, users in other net namespaces can observe the new
`packet_type` added by this packet socket by reading `/proc/net/ptype`
file. This is minor information leakage as packet socket is
namespace aware.
Add a net pointer in `packet_type` to keep the net namespace of
of corresponding packet socket. In `ptype_seq_show`, this net pointer
must be checked when it is not NULL.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的该CVE与namespace相关。具体来说它涉及网络命名空间net namespace。问题发生在创建一个未绑定到设备的packet socket时其他网络命名空间中的用户可以观察到该packet socket添加的`packet_type`信息。
2. **是否会导致容器例如Docker等在运行时影响其他容器或宿主机**
该漏洞导致的是信息泄露问题,而非权限提升或直接破坏隔离性的问题。虽然其他网络命名空间中的用户可以观察到新增的`packet_type`,但这只是轻微的信息泄露,并不会直接影响其他容器或宿主机的安全性。然而,在多租户环境中,这种信息泄露可能会被用于推测某些敏感信息,因此仍需注意。
**结论**满足条件1和条件2的部分要求但影响程度有限。
cve: ./data/2022/48xxx/CVE-2022-48799.json
In the Linux kernel, the following vulnerability has been resolved:
perf: Fix list corruption in perf_cgroup_switch()
There's list corruption on cgrp_cpuctx_list. This happens on the
following path:
perf_cgroup_switch: list_for_each_entry(cgrp_cpuctx_list)
cpu_ctx_sched_in
ctx_sched_in
ctx_pinned_sched_in
merge_sched_in
perf_cgroup_event_disable: remove the event from the list
Use list_for_each_entry_safe() to allow removing an entry during
iteration.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关**
是的,这个 CVE 与 cgroup 相关。问题出现在 `perf_cgroup_switch()` 函数中,涉及到 `cgrp_cpuctx_list` 的列表操作。Cgroups控制组是 Linux 内核中的一个功能,用于限制、控制和隔离进程组的资源使用(如 CPU、内存、磁盘 I/O 等。Perf 工具利用 cgroups 来对性能事件进行分组管理。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机**
可能会。由于该漏洞涉及 cgroup 的列表操作如果出现列表损坏list corruption可能会导致以下后果
- 在多租户环境中(例如容器编排系统 Kubernetes 中),不同容器之间的资源监控和限制可能失效。
- 如果容器内的进程触发了该漏洞,可能会导致宿主机上的 cgroup 数据结构损坏,从而影响整个系统的稳定性,甚至可能导致宿主机崩溃。
- 攻击者可能利用此漏洞逃逸容器环境,影响宿主机或其他容器。
因此,该漏洞有可能影响容器的隔离性,并对宿主机和其他容器造成潜在威胁。
**结论**:满足条件 1 和条件 2。
cve: ./data/2022/48xxx/CVE-2022-48944.json
In the Linux kernel, the following vulnerability has been resolved:
sched: Fix yet more sched_fork() races
Where commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an
invalid sched_task_group") fixed a fork race vs cgroup, it opened up a
race vs syscalls by not placing the task on the runqueue before it
gets exposed through the pidhash.
Commit 13765de8148f ("sched/fair: Fix fault in reweight_entity") is
trying to fix a single instance of this, instead fix the whole class
of issues, effectively reverting this commit.
analysis: 1. **分析是否与 namespace、cgroup、container 或者容器、隔离相关**
该 CVE 描述中提到 `sched_fork()` 函数中的竞争条件问题,并且明确提到了 `cgroup`(控制组)。因此,此漏洞与 cgroup 相关,而 cgroup 是容器技术(如 Docker实现资源隔离的重要组成部分。所以该 CVE 与容器和隔离机制有一定关联。
2. **分析是否会导致容器在运行时影响其他容器或宿主机**
该漏洞涉及 `sched_fork()` 函数的竞争条件问题,可能导致任务在被加入运行队列之前通过 `pidhash` 暴露出来。这种问题可能会影响调度器的行为,进而可能导致任务分配或资源管理的异常。由于 `cgroup` 是容器资源限制的核心机制,如果该漏洞被利用,可能会导致容器逃逸或影响宿主机的资源分配,从而影响其他容器或宿主机的安全性。
3. **结论**
根据以上分析,该 CVE 信息满足条件 1 和条件 2。
cve: ./data/2022/48xxx/CVE-2022-48988.json
In the Linux kernel, the following vulnerability has been resolved:
memcg: fix possible use-after-free in memcg_write_event_control()
memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call. As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file. Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.
Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses. The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through. With the
invarients broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-free's.
Fix the bug by resurrecting the file type check in __file_cft(). Now that
cgroupfs is implemented through kernfs, checking the file operations needs
to go through a layer of indirection. Instead, let's check the superblock
and dentry type.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的,这个 CVE 信息与 cgroup 相关。问题出现在 `memcg_write_event_control()` 函数中,该函数用于处理 cgroup 的内存控制功能。具体来说,问题涉及对 cgroup 接口文件的操作,包括文件名访问 (`dentry->d_name`) 和父目录访问。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机**
可能会。由于该漏洞允许任意文件通过检查并可能导致竞争条件race condition从而引发 use-after-free 问题。如果攻击者能够利用此漏洞在容器环境中可能会影响其他容器或宿主机的安全性。例如use-after-free 漏洞可能会被利用来执行任意代码或导致系统崩溃。虽然 cgroup 本身主要用于资源限制和隔离,但这种类型的漏洞可能会破坏隔离机制,进而影响整个系统的稳定性或安全性。
因此,基于以上分析,该 CVE 满足条件 1 和条件 2。
cve: ./data/2022/49xxx/CVE-2022-49266.json
In the Linux kernel, the following vulnerability has been resolved:
block: fix rq-qos breakage from skipping rq_qos_done_bio()
a647a524a467 ("block: don't call rq_qos_ops->done_bio if the bio isn't
tracked") made bio_endio() skip rq_qos_done_bio() if BIO_TRACKED is not set.
While this fixed a potential oops, it also broke blk-iocost by skipping the
done_bio callback for merged bios.
Before, whether a bio goes through rq_qos_throttle() or rq_qos_merge(),
rq_qos_done_bio() would be called on the bio on completion with BIO_TRACKED
distinguishing the former from the latter. rq_qos_done_bio() is not called
for bios which wenth through rq_qos_merge(). This royally confuses
blk-iocost as the merged bios never finish and are considered perpetually
in-flight.
One reliably reproducible failure mode is an intermediate cgroup geting
stuck active preventing its children from being activated due to the
leaf-only rule, leading to loss of control. The following is from
resctl-bench protection scenario which emulates isolating a web server like
workload from a memory bomb run on an iocost configuration which should
yield a reasonable level of protection.
# cat /sys/block/nvme2n1/device/model
Samsung SSD 970 PRO 512GB
# cat /sys/fs/cgroup/io.cost.model
259:0 ctrl=user model=linear rbps=834913556 rseqiops=93622 rrandiops=102913 wbps=618985353 wseqiops=72325 wrandiops=71025
# cat /sys/fs/cgroup/io.cost.qos
259:0 enable=1 ctrl=user rpct=95.00 rlat=18776 wpct=95.00 wlat=8897 min=60.00 max=100.00
# resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1
...
Memory Hog Summary
==================
IO Latency: R p50=242u:336u/2.5m p90=794u:1.4m/7.5m p99=2.7m:8.0m/62.5m max=8.0m:36.4m/350m
W p50=221u:323u/1.5m p90=709u:1.2m/5.5m p99=1.5m:2.5m/9.5m max=6.9m:35.9m/350m
Isolation and Request Latency Impact Distributions:
min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev
isol% 15.90 15.90 15.90 40.05 57.24 59.07 60.01 74.63 74.63 90.35 90.35 58.12 15.82
lat-imp% 0 0 0 0 0 4.55 14.68 15.54 233.5 548.1 548.1 53.88 143.6
Result: isol=58.12:15.82% lat_imp=53.88%:143.6 work_csv=100.0% missing=3.96%
The isolation result of 58.12% is close to what this device would show
without any IO control.
Fix it by introducing a new flag BIO_QOS_MERGED to mark merged bios and
calling rq_qos_done_bio() on them too. For consistency and clarity, rename
BIO_TRACKED to BIO_QOS_THROTTLED. The flag checks are moved into
rq_qos_done_bio() so that it's next to the code paths that set the flags.
