From 631dd5330d438729a7a8f6e00b279386924de640 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Tue, 13 Oct 2020 18:58:01 -0700
Subject: Various website fixes
- Formatting on the most recent blog post
- Add a link to faq from containerd docs
- Fix code in FAQ
PiperOrigin-RevId: 337001738
---
g3doc/user_guide/FAQ.md | 2 +-
g3doc/user_guide/containerd/quick_start.md | 3 +++
website/blog/2020-09-18-containing-a-real-vulnerability.md | 9 ++++++---
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/g3doc/user_guide/FAQ.md b/g3doc/user_guide/FAQ.md
index 514fe3918..69033357c 100644
--- a/g3doc/user_guide/FAQ.md
+++ b/g3doc/user_guide/FAQ.md
@@ -111,7 +111,7 @@ Please recreate your cluster and set the `--cni-socket` option on kubeadm
commands. For example:
```bash
-kubeadm init --cni-socket=/var/run/containerd/containerd.sock` ...
+kubeadm init --cni-socket=/var/run/containerd/containerd.sock ...
```
To fix an existing cluster edit the `/var/lib/kubelet/kubeadm-flags.env` file
diff --git a/g3doc/user_guide/containerd/quick_start.md b/g3doc/user_guide/containerd/quick_start.md
index 2f67eecb3..b6a3186d8 100644
--- a/g3doc/user_guide/containerd/quick_start.md
+++ b/g3doc/user_guide/containerd/quick_start.md
@@ -3,6 +3,9 @@
This document describes how to install and configure `containerd-shim-runsc-v1`
using the containerd runtime handler support on `containerd` 1.2 or later.
+> ⚠️ NOTE: If you are using Kubernetes and set up your cluster using kubeadm you
+> may run into issues. See the [FAQ](../FAQ.md#runtime-handler) for details.
+
## Requirements
- **runsc** and **containerd-shim-runsc-v1**: See the
diff --git a/website/blog/2020-09-18-containing-a-real-vulnerability.md b/website/blog/2020-09-18-containing-a-real-vulnerability.md
index c1b06a996..8a6f7bbf1 100644
--- a/website/blog/2020-09-18-containing-a-real-vulnerability.md
+++ b/website/blog/2020-09-18-containing-a-real-vulnerability.md
@@ -48,7 +48,8 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
po->tp_reserve;
} else {
unsigned int maclen = skb_network_offset(skb);
- // tp_reserve is unsigned int, netoff is unsigned short. Addition can overflow netoff
+ // tp_reserve is unsigned int, netoff is unsigned short.
+ // Addition can overflow netoff
netoff = TPACKET_ALIGN(po->tp_hdrlen + (maclen < 16 ? 16 : maclen)) + po->tp_reserve;
@@ -56,11 +57,13 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
netoff += sizeof(struct virtio_net_hdr);
do_vnet = true;
}
- // Attacker controls netoff and can make macoff be smaller than sizeof(struct virtio_net_hdr)
+ // Attacker controls netoff and can make macoff be smaller
+ // than sizeof(struct virtio_net_hdr)
macoff = netoff - maclen;
}
// ...
- // "macoff - sizeof(struct virtio_net_hdr)" can be negative, resulting in a pointer before h.raw
+ // "macoff - sizeof(struct virtio_net_hdr)" can be negative,
+ // resulting in a pointer before h.raw
if (do_vnet && virtio_net_hdr_from_skb(skb, h.raw + macoff - sizeof(struct virtio_net_hdr),
--
cgit v1.2.3