
CVE-2019-19921 re-introduction/regression #3751

Closed
Beuc opened this issue Feb 24, 2023 · 11 comments · Fixed by #3773 or kubernetes-sigs/vsphere-csi-driver#2326

Comments

@Beuc

Beuc commented Feb 24, 2023

Hi,

I'm part of the Debian Long Term Support (LTS) team, and I'm currently working on an update for package runc.

As explained in #2197 (comment), while working on fixing CVE-2019-19921, I noticed the fix was apparently broken by the one for CVE-2021-30465 (0ca91f4).

I can reproduce the issue with branch main, using the original reproducer from #2197 (the host's /proc/sys/kernel/core_pattern is overwritten from container-2 after a few tries).

Because various GNU/Linux distributions have incorporated the initial fix (or upgraded runc), and marked the security issue "fixed", I would recommend registering a new CVE to indicate that a follow-up fix is needed.
Do you confirm?

Thanks and best regards.

@thaJeztah
Member

/cc @samuelkarp @opencontainers/runc-maintainers

@carnil

carnil commented Mar 4, 2023

CVE-2023-27561 is the new CVE.

@AkihiroSuda
Member

Thank you for reporting this, but next time please follow https://github.com/opencontainers/runc/blob/main/SECURITY.md before disclosure.

@AkihiroSuda
Member

AkihiroSuda commented Mar 4, 2023

I'm trying to follow the repro steps in https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9, but I still can't repro locally. (EDIT: reproducible on Ubuntu too, after attempting hundreds of times)

Tested the current main branch 69225fa and v1.1.4, on Ubuntu 22.10 (kernel 5.19.0-31-generic), amd64.

@AkihiroSuda
Member

AkihiroSuda commented Mar 4, 2023

Seems reproducible on Debian 11 (kernel 5.10.0-21-amd64). Maybe related to the kernel version?
(EDIT: reproducible on Ubuntu too, after attempting hundreds of times)

@g0dA

g0dA commented Mar 5, 2023

No, I don't think it has anything to do with the kernel version; it's just that SYS_renameat2 won the race and was executed before readonlyPath() ran.

1. Delay the execution of readonlyPath() by modifying the source code.
2. Executing SYS_renameat2 twice then reproduces it successfully.

@g0dA

g0dA commented Mar 5, 2023

P.S. Adding the test steps in which I did not modify the code.

v1.1.4, on Arch (kernel 6.1.9-arch1-1)
Following the repro steps in https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9

1. Run pwn in container-1.
2. Then create container-2 in another shell:

    for i in {0..150}; do sudo runc create test-${i}; done

3. runc list

    ID            PID         STATUS      BUNDLE                                    CREATED                          OWNER
    container-1   3094        created     /home/lang/Desktop/seccheck/container-1   2023-03-05T04:41:32.637528085Z   root
    test-132      11887       created     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:55.707083185Z   root
    test-137      11972       created     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:55.822176563Z   root
    test-33       0           stopped     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:53.207528822Z   root
    test-82       0           stopped     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:54.477270492Z   root
    test-96       0           stopped     /home/lang/Desktop/seccheck/container-2   2023-03-05T05:35:54.831671262Z   root

There are two things to note:

1. The permissions of /tmp/poc will cause SYS_renameat2 to fail.
2. The continuous operation of pwn will cause the already-created container-2 to fail.
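The race g0dA describes above is a classic check-then-use gap: the mount point for "proc" is inspected as a path, and a renameat2 exchange swaps that path for a symlink between the inspection and the mount. The following Go code is an added example written for this page; it is not runc's code and not the fix in #3773. It shows the shape of the check that the error message quoted later in the thread (filesystem "proc" must be mounted on ordinary directory) stands for, done in a way that does not reopen the window: the candidate directory is opened with O_NOFOLLOW and O_DIRECTORY, the properties are verified on the descriptor that was actually opened, and the descriptor is handed back so a Linux caller can mount on /proc/self/fd/N, which still points at the pinned inode even if the original path has since been swapped. The function names, the constructed rootfs layout in main, and the choice of a same-device comparison to detect an existing mount are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// openOrdinaryDir opens dir without following a trailing symlink and checks,
// on the opened descriptor rather than on the path, that it is a plain
// directory on the same filesystem as its parent. The descriptor is returned
// so the caller can act on the pinned inode instead of re-resolving the path.
// Hypothetical helper written for this example, not runc code.
func openOrdinaryDir(dir string) (*os.File, error) {
	// O_NOFOLLOW: a trailing symlink fails with ELOOP instead of being followed.
	// O_DIRECTORY: a regular file fails with ENOTDIR.
	f, err := os.OpenFile(dir, os.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_DIRECTORY, 0)
	if err != nil {
		return nil, fmt.Errorf("%s is not an ordinary directory: %w", dir, err)
	}
	// fstat the descriptor we hold, not the path we were given.
	fi, err := f.Stat()
	if err != nil {
		f.Close()
		return nil, err
	}
	if !fi.IsDir() { // belt and braces; O_DIRECTORY already enforces this
		f.Close()
		return nil, fmt.Errorf("%s is not a directory", dir)
	}
	// A device number different from the parent's means a foreign filesystem
	// (for example an earlier proc mount) already sits on this directory.
	// Assumption of this example: a same-filesystem bind mount is not caught.
	pfi, err := os.Lstat(filepath.Dir(dir))
	if err != nil {
		f.Close()
		return nil, err
	}
	st, ok1 := fi.Sys().(*syscall.Stat_t)
	pst, ok2 := pfi.Sys().(*syscall.Stat_t)
	if !ok1 || !ok2 {
		f.Close()
		return nil, errors.New("stat_t not available on this platform")
	}
	if st.Dev != pst.Dev {
		f.Close()
		return nil, fmt.Errorf("%s is already a mount point", dir)
	}
	return f, nil
}

// mountTarget returns the path a Linux caller would hand to mount(2) so the
// mount lands on the directory pinned by f, whatever dir now resolves to.
func mountTarget(f *os.File) string {
	return fmt.Sprintf("/proc/self/fd/%d", f.Fd())
}

func main() {
	// Constructed rootfs layout for the demo: a real proc directory, a
	// symlink pointing at the host's /proc, and a regular file.
	root, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.Mkdir(filepath.Join(root, "proc"), 0o755)
	os.Symlink("/proc", filepath.Join(root, "proc-as-symlink"))
	os.WriteFile(filepath.Join(root, "proc-as-file"), nil, 0o644)

	for _, name := range []string{"proc", "proc-as-symlink", "proc-as-file"} {
		f, err := openOrdinaryDir(filepath.Join(root, name))
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println("accept:", name, "-> mount on", mountTarget(f))
		f.Close()
	}
}
```

The point of the design is that nothing after the open looks at the path again: if container-1's renameat2 exchange lands after openOrdinaryDir returns, the path now names a symlink but the descriptor still names the ordinary directory that was checked, so a mount through /proc/self/fd/N cannot be redirected to the host's /proc.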

@ssst0n3

ssst0n3 commented Mar 6, 2023

@AkihiroSuda
Member

AkihiroSuda commented Mar 6, 2023

> Why is there no advisory under https://github.com/opencontainers/runc/security/advisories?

Because the CVE was published by somebody outside us, and we haven't released the fix (#3756, #3773) yet.

@Beuc
Author

Beuc commented Mar 25, 2023

Works for me (behavior back to: filesystem "proc" must be mounted on ordinary directory), thanks!