With the patch applied, the above same benchmark shows:
# resctl-bench -m 29.6G -r out.json run protection::scenario=mem-hog,loops=1
...
Memory Hog Summary
==================
IO Latency: R p50=123u:84.4u/985u p90=322u:256u/2.5m p99=1.6m:1.4m/9.5m max=11.1m:36.0m/350m
W p50=429u:274u/995u p90=1.7m:1.3m/4.5m p99=3.4m:2.7m/11.5m max=7.9m:5.9m/26.5m
Isolation and Request Latency Impact Distributions:
min p01 p05 p10 p25 p50 p75 p90 p95 p99 max mean stdev
isol% 84.91 84.91 89.51 90.73 92.31 94.49 96.36 98.04 98.71 100.0 100.0 94.42 2.81
lat-imp% 0 0 0 0 0 2.81 5.73 11.11 13.92 17.53 22.61 4.10 4.68
Result: isol=94.42:2.81% lat_imp=4.10%:4.68 work_csv=58.34% missing=0%
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的这个CVE信息与`cgroup`和隔离相关。具体来说问题涉及到Linux内核块设备子系统中的`blk-iocost`功能该功能用于基于IO成本模型对IO进行控制和调度。问题的核心是由于`rq_qos_done_bio()`调用被跳过导致合并的bioblock IO在`blk-iocost`中被视为永久处于飞行状态从而影响了cgroup的正常行为。这可能会导致中间cgroup卡住无法正确激活其子cgroup从而破坏了资源隔离。
2. **是否会导致容器例如Docker等在运行时影响其他容器或宿主机**
有可能。由于该漏洞影响的是`blk-iocost`的正确性,而`blk-iocost`是Linux cgroup v2的一部分通常用于容器环境下的IO资源分配和隔离。如果某个容器的IO操作触发了这个问题可能导致其cgroup状态异常进而影响同一宿主机上其他容器的资源分配或隔离效果。此外宿主机本身的IO资源管理也可能受到影响。
3. **结论**
条件1和条件2均满足因此返回上述分析内容。
cve: ./data/2022/49xxx/CVE-2022-49394.json
In the Linux kernel, the following vulnerability has been resolved:
blk-iolatency: Fix inflight count imbalances and IO hangs on offline
iolatency needs to track the number of inflight IOs per cgroup. As this
tracking can be expensive, it is disabled when no cgroup has iolatency
configured for the device. To ensure that the inflight counters stay
balanced, iolatency_set_limit() freezes the request_queue while manipulating
the enabled counter, which ensures that no IO is in flight and thus all
counters are zero.
Unfortunately, iolatency_set_limit() isn't the only place where the enabled
counter is manipulated. iolatency_pd_offline() can also dec the counter and
trigger disabling. As this disabling happens without freezing the q, this
can easily happen while some IOs are in flight and thus leak the counts.
This can be easily demonstrated by turning on iolatency on an one empty
cgroup while IOs are in flight in other cgroups and then removing the
cgroup. Note that iolatency shouldn't have been enabled elsewhere in the
system to ensure that removing the cgroup disables iolatency for the whole
device.
The following keeps flipping on and off iolatency on sda:
echo +io > /sys/fs/cgroup/cgroup.subtree_control
while true; do
mkdir -p /sys/fs/cgroup/test
echo '8:0 target=100000' > /sys/fs/cgroup/test/io.latency
sleep 1
rmdir /sys/fs/cgroup/test
sleep 1
done
and there's concurrent fio generating direct rand reads:
fio --name test --filename=/dev/sda --direct=1 --rw=randread \
--runtime=600 --time_based --iodepth=256 --numjobs=4 --bs=4k
while monitoring with the following drgn script:
while True:
for css in css_for_each_descendant_pre(prog['blkcg_root'].css.address_of_()):
for pos in hlist_for_each(container_of(css, 'struct blkcg', 'css').blkg_list):
blkg = container_of(pos, 'struct blkcg_gq', 'blkcg_node')
pd = blkg.pd[prog['blkcg_policy_iolatency'].plid]
if pd.value_() == 0:
continue
iolat = container_of(pd, 'struct iolatency_grp', 'pd')
inflight = iolat.rq_wait.inflight.counter.value_()
if inflight:
print(f'inflight={inflight} {disk_name(blkg.q.disk).decode("utf-8")} '
f'{cgroup_path(css.cgroup).decode("utf-8")}')
time.sleep(1)
The monitoring output looks like the following:
inflight=1 sda /user.slice
inflight=1 sda /user.slice
...
