From 5faee5d82556a6bf4dd1144d2a86e70d097ab200 Mon Sep 17 00:00:00 2001
From: Peter Hunt <pehunt@redhat.com>
Date: Thu, 7 Dec 2023 16:07:12 -0500
Subject: [PATCH] allowed annotations: correctly filter prefixed annotations

without this fix, a pod is able to use experimental annotations whose keys start with a disallowed annotation (for example a per-container key such as io.kubernetes.cri-o.UnifiedCgroup.<container name>), because the filter deleted the disallowed prefix instead of the matching key.
The most problematic of these is io.kubernetes.cri-o.UnifiedCgroup, which allows a user to arbitrarily
change the resources of the pod, potentially leading to OOM.

Fixes CVE-2023-6476

Signed-off-by: Peter Hunt <pehunt@redhat.com>

CVE: CVE-2023-6476

Upstream-Status: Backport [https://github.com/cri-o/cri-o/commit/5faee5d82556a6bf4dd1144d2a86e70d097ab200]

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 pkg/config/workloads.go |  2 +-
 test/workloads.bats     | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/pkg/config/workloads.go b/pkg/config/workloads.go
index d5eeaf1ef..37a22fe76 100644
--- a/pkg/config/workloads.go
+++ b/pkg/config/workloads.go
@@ -102,7 +102,7 @@ func (w Workloads) FilterDisallowedAnnotations(allowed []string, toFilter map[st
	for ann := range toFilter {
		for _, d := range disallowed {
			if strings.HasPrefix(ann, d) {
-				delete(toFilter, d)
+				delete(toFilter, ann)
			}
		}
	}
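Review bot: The match on `strings.HasPrefix(ann, d)` also strips any annotation whose key merely begins with a disallowed key (a disallowed `io.kubernetes.cri-o.Foo` would remove an allowed `io.kubernetes.cri-o.FooBar`), so a workload that permits one but not the other silently loses the permitted one. Failing closed is the safer direction for a security filter, but if that is the intent a comment should say so; otherwise match on `ann == d || strings.HasPrefix(ann, d+".")` so only the per-container suffix form is caught. Once a key has been deleted there is no reason to keep comparing it against the remaining disallowed entries, so a `break` after `delete(toFilter, ann)` would make the loop's intent explicit. Deleting from a map while ranging over it is well defined in Go, so the corrected `delete(toFilter, ann)` is safe as written; FilterDisallowedAnnotations' signature and the construction of `disallowed` lie outside the hunk.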
diff --git a/test/workloads.bats b/test/workloads.bats
index 6102d6326..0f4d6e4f0 100644
--- a/test/workloads.bats
+++ b/test/workloads.bats
@@ -327,3 +327,18 @@ function check_conmon_fields() {
	df=$(crictl exec --sync "$ctr_id" df | grep /dev/shm)
	[[ "$df" == *'16384'* ]]
 }
+
+@test "test workload pod should not be set if annotation not specified even if prefix" {
+	start_crio
+
+	jq '   .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
+	  .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
+	"$TESTDATA"/sandbox_config.json > "$sboxconfig"
+
+	jq '   .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
+	  .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
+	"$TESTDATA"/container_sleep.json > "$ctrconfig"
+
+	ctr_id=$(crictl run "$ctrconfig" "$sboxconfig")
+	[[ $(crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max) != 4294967296 ]]
+}
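Review bot: The assertion `[[ $(crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max) != 4294967296 ]]` on the last line passes vacuously whenever the exec fails or prints nothing (for example on a cgroup v1 host, where /sys/fs/cgroup/memory.max does not exist), so a regression that breaks the container or a run on the wrong cgroup version would still be green. Capture the command with bats' `run` and check both the exit status and the value: `run crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max`, `[[ "$status" -eq 0 ]]`, `[[ "$output" != "4294967296" ]]`. It would also help to state in a comment that the test relies on the default workload configuration not allowing `io.kubernetes.cri-o.UnifiedCgroup` for this pod, since nothing in the test sets that up explicitly; presumably the surrounding tests do, but that is not visible in the hunk.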
--
2.40.0