-rw-r--r-- | g3doc/user_guide/FAQ.md | 2 | ||||
-rw-r--r-- | g3doc/user_guide/containerd/quick_start.md | 3 | ||||
-rw-r--r-- | website/blog/2020-09-18-containing-a-real-vulnerability.md | 9 |
3 files changed, 10 insertions, 4 deletions
diff --git a/g3doc/user_guide/FAQ.md b/g3doc/user_guide/FAQ.md
index 514fe3918..69033357c 100644
--- a/g3doc/user_guide/FAQ.md
+++ b/g3doc/user_guide/FAQ.md
@@ -111,7 +111,7 @@ Please recreate your cluster and set the `--cni-socket` option on kubeadm
 commands. For example:
 
 ```bash
-kubeadm init --cni-socket=/var/run/containerd/containerd.sock` ...
+kubeadm init --cni-socket=/var/run/containerd/containerd.sock ...
 ```
 
 To fix an existing cluster edit the `/var/lib/kubelet/kubeadm-flags.env` file
diff --git a/g3doc/user_guide/containerd/quick_start.md b/g3doc/user_guide/containerd/quick_start.md
index 2f67eecb3..b6a3186d8 100644
--- a/g3doc/user_guide/containerd/quick_start.md
+++ b/g3doc/user_guide/containerd/quick_start.md
@@ -3,6 +3,9 @@
 This document describes how to install and configure `containerd-shim-runsc-v1`
 using the containerd runtime handler support on `containerd` 1.2 or later.
 
+> ⚠️ NOTE: If you are using Kubernetes and set up your cluster using kubeadm you
+> may run into issues. See the [FAQ](../FAQ.md#runtime-handler) for details.
+
 ## Requirements
 
 - **runsc** and **containerd-shim-runsc-v1**: See the
diff --git a/website/blog/2020-09-18-containing-a-real-vulnerability.md b/website/blog/2020-09-18-containing-a-real-vulnerability.md
index c1b06a996..8a6f7bbf1 100644
--- a/website/blog/2020-09-18-containing-a-real-vulnerability.md
+++ b/website/blog/2020-09-18-containing-a-real-vulnerability.md
@@ -48,7 +48,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 po->tp_reserve;
 } else {
 unsigned int maclen = skb_network_offset(skb);
- // tp_reserve is unsigned int, netoff is unsigned short. Addition can overflow netoff
+ // tp_reserve is unsigned int, netoff is unsigned short.
+ // Addition can overflow netoff
 netoff = TPACKET_ALIGN(po->tp_hdrlen +
 (maclen < 16 ? 16 : maclen)) +
 po->tp_reserve;
@@ -56,11 +57,13 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 netoff += sizeof(struct virtio_net_hdr);
 do_vnet = true;
 }
- // Attacker controls netoff and can make macoff be smaller than sizeof(struct virtio_net_hdr)
+ // Attacker controls netoff and can make macoff be smaller
+ // than sizeof(struct virtio_net_hdr)
 macoff = netoff - maclen;
 }
 // ...
- // "macoff - sizeof(struct virtio_net_hdr)" can be negative, resulting in a pointer before h.raw
+ // "macoff - sizeof(struct virtio_net_hdr)" can be negative,
+ // resulting in a pointer before h.raw
 if (do_vnet &&
 virtio_net_hdr_from_skb(skb, h.raw + macoff -
 sizeof(struct virtio_net_hdr),
|