inflight=14 sda /user.slice
inflight=13 sda /user.slice
inflight=17 sda /user.slice
inflight=15 sda /user.slice
inflight=18 sda /user.slice
inflight=17 sda /user.slice
inflight=20 sda /user.slice
inflight=19 sda /user.slice <- fio stopped, inflight stuck at 19
inflight=19 sda /user.slice
inflight=19 sda /user.slice
If a cgroup with stuck inflight ends up getting throttled, the throttled IOs
will never get issued as there's no completion event to wake it up leading
to an indefinite hang.
This patch fixes the bug by unifying enable handling into a work item which
is automatically kicked off from iolatency_set_min_lat_nsec() which is
called from both iolatency_set_limit() and iolatency_pd_offline() paths.
Punting to a work item is necessary as iolatency_pd_offline() is called
under spinlocks while freezing a request_queue requires a sleepable context.
This also simplifies the code reducing LOC sans the comments and avoids the
unnecessary freezes which were happening whenever a cgroup's latency target
is newly set or cleared.
analysis: 1. **分析是否与namespace、cgroup、container或者容器、隔离相关**
是的,这个 CVE 信息与 cgroup 直接相关。漏洞描述中提到 `iolatency` 是基于 cgroup 的机制,用于跟踪每个 cgroup 的 inflight IO 数量。此外,问题的核心在于 `iolatency_pd_offline()` 和 `iolatency_set_limit()` 操控 enabled 计数器时未正确同步,导致 inflight 计数不平衡。
2. **分析是否会导致容器(例如 Docker在运行时影响其他容器或宿主机**
可能会。由于该漏洞涉及 cgroup 的 IO 调度机制,如果一个容器的 cgroup 配置受到影响(例如 inflight 计数不平衡),可能会导致该容器的 IO 被错误地限制或挂起,从而间接影响宿主机或其他容器的正常运行。特别是当某个 cgroup 的 inflight 计数卡住时,可能导致 IO 挂起,进一步影响整个系统的稳定性。
3. **结论**
条件 1 和条件 2 均满足,因此需要返回上述分析内容。
cve: ./data/2022/49xxx/CVE-2022-49411.json
In the Linux kernel, the following vulnerability has been resolved:
bfq: Make sure bfqg for which we are queueing requests is online
Bios queued into BFQ IO scheduler can be associated with a cgroup that
was already offlined. This may then cause insertion of this bfq_group
into a service tree. But this bfq_group will get freed as soon as last
bio associated with it is completed leading to use after free issues for
service tree users. Fix the problem by making sure we always operate on
online bfq_group. If the bfq_group associated with the bio is not
online, we pick the first online parent.
analysis: 1. **是否与 namespace、cgroup、container 或者容器、隔离相关:**
是的,该 CVE 信息与 cgroup 相关。问题描述中提到 BFQ I/O 调度器中的 `bfq_group` 可能与一个已经被 offlined 的 cgroup 关联,这表明问题涉及到 cgroup 的生命周期管理。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机:**
这个漏洞可能导致 use-after-free 问题,从而可能引发系统不稳定或崩溃。虽然问题本身直接涉及的是 cgroup 和 I/O 调度器,但如果容器使用了受影响的 BFQ 调度器,并且其 cgroup 被 offlined可能会导致容器的 I/O 操作影响到宿主机或其他容器的稳定性。因此,这种漏洞在某些情况下可能会影响容器隔离性。
**结论:** 该 CVE 信息满足条件 1 和条件 2。
cve: ./data/2022/49xxx/CVE-2022-49412.json
In the Linux kernel, the following vulnerability has been resolved:
bfq: Avoid merging queues with different parents
It can happen that the parent of a bfqq changes between the moment we
decide two queues are worth to merge (and set bic->stable_merge_bfqq)
and the moment bfq_setup_merge() is called. This can happen e.g. because
the process submitted IO for a different cgroup and thus bfqq got
reparented. It can even happen that the bfqq we are merging with has
parent cgroup that is already offline and going to be destroyed in which
case the merge can lead to use-after-free issues such as:
BUG: KASAN: use-after-free in __bfq_deactivate_entity+0x9cb/0xa50
Read of size 8 at addr ffff88800693c0c0 by task runc:[2:INIT]/10544
CPU: 0 PID: 10544 Comm: runc:[2:INIT] Tainted: G E 5.15.2-0.g5fb85fd-default #1 openSUSE Tumbleweed (unreleased) f1f3b891c72369aebecd2e43e4641a6358867c70
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0x46/0x5a
print_address_description.constprop.0+0x1f/0x140
? __bfq_deactivate_entity+0x9cb/0xa50
kasan_report.cold+0x7f/0x11b
? __bfq_deactivate_entity+0x9cb/0xa50
__bfq_deactivate_entity+0x9cb/0xa50
? update_curr+0x32f/0x5d0
bfq_deactivate_entity+0xa0/0x1d0
bfq_del_bfqq_busy+0x28a/0x420
? resched_curr+0x116/0x1d0
? bfq_requeue_bfqq+0x70/0x70
? check_preempt_wakeup+0x52b/0xbc0
__bfq_bfqq_expire+0x1a2/0x270
bfq_bfqq_expire+0xd16/0x2160
? try_to_wake_up+0x4ee/0x1260
? bfq_end_wr_async_queues+0xe0/0xe0
? _raw_write_unlock_bh+0x60/0x60
? _raw_spin_lock_irq+0x81/0xe0
bfq_idle_slice_timer+0x109/0x280
? bfq_dispatch_request+0x4870/0x4870
__hrtimer_run_queues+0x37d/0x700
? enqueue_hrtimer+0x1b0/0x1b0
? kvm_clock_get_cycles+0xd/0x10
? ktime_get_update_offsets_now+0x6f/0x280
hrtimer_interrupt+0x2c8/0x740
Fix the problem by checking that the parent of the two bfqqs we are
merging in bfq_setup_merge() is the same.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的,该漏洞与 cgroup 相关。具体来说,问题出现在 I/O 调度器 BFQBudget Fair Queuing涉及到不同 cgroup 的队列合并操作。当一个进程为不同的 cgroup 提交 I/O 请求时,可能导致队列被重新分配父级 cgroup从而引发潜在的使用后释放use-after-free问题。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机**
是的,该漏洞可能会影响容器的隔离性。由于 cgroup 是容器资源隔离的核心机制之一BFQ 队列的错误合并可能导致对已销毁 cgroup 的引用,进而引发 use-after-free 问题。这可能会导致容器逃逸或影响宿主机的稳定性,尤其是在多租户环境中,不同容器共享同一宿主机的情况下。
3. **结论**
条件 1 和条件 2 均满足,因此需要返回上述分析内容。
cve: ./data/2022/49xxx/CVE-2022-49413.json
In the Linux kernel, the following vulnerability has been resolved:
bfq: Update cgroup information before merging bio
When the process is migrated to a different cgroup (or in case of
writeback just starts submitting bios associated with a different
cgroup) bfq_merge_bio() can operate with stale cgroup information in
bic. Thus the bio can be merged to a request from a different cgroup or
it can result in merging of bfqqs for different cgroups or bfqqs of
already dead cgroups and causing possible use-after-free issues. Fix the
problem by updating cgroup information in bfq_merge_bio().
