Files
runc/libcontainer/specconv
Aleksa Sarai dde509df4e specconv: do not permit null bytes in mount fields
Using null bytes as control characters for sending strings via netlink
opens us up to a user explicitly putting a null byte in a mount string
(which JSON will happily let you do) and then causing us to open a mount
path different to the one expected.

In practice this is more of an issue in an environment such as
Kubernetes where you may have path-based access control policies (which
are more susceptible to these kinds of flaws).

Found by Google Project Zero.

Fixes: 9c444070ec ("Open bind mount sources from the host userns")
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2021-11-19 11:41:05 +11:00
..
2021-04-20 12:35:40 -07:00
2021-11-17 17:32:28 -08:00