Diffstat (limited to 'website')
-rw-r--r-- | website/BUILD | 12 | ||||
-rw-r--r-- | website/blog/2020-09-18-containing-a-real-vulnerability.md | 9 | ||||
-rwxr-xr-x | website/import.sh | 27 |
3 files changed, 11 insertions, 37 deletions
diff --git a/website/BUILD b/website/BUILD
index 6d92d9103..f3642b903 100644
--- a/website/BUILD
+++ b/website/BUILD
@@ -1,17 +1,15 @@
 load("//tools:defs.bzl", "bzl_library", "pkg_tar")
 load("//website:defs.bzl", "doc", "docs")
+load("//images:defs.bzl", "docker_image")
 
 package(licenses = ["notice"])
 
-# website is the full container image. Note that this actually just collects
-# other dependendcies and runs Docker locally to import and tag the image.
-sh_binary(
+docker_image(
     name = "website",
-    srcs = ["import.sh"],
     data = [":files"],
-    tags = [
-        "local",
-        "manual",
+    statements = [
+        "EXPOSE 8080/tcp",
+        'ENTRYPOINT ["/server"]',
     ],
 )
 
diff --git a/website/blog/2020-09-18-containing-a-real-vulnerability.md b/website/blog/2020-09-18-containing-a-real-vulnerability.md
index c1b06a996..8a6f7bbf1 100644
--- a/website/blog/2020-09-18-containing-a-real-vulnerability.md
+++ b/website/blog/2020-09-18-containing-a-real-vulnerability.md
@@ -48,7 +48,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
              po->tp_reserve;
   } else {
     unsigned int maclen = skb_network_offset(skb);
-    // tp_reserve is unsigned int, netoff is unsigned short. Addition can overflow netoff
+    // tp_reserve is unsigned int, netoff is unsigned short.
+    // Addition can overflow netoff
     netoff = TPACKET_ALIGN(po->tp_hdrlen +
              (maclen < 16 ? 16 : maclen)) +
              po->tp_reserve;
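Review bot: The new `statements` list sets EXPOSE and ENTRYPOINT but no USER, so if `docker_image` in //images:defs.bzl emits these as image config the way the removed `docker import -c` flags did, `/server` will run as UID 0 inside the image; since it binds 8080, an unprivileged port, a non-root user should work. Consider adding `"USER 65534:65534",` immediately before the ENTRYPOINT line, or a comment on the target stating why root is required. The deleted `sh_binary` carried `local`/`manual` tags because it needed a Docker daemon at build time; whether `docker_image` still needs those tags under a plain `bazel build //website/...` cannot be seen from this hunk, as the rule's definition lives outside it, and is worth confirming before merging.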
@@ -56,11 +57,13 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
       netoff += sizeof(struct virtio_net_hdr);
       do_vnet = true;
     }
-    // Attacker controls netoff and can make macoff be smaller than sizeof(struct virtio_net_hdr)
+    // Attacker controls netoff and can make macoff be smaller
+    // than sizeof(struct virtio_net_hdr)
     macoff = netoff - maclen;
   }
   // ...
-  // "macoff - sizeof(struct virtio_net_hdr)" can be negative, resulting in a pointer before h.raw
+  // "macoff - sizeof(struct virtio_net_hdr)" can be negative,
+  // resulting in a pointer before h.raw
   if (do_vnet &&
       virtio_net_hdr_from_skb(skb, h.raw + macoff -
                               sizeof(struct virtio_net_hdr),
diff --git a/website/import.sh b/website/import.sh
deleted file mode 100755
index e1350e83d..000000000
--- a/website/import.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/bin/bash
-
-# Copyright 2018 The gVisor Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -xeuo pipefail
-
-if [[ -d $0.runfiles ]]; then
-  cd $0.runfiles
-fi
-
-exec docker import \
-  -c "EXPOSE 8080/tcp" \
-  -c "ENTRYPOINT [\"/server\"]" \
-  $(find . -name files.tgz) \
-  gvisor.dev/images/website