analysis: 1. 该 CVE 信息与 namespace、cgroup、container 或容器、隔离相关。
分析:漏洞描述中明确提到 cgroup控制组的概念并且问题出现在当进程迁移到不同的 cgroup 或者与不同 cgroup 关联的 bio 提交时,可能导致错误的合并操作。这表明问题直接涉及 cgroup 的管理。
2. 该 CVE 不会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机。
分析:虽然该漏洞涉及 cgroup但其影响主要集中在 I/O 调度器 BFQBudget Fair Queuing的实现上。具体来说问题是由于过时的 cgroup 信息导致 bio 合并错误,可能引发 use-after-free 问题。然而,这种问题的影响范围限制在内核的 I/O 调度逻辑中,不会直接影响容器之间的隔离性或对宿主机的安全性造成威胁。
结论:满足条件 1但不满足条件 2。
cve: ./data/2022/49xxx/CVE-2022-49567.json
In the Linux kernel, the following vulnerability has been resolved:
mm/mempolicy: fix uninit-value in mpol_rebind_policy()
mpol_set_nodemask()(mm/mempolicy.c) does not set up nodemask when
pol->mode is MPOL_LOCAL. Check pol->mode before access
pol->w.cpuset_mems_allowed in mpol_rebind_policy()(mm/mempolicy.c).
BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:352 [inline]
BUG: KMSAN: uninit-value in mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
mpol_rebind_policy mm/mempolicy.c:352 [inline]
mpol_rebind_task+0x2ac/0x2c0 mm/mempolicy.c:368
cpuset_change_task_nodemask kernel/cgroup/cpuset.c:1711 [inline]
cpuset_attach+0x787/0x15e0 kernel/cgroup/cpuset.c:2278
cgroup_migrate_execute+0x1023/0x1d20 kernel/cgroup/cgroup.c:2515
cgroup_migrate kernel/cgroup/cgroup.c:2771 [inline]
cgroup_attach_task+0x540/0x8b0 kernel/cgroup/cgroup.c:2804
__cgroup1_procs_write+0x5cc/0x7a0 kernel/cgroup/cgroup-v1.c:520
cgroup1_tasks_write+0x94/0xb0 kernel/cgroup/cgroup-v1.c:539
cgroup_file_write+0x4c2/0x9e0 kernel/cgroup/cgroup.c:3852
kernfs_fop_write_iter+0x66a/0x9f0 fs/kernfs/file.c:296
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write fs/read_write.c:503 [inline]
vfs_write+0x1318/0x2030 fs/read_write.c:590
ksys_write+0x28b/0x510 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0xdb/0x120 fs/read_write.c:652
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
Uninit was created at:
slab_post_alloc_hook mm/slab.h:524 [inline]
slab_alloc_node mm/slub.c:3251 [inline]
slab_alloc mm/slub.c:3259 [inline]
kmem_cache_alloc+0x902/0x11c0 mm/slub.c:3264
mpol_new mm/mempolicy.c:293 [inline]
do_set_mempolicy+0x421/0xb70 mm/mempolicy.c:853
kernel_set_mempolicy mm/mempolicy.c:1504 [inline]
__do_sys_set_mempolicy mm/mempolicy.c:1510 [inline]
__se_sys_set_mempolicy+0x44c/0xb60 mm/mempolicy.c:1507
__x64_sys_set_mempolicy+0xd8/0x110 mm/mempolicy.c:1507
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
KMSAN: uninit-value in mpol_rebind_task (2)
https://syzkaller.appspot.com/bug?id=d6eb90f952c2a5de9ea718a1b873c55cb13b59dc
This patch seems to fix below bug too.
KMSAN: uninit-value in mpol_rebind_mm (2)
https://syzkaller.appspot.com/bug?id=f2fecd0d7013f54ec4162f60743a2b28df40926b
The uninit-value is pol->w.cpuset_mems_allowed in mpol_rebind_policy().
When syzkaller reproducer runs to the beginning of mpol_new(),
mpol_new() mm/mempolicy.c
do_mbind() mm/mempolicy.c
kernel_mbind() mm/mempolicy.c
`mode` is 1(MPOL_PREFERRED), nodes_empty(*nodes) is `true` and `flags`
is 0. Then
mode = MPOL_LOCAL;
...
policy->mode = mode;
policy->flags = flags;
will be executed. So in mpol_set_nodemask(),
mpol_set_nodemask() mm/mempolicy.c
do_mbind()
kernel_mbind()
pol->mode is 4 (MPOL_LOCAL), that `nodemask` in `pol` is not initialized,
which will be accessed in mpol_rebind_policy().
