-
Notifications
You must be signed in to change notification settings - Fork 128
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
segmentation fault with podman and ocrmypdf #315
Comments
Further details:
|
Does this mean the issue is related to logging? By the nature of ocrmypdf, there will be (large) binary streams sent to STDOUT. Could it be that the construction of |
Is this related to #264? |
I might be seeing a similar or the same issue:
I get this error:
And see this seg fault in dmesg
Versions:
The error is from the built version of #264, same error with 2.0.30 too |
I'm also seeing this when building a dev environment for the kubevirt project. For whatever reason part of the current process is to dump a 40mb binary file to the stdout of a container before piping it into a local file:
|
I'm attempting an install of Openshift and see it on the control nodes. The EDIT: Looks like other projects are starting to work around the issue - openshift/machine-config-operator@cb76ecf |
There is currently a known conmon issue [1] when podman based containers dump large amounts of data to stdout. gocli would previously do this when copying the kubectl binary to the host machine. This change replaces that with a simple volume mount workaround when using podman until the underlying conmon issue is resolved. [1] containers/conmon#315 Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
There is currently a known conmon issue [1] when podman based containers dump large amounts of data to stdout. gocli would previously do this when copying the kubectl binary to the host machine. This change replaces that with a simple volume mount workaround when using podman until the underlying conmon issue is resolved. [1] containers/conmon#315 Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
There is currently a known conmon issue [1] when podman based containers dump large amounts of data to stdout. gocli would previously do this when copying the kubectl binary to the host machine. This change replaces that with a simple volume mount workaround when using podman until the underlying conmon issue is resolved. [1] containers/conmon#315 Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
There is currently a known conmon issue [1] when podman based containers dump large amounts of data to stdout. gocli would previously do this when copying the kubectl binary to the host machine. This change replaces that with a simple volume mount workaround when using podman until the underlying conmon issue is resolved. [1] containers/conmon#315 Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
There is currently a known conmon issue [1] when podman based containers dump large amounts of data to stdout. gocli would previously do this when copying the kubectl binary to the host machine. This change replaces that with a simple volume mount workaround when using podman until the underlying conmon issue is resolved. [1] containers/conmon#315 Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
There is currently a known conmon issue [1] when podman based containers dump large amounts of data to stdout. gocli would previously do this when copying the kubectl binary to the host machine. This change replaces that with a simple volume mount workaround when using podman until the underlying conmon issue is resolved. [1] containers/conmon#315 Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
There is currently a known conmon issue [1] when podman based containers dump large amounts of data to stdout. gocli would previously do this when copying the kubectl binary to the host machine. This change replaces that with a simple volume mount workaround when using podman until the underlying conmon issue is resolved. [1] containers/conmon#315 Signed-off-by: Lee Yarwood <lyarwood@redhat.com>
sorry for the delay folks I haven't had the bandwidth to work on this but it is on my list of things to look at |
Another report of this. One thing that seems to be consistent with all the reports is that we're all dumping data from the container over STDOUT. jess-sol's comment seems to be on the right track regarding size. I've tried to narrow down at what size it dies, but it seems to vary. For me it's somewhere around 1860000 bytes. Sometimes using 1860000 will be fine, and sometimes it'll segfault. If I go much higher it consistently segfaults. If I go much lower it consistently works. Though in my case, I can work around the issue by passing
|
I started using Anyway as far as I can tell Lines 296 to 300 in 9e416a2
It can be reproduced by building podman run fedora:36 bash -c 'printf "\0\n"' =================================================================
==119632==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002079 at pc 0x7f3a69c4d949 bp 0x7fffd73cb6f0 sp 0x7fffd73caea0
READ of size 10 at 0x602000002079 thread T0
#0 0x7f3a69c4d948 in __interceptor_memchr.part.0 (/lib64/libasan.so.8+0x4d948)
#1 0x7f3a69102a81 in sd_journal_sendv ../src/libsystemd/sd-journal/journal-send.c:278
#2 0x7f3a6910845a in sd_journal_sendv_with_location ../src/libsystemd/sd-journal/journal-send.c:580
#3 0x40e2e9 in write_journald ../src/ctr_logging.c:328
#4 0x40f3b5 in write_to_logs ../src/ctr_logging.c:230
#5 0x41bd0b in read_stdio ../src/ctr_stdio.c:138
#6 0x41bee8 in stdio_cb ../src/ctr_stdio.c:35
#7 0x7f3a69b18fae in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x54fae)
#8 0x7f3a69b6e2c7 in g_main_context_iterate.constprop.0 (/lib64/libglib-2.0.so.0+0xaa2c7)
#9 0x7f3a69b186ce in g_main_loop_run (/lib64/libglib-2.0.so.0+0x546ce)
#10 0x40996d in main ../src/conmon.c:453
#11 0x7f3a67e2950f in __libc_start_call_main (/lib64/libc.so.6+0x2950f)
#12 0x7f3a67e295c8 in __libc_start_main_impl (/lib64/libc.so.6+0x295c8)
