Fix denial of service with large numbers in cpuset-cpus and cpuset-mems #37967
ping @justincormack @AkihiroSuda @vdemeester PTAL 🤗
pkg/parsers/parsers.go
@@ -31,7 +32,7 @@ func ParseKeyValueOpt(opt string) (string, string, error) { | |||
// 03,1-3 <- this is gonna get parsed as [1,2,3] | |||
// 3,2,1 | |||
// 0-2,3,1 | |||
func ParseUintList(val string) (map[int]bool, error) { | |||
func ParseUintList(val string, maximum int) (map[int]bool, error) { |
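Review bot: the doc comment above `ParseUintList` still only lists the accepted input forms and does not mention the new `maximum` argument on the changed signature line; say whether the bound is inclusive and what is returned when a value exceeds it. Adding a parameter to an exported function also breaks every existing caller of `ParseUintList(val)`, so consider leaving this signature alone and putting the limit in a separate function that this one can call.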
Should we keep the signature (for not breaking downstream dependencies) and add a new method `ParseUintListMaximum` or something?
Ah, yes; I could add a new one.
Codecov Report
@@ Coverage Diff @@
## master #37967 +/- ##
=========================================
Coverage ? 36.1%
=========================================
Files ? 610
Lines ? 45155
Branches ? 0
=========================================
Hits ? 16302
Misses ? 26612
Partials ? 2241
@vdemeester pushed an extra commit; if it looks good, I'll squash, and update my backports 😅
8e3f241 to 20bee7b
LGTM 🐯
Using a value such as `--cpuset-mems=1-9223372036854775807` would cause `dockerd` to run out of memory allocating a map of the values in the validation code. Set limits to the normal limit of the number of CPUs, and improve the error handling.

Reported by Huawei PSIRT.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
20bee7b to f8e876d
Squashed; this should be ready to go ping @justincormack PTAL
LGTM
Backport of moby#37967

Fix BZ https://bugzilla.redhat.com/show_bug.cgi?id=1666565

Signed-off-by: Antonio Murdaca <runcom@linux.com>
Using a value such as `--cpuset-mems=1-9223372036854775807` would cause `dockerd` to run out of memory allocating a map of the values in the validation code. Set limits to the normal limit of the number of CPUs, and improve the error handling.

Reported by Huawei PSIRT.