From 5faee5d82556a6bf4dd1144d2a86e70d097ab200 Mon Sep 17 00:00:00 2001
From: Peter Hunt
Date: Thu, 7 Dec 2023 16:07:12 -0500
Subject: [PATCH] allowed annotations: correctly filter prefixed annotations

without this fix, a pod is able to gain access to experimental annotations that are prefixes of container names. The most problematic of these is io.kubernetes.cri-o.UnifiedCgroup, which allows a user to arbitrarily change the resources of the pod, potentially leading to OOM.

Fixes CVE-2023-6476

Signed-off-by: Peter Hunt

CVE: CVE-2023-6476

Upstream-Status: Backport [https://github.com/cri-o/cri-o/commit/5faee5d82556a6bf4dd1144d2a86e70d097ab200]

Signed-off-by: Archana Polampalli
---
 pkg/config/workloads.go | 2 +-
 test/workloads.bats | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/pkg/config/workloads.go b/pkg/config/workloads.go
index d5eeaf1ef..37a22fe76 100644
--- a/pkg/config/workloads.go
+++ b/pkg/config/workloads.go
@@ -102,7 +102,7 @@ func (w Workloads) FilterDisallowedAnnotations(allowed []string, toFilter map[st
 for ann := range toFilter {
 for _, d := range disallowed {
 if strings.HasPrefix(ann, d) {
- delete(toFilter, d)
+ delete(toFilter, ann)
 }
 }
 }
diff --git a/test/workloads.bats b/test/workloads.bats
index 6102d6326..0f4d6e4f0 100644
--- a/test/workloads.bats
+++ b/test/workloads.bats
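Review bot: The inner loop keeps scanning `disallowed` after the key has already been removed, and `strings.HasPrefix` with no separator will also drop an allowed key that merely extends a disallowed one as a plain string (constructed example: a disallowed `io.kubernetes.cri-o.Foo` would match an allowed `io.kubernetes.cri-o.FooBar`); a `break` right after the `delete` removes the redundant passes, and if the per-container form is always `<key>.<name>` as the new bats test suggests, `if ann == d || strings.HasPrefix(ann, d+".") {` would make the match exact — confirm against the full annotation list before tightening, since the current over-filtering is at least fail-closed. The commit adds only an integration test; a table-driven unit test for FilterDisallowedAnnotations in pkg/config that passes a prefixed key and asserts it is removed while the bare allowed key survives would pin this regression far more cheaply and run without a live cri-o. FilterDisallowedAnnotations starts before this hunk and `disallowed` is computed outside it.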
@@ -327,3 +327,18 @@ function check_conmon_fields() {
 df=$(crictl exec --sync "$ctr_id" df | grep /dev/shm)
 [[ "$df" == *'16384'* ]]
 }
+
+@test "test workload pod should not be set if annotation not specified even if prefix" {
+ start_crio
+
+ jq ' .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
+ .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
+ "$TESTDATA"/sandbox_config.json > "$sboxconfig"
+
+ jq ' .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
+ .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
+ "$TESTDATA"/container_sleep.json > "$ctrconfig"
+
+ ctr_id=$(crictl run "$ctrconfig" "$sboxconfig")
+ [[ $(crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max) != 4294967296 ]]
+}
-- 
2.40.0
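Review bot: The final assertion on `crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max` passes vacuously when the exec itself fails — on a host without unified cgroups that file does not exist, the command substitution yields an empty string, and `"" != 4294967296` is true — so the test cannot tell "annotation was filtered" from "exec broke". Capture the status explicitly, e.g. `run crictl exec --sync "$ctr_id" cat /sys/fs/cgroup/memory.max`, `[ "$status" -eq 0 ]`, `[[ "$output" != 4294967296 ]]`, which also matches the `--sync` form the preceding test uses in the context line above; a skip for non-unified cgroup hosts is probably needed, as other tests in this file presumably do. The test name reads awkwardly; `"test workload: prefixed UnifiedCgroup annotation is dropped when not in allowed_annotations"` states what is checked.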