This commit fixes CVE-2017-14992, which allowed a maliciously \0-padded archive to consume all available RAM, causing a DoS by making the host unresponsive. The fix reads the padding bytes in chunks.
Change-Id: Ifee53a4963531b7be0f59bd8a44e903f976fd1ad
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/5477
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Sharath George
| 1 | 1 |
new file mode 100644 |
@@ -0,0 +1,72 @@ |
| 0 |
+diff -ru docker-ce/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go docker-ce-modified/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go |
|
| 1 |
+--- docker-ce/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go 2017-07-14 20:34:55.000000000 -0700 |
|
| 2 |
+@@ -2,7 +2,6 @@ |
|
| 3 |
+ |
|
| 4 |
+ import ( |
|
| 5 |
+ "io" |
|
| 6 |
+- "io/ioutil" |
|
| 7 |
+ |
|
| 8 |
+ "github.com/vbatts/tar-split/archive/tar" |
|
| 9 |
+ "github.com/vbatts/tar-split/tar/storage" |
|
| 10 |
+@@ -119,20 +118,34 @@ |
|
| 11 |
+ } |
|
| 12 |
+ } |
|
| 13 |
+ |
|
| 14 |
+- // it is allowable, and not uncommon that there is further padding on the |
|
| 15 |
+- // end of an archive, apart from the expected 1024 null bytes. |
|
| 16 |
+- remainder, err := ioutil.ReadAll(outputRdr) |
|
| 17 |
+- if err != nil && err != io.EOF {
|
|
| 18 |
+- pW.CloseWithError(err) |
|
| 19 |
+- return |
|
| 20 |
+- } |
|
| 21 |
+- _, err = p.AddEntry(storage.Entry{
|
|
| 22 |
+- Type: storage.SegmentType, |
|
| 23 |
+- Payload: remainder, |
|
| 24 |
+- }) |
|
| 25 |
+- if err != nil {
|
|
| 26 |
+- pW.CloseWithError(err) |
|
| 27 |
+- return |
|
| 28 |
++ // It is allowable, and not uncommon that there is further padding on |
|
| 29 |
++ // the end of an archive, apart from the expected 1024 null bytes. We |
|
| 30 |
++ // do this in chunks rather than in one go to avoid cases where a |
|
| 31 |
++ // maliciously crafted tar file tries to trick us into reading many GBs |
|
| 32 |
++ // into memory. |
|
| 33 |
++ const paddingChunkSize = 1024 * 1024 |
|
| 34 |
++ var paddingChunk [paddingChunkSize]byte |
|
| 35 |
++ for {
|
|
| 36 |
++ var isEOF bool |
|
| 37 |
++ n, err := outputRdr.Read(paddingChunk[:]) |
|
| 38 |
++ if err != nil {
|
|
| 39 |
++ if err != io.EOF {
|
|
| 40 |
++ pW.CloseWithError(err) |
|
| 41 |
++ return |
|
| 42 |
++ } |
|
| 43 |
++ isEOF = true |
|
| 44 |
++ } |
|
| 45 |
++ _, err = p.AddEntry(storage.Entry{
|
|
| 46 |
++ Type: storage.SegmentType, |
|
| 47 |
++ Payload: paddingChunk[:n], |
|
| 48 |
++ }) |
|
| 49 |
++ if err != nil {
|
|
| 50 |
++ pW.CloseWithError(err) |
|
| 51 |
++ return |
|
| 52 |
++ } |
|
| 53 |
++ if isEOF {
|
|
| 54 |
++ break |
|
| 55 |
++ } |
|
| 56 |
+ } |
|
| 57 |
+ pW.Close() |
|
| 58 |
+ }() |
|
| 59 |
+diff -ru docker-ce/components/engine/vendor.conf docker-ce-modified/components/engine/vendor.conf |
|
| 60 |
+--- docker-ce/components/engine/vendor.conf 2017-07-14 20:34:55.000000000 -0700 |
|
| 61 |
+@@ -50,7 +50,7 @@ |
|
| 62 |
+ |
|
| 63 |
+ # get graph and distribution packages |
|
| 64 |
+ github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621 |
|
| 65 |
+-github.com/vbatts/tar-split v0.10.1 |
|
| 66 |
++github.com/vbatts/tar-split v0.10.2 |
|
| 67 |
+ github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb |
|
| 68 |
+ |
|
| 69 |
+ # get go-zfs packages |
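Review bot: The chunked loop at `for {` bounds only the in-flight buffer; each 1 MiB chunk is still passed to `p.AddEntry` as its own SegmentType entry, so an archive with many GBs of trailing padding still pushes an unbounded total volume into the Packer, and whether that is bounded depends on the Packer implementation, which is not visible here. The comment block above the loop should say so, e.g. `// Only the in-flight buffer is bounded; all padding is still forwarded to the packer as segment entries.` A `Read` that returns `n == 0` with a nil error also emits an empty segment entry each time; guarding with `if n > 0 || isEOF {` before the AddEntry call avoids that while keeping the single final entry the old ReadAll path always produced. The enclosing goroutine (closed by `}()`) starts outside the hunk. The `+++` lines of both embedded diffs do not appear on this rendered page, which may be a display artifact, but it is worth confirming the patch file applies with `-p2` as the spec expects.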
@@ -4,7 +4,7 @@ |
| 4 | 4 |
Summary: Docker |
| 5 | 5 |
Name: docker |
| 6 | 6 |
Version: 17.06.0 |
| 7 |
-Release: 5%{?dist}
|
|
| 7 |
+Release: 6%{?dist}
|
|
| 8 | 8 |
License: ASL 2.0 |
| 9 | 9 |
URL: http://docs.docker.com |
| 10 | 10 |
Group: Applications/File |
@@ -27,6 +27,7 @@ Source5: https://github.com/cpuguy83/go-md2man/tree/go-md2man-a65d4d2.tar |
| 27 | 27 |
%define sha1 go-md2man=e3d0865c583150f7c76e385a8b4a3f2432ca8ad8 |
| 28 | 28 |
Source6: default-disable.preset |
| 29 | 29 |
Patch0: remove-firewalld.patch |
| 30 |
+Patch1: CVE-2017-14992.patch |
|
| 30 | 31 |
|
| 31 | 32 |
BuildRequires: systemd |
| 32 | 33 |
BuildRequires: systemd-devel |
@@ -76,6 +77,7 @@ ln -s docker-ce/components/engine engine |
| 76 | 76 |
ln -s docker-ce/components/packaging packaging |
| 77 | 77 |
|
| 78 | 78 |
%patch0 -p2 |
| 79 |
+%patch1 -p2 |
|
| 79 | 80 |
|
| 80 | 81 |
mkdir -p /go/src/github.com |
| 81 | 82 |
cd /go/src/github.com |
@@ -223,6 +225,8 @@ rm -rf %{buildroot}/*
|
| 223 | 223 |
%{_datadir}/vim/vimfiles/syntax/dockerfile.vim
|
| 224 | 224 |
|
| 225 | 225 |
%changelog |
| 226 |
+* Wed Aug 08 2018 Dweep Advani <dadvani@vmware.com> 17.06.0-6 |
|
| 227 |
+- Patching for CVE-2017-14992 |
|
| 226 | 228 |
* Wed Jul 25 2018 Keerthana K <keerthanak@vmware.com> 17.06.0-5 |
| 227 | 229 |
- Updated BuildTags to include apparmor. |
| 228 | 230 |
* Fri Sep 22 2017 Bo Gan <ganb@vmware.com> 17.06.0-4 |