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的,这个 CVE 信息与 cgroup 相关。在调用栈中可以看到 `cpuset_change_task_nodemask` 和 `cpuset_attach` 函数,这些函数属于 Linux 内核中的 cgroup 子系统(具体是 cpuset 控制组。Cgroup 是容器技术(如 Docker实现资源隔离的重要组成部分。
2. **是否会导致容器(例如 Docker 等)在运行时影响其他容器或宿主机**
从描述来看,该漏洞涉及未初始化的值 (`uninit-value`) 在内存策略 (`mempolicy`) 中被访问。这种问题可能会导致内核崩溃或其他不可预测的行为。如果攻击者能够触发此漏洞,可能会影响整个系统的稳定性,包括宿主机和其他容器的正常运行。因此,该漏洞有可能被利用来破坏容器之间的隔离性,甚至影响宿主机。
3. **结论**
由于条件 1 和 2 均满足,因此需要返回分析结果,而不是 "N/A"。
cve: ./data/2022/49xxx/CVE-2022-49647.json
In the Linux kernel, the following vulnerability has been resolved:
cgroup: Use separate src/dst nodes when preloading css_sets for migration
Each cset (css_set) is pinned by its tasks. When we're moving tasks around
across csets for a migration, we need to hold the source and destination
csets to ensure that they don't go away while we're moving tasks about. This
is done by linking cset->mg_preload_node on either the
mgctx->preloaded_src_csets or mgctx->preloaded_dst_csets list. Using the
same cset->mg_preload_node for both the src and dst lists was deemed okay as
a cset can't be both the source and destination at the same time.
Unfortunately, this overloading becomes problematic when multiple tasks are
involved in a migration and some of them are identity noop migrations while
others are actually moving across cgroups. For example, this can happen with
the following sequence on cgroup1:
#1> mkdir -p /sys/fs/cgroup/misc/a/b
#2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs
#3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS &
#4> PID=$!
#5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks
#6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs
the process including the group leader back into a. In this final migration,
non-leader threads would be doing identity migration while the group leader
is doing an actual one.
After #3, let's say the whole process was in cset A, and that after #4, the
leader moves to cset B. Then, during #6, the following happens:
1. cgroup_migrate_add_src() is called on B for the leader.
2. cgroup_migrate_add_src() is called on A for the other threads.
3. cgroup_migrate_prepare_dst() is called. It scans the src list.
4. It notices that B wants to migrate to A, so it tries to A to the dst
list but realizes that its ->mg_preload_node is already busy.
5. and then it notices A wants to migrate to A as it's an identity
migration, it culls it by list_del_init()'ing its ->mg_preload_node and
putting references accordingly.
6. The rest of migration takes place with B on the src list but nothing on
the dst list.
This means that A isn't held while migration is in progress. If all tasks
leave A before the migration finishes and the incoming task pins it, the
cset will be destroyed leading to use-after-free.
This is caused by overloading cset->mg_preload_node for both src and dst
preload lists. We wanted to exclude the cset from the src list but ended up
inadvertently excluding it from the dst list too.
This patch fixes the issue by separating out cset->mg_preload_node into
->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst
preloadings don't interfere with each other.
analysis: 1. **是否与namespace、cgroup、container或者容器、隔离相关**
是的,该 CVE 信息明确与 cgroup控制组相关。cgroup 是 Linux 内核中的一个特性,用于限制、记录和隔离进程组的资源(如 CPU、内存、磁盘 I/O 等)。此漏洞涉及 cgroup 的迁移逻辑,特别是 css_setcontrol group subsystem set在任务迁移时的处理问题。
2. **是否会导致容器(例如 Docker在运行时影响其他容器或宿主机**
可能会。由于此漏洞涉及到 cgroup 的任务迁移逻辑,而 cgroup 是容器技术(如 Docker、Kubernetes 等)实现资源隔离的核心机制之一,因此如果漏洞被利用,可能会导致以下问题:
- 在多租户环境中,一个容器内的任务迁移操作可能会影响其他容器的任务迁移逻辑,进而可能导致资源分配错误或隔离失效。
- 如果宿主机上的 cgroup 配置受到影响,可能会间接影响到宿主机的稳定性或安全性,例如导致资源竞争或内核崩溃。
3. **结论**
根据上述分析,条件 1 和条件 2 均满足,因此返回分析结果而非 "N/A"。
Reference in New Issue View Git Blame Copy Permalink