#13 0x40aa74 in _start (/home/vagrant/conmon/build/conmon+0x40aa74)
0x602000002079 is located 0 bytes to the right of 9-byte region [0x602000002070,0x602000002079)
allocated by thread T0 here:
#0 0x7f3a69cba68f in __interceptor_malloc (/lib64/libasan.so.8+0xba68f)
#1 0x7f3a67e81ce7 in __vasprintf_internal (/lib64/libc.so.6+0x81ce7)
#2 0x5144348b7aad34ff (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.8+0x4d948) in __interceptor_memchr.part.0
Shadow bytes around the buggy address:
0x0c047fff83b0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
0x0c047fff83c0: fa fa 00 00 fa fa fd fd fa fa 00 fa fa fa 00 fa
0x0c047fff83d0: fa fa 00 fa fa fa 07 fa fa fa 00 fa fa fa 00 fa
0x0c047fff83e0: fa fa 00 fa fa fa 04 fa fa fa 00 00 fa fa 04 fa
0x0c047fff83f0: fa fa 00 00 fa fa fd fd fa fa fd fa fa fa fd fa
=>0x0c047fff8400: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00[01]
0x0c047fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==119632==ABORTING |
msg_len doesn't take into account NUL bytes that could be present in the buffer, while g_strdup_printf("MESSAGE=%s%s", partial_buf, buf) does and would stop writing the string once it finds a NUL byte. This would lead to read after the buffer end. Build the message string manually so that the calculated length reflects the buffer size. Closes: containers#315 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
I've opened a PR here: #361 |
msg_len doesn't take into account NUL bytes that could be present in the buffer, while g_strdup_printf("MESSAGE=%s%s", partial_buf, buf) does and would stop writing the string once it finds a NUL byte. This would lead to read after the buffer end. Build the message string manually so that the calculated length reflects the buffer size. Closes: containers#315 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
msg_len doesn't take into account NUL bytes that could be present in the buffer, while g_strdup_printf("MESSAGE=%s%s", partial_buf, buf) does and would stop writing the string once it finds a NUL byte. This would lead to read after the buffer end. Build the message string manually so that the calculated length reflects the buffer size. Closes: #315 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
I am trying to determine the security impact of this flaw. Could anyone help by answering these questions and/or confirming my assumptions
|
I don't think
I don't think it would. One container can crash only its own
I think it depends on what they do. If they try to write data to file descriptors that are supposed to be managed by
If there is a way to supply images or Dockerfiles used to build and run containers there I think it's possible to trigger that remotely.
I think whatever runs those containers needs to be authenticated one way or another. The question would be where all the images and Dockerfiles come from. If they are pulled from registries or say GitHub it isn't necessary to have a cloud service account. For example there are testing services where Dockerfiles are provided by random GitHub users and those users don't have to have access to the testing infrastructure directly.
Yes. The easiest (but not the fastest) way to trigger it reliably without ASan would be to
I think it depends. If containers are pulled/built and run fully automatically user interaction isn't required. |
I seem to have misunderstood the question. I was talking about "crashing" containers (with my use case where a bunch of homogeneous containers do the same thing). The question seems to have been about the other containers (running in parallel and doing something else). Those other containers should be fine as far as I can tell. Sorry about that. |
The risk is that Podman would loose track of the container processes, so it would not easily be able to kill the container. |
Manual operations would still work ( |
Thanks all, that info helps narrow it down. From my reading, the effects are limited to a single "attacking" container. So here is how I would rate the impact 3.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |
I think all in all it's more of a reliability issue in the sense that legitimate containers that happen to spew zero bytes here and there would go down and the conmon crash would prevent them from being restarted normally (and in that case A would be H). That same crash would prevent "malicious" containers from being restarted for eternity (which is a good thing I think) so I think the security impact is low and the vector seems to reflect that. |
Just to clarify as far as I can tell the worst thing that malicious containers can do is to dodge timeouts, restarts and so on and go about their business until they are somehow detected and stopped manually with, say, |
Worth noting that this can potentially be used to obfuscate other malicious actions in the container - by killing Conmon, all logging of the container is also stopped. |
On the bright side when
should still end up in kmsg and the journal and make it possible to at least detect that. |
I originally filed the issue in ocrmypdf: ocrmypdf/OCRmyPDF#889
Essentially, when doing
the output hangs, and I see a segfault in conmon in dmesg:
Address within libc: 0x00007f025e26d9b5 - 0x7f025e11e000 = 0x14F9B5
Running the same with log-level=debug, I see
Searching for this on the net brought up a potential fix on https://issueexplorer.com/issue/containers/conmon/251
Of this suggestion, only the first part made it into your code.
It is also worth noting that this does not happen all the time, but that is probably due to the output of ocrmypdf not being deterministic. Additionally, when this happens, podman logs contains some content that should go to stdout in stderr (and vice-versa).
This is executed on:
The text was updated successfully, but these errors were encountered: