Port parsing can overflow (TOB-K8S-015: Overflows when using strconv.Atoi and downcasting the result) #81121
This issue was reported in the Kubernetes Security Audit Report
Figure 13.1: pkg/cloudprovider/providers/azure/azure_managedDiskController.go:105
Additionally, there are many code paths that parse ports, and do so differently and in a manner lacking checks for a proper port range. An example of this has been identified within kubectl when handling port values.
Kubectl has the ability to expose particular Pod ports through the use of kubectl expose. This command uses the function updatePodPorts, which uses strconv.Atoi to parse a string into an integer, then downcasts it to an int32 (Figure 2).
Figure 13.2: Relevant snippet of the updatePodPorts function.
This error has been operationalized into a crash within kubectl when overflowing provided ports. Starting with a standard deployment with no services, we can observe the expected behavior (Figure 3).
Figure 13.3: The deployment spec with service and Pod status.
To trigger the overflow, we can now update the deployment through the kubectl expose command with an overflown port, overflowing from 4294967377 to 81 (Figure 4).
Figure 13.4: Overflowing the port parameter.
We are now able to observe this overflown port when listing the services with kubectl get services (Figure 5). We are also able to access the service on the overflown port (Figure 6).
Figure 13.5: The overflown port got exposed.
Figure 13.6: The result of curling the overflown service port.
Furthering this issue, we are able to also overflow the target port. After deleting the service, we can attempt to overflow the target port as well, which will result in a panic in kubectl (Figure 7 and 8).
Figure 13.7: The deletion of the deployment.
Figure 13.8: The panic in kubectl when overflowing the target port.
Despite the panic from kubectl (visible in Figure 8), the service is still exposed (Figure 9) and accessible (Figure 10).
Figure 13.9: The service is exposed despite the kubectl panic and overflow.
Figure 13.10: The service is also accessible after overflow.
Long term, ensure the validity of data and types. Parse and validate values with common functions. For example, the ParsePort (cmd/kubeadm/app/util/endpoint.go:117) utility function parses and validates TCP port values, but it is not well used across the codebase.
Anything else we need to know?:
See #81146 for current status of all issues created from these findings.
The vendor gave this issue an ID of TOB-K8S-015 and it was finding 13 of the report.
The vendor considers this issue Medium Severity.
To view the original finding, begin on page 42 of the Kubernetes Security Review Report.
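The two halves of the finding side by side, as an added example that is not code from the report or from Kubernetes: a legacy parser that mirrors the strconv.Atoi-then-int32 pattern the report describes, next to a hypothetical ParsePort (a stand-in written here, not the kubeadm helper the report names) that uses strconv.ParseInt with a 32-bit size and an explicit 1-65535 range check. The wrap from 4294967377 to 81 assumes a 64-bit int, as on the platforms where the report's kubectl runs; on a 32-bit build Atoi itself would already fail.

```go
package main

import (
	"fmt"
	"strconv"
)

// legacyPort mirrors the pattern the audit describes: strconv.Atoi followed by
// an unchecked conversion to int32. On a 64-bit platform int is 64 bits wide,
// so a value above math.MaxInt32 parses fine and then silently wraps instead
// of being rejected.
func legacyPort(s string) (int32, error) {
	port, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	return int32(port), nil // truncates: 4294967377 becomes 81 on 64-bit int
}

// ParsePort is a hypothetical hardened replacement (assumed here, not the
// kubeadm utility or the kubernetes/utils function). ParseInt with bitSize 32
// returns strconv.ErrRange for anything that does not fit in int32, and the
// explicit bounds check rejects 0, negatives and values above 65535, which
// all fit in int32 but are not valid TCP ports.
func ParsePort(s string) (int32, error) {
	v, err := strconv.ParseInt(s, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid port %q: %w", s, err)
	}
	if v < 1 || v > 65535 {
		return 0, fmt.Errorf("port %d out of range 1-65535", v)
	}
	return int32(v), nil
}

func main() {
	// Constructed sample inputs: a normal port, the report's overflow value,
	// two in-int32-but-not-a-port values, and a non-numeric string.
	for _, in := range []string{"80", "4294967377", "65536", "0", "-1", "abc"} {
		lp, lerr := legacyPort(in)
		hp, herr := ParsePort(in)
		fmt.Printf("%-12s legacy=%d err=%v | hardened=%d err=%v\n", in, lp, lerr, hp, herr)
	}
}
```

The bitSize argument alone is not enough: 65536 fits comfortably in an int32, so the range check is what turns "fits in the type" into "is a port". Checking both at the parse site is what the report's recommendation to route every port through one shared function buys.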
It looks like @vegemitecheesetoast poked first, so please give them a while to have first crack at it. Thanks! Who knew there was so much pent up demand to contribute! I will make it my personal mission to file more good-first-issue issues. Tim…
On Sat, Aug 10, 2019, 10:12 AM elieser1101 wrote: i would like to work on this, let me know if you still need help!
I ran a little variant analysis of this bug class on kubernetes and all their staging packages and I thought you might find the result useful:
"call to Atoi","Atoi() used in combination of a int wrapper could cause overflow - ","/home/nico/Semmle/Projects/Kubernetes/staging/apimachinery/revision-2019-August-10--09-40-29/src/pkg/util/intstr/intstr.go@63:46-63:48"
thockin@ let me know that we've added a util function for this: kubernetes/utils#107
Step one is to re-vendor this lib and then use that function:
I'm still trying to work out what re-vendoring is and figure out how to do this. Will report back in a few days when I get some progress.