hadoop-yarn-issues mailing list archives

From "Jason Lowe (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (YARN-8207) Docker container launch use popen have risk of shell expansion
Date Fri, 04 May 2018 14:35:00 GMT

    [ https://issues.apache.org/jira/browse/YARN-8207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16463950#comment-16463950 ]

Jason Lowe commented on YARN-8207:

bq. Args is array of strings. Null terminator is not required for array when we have length
of the array.

construct_docker_command may use an args structure internally, but it simply returns a char**
as a result with no specified length.  The code then passes that to execvp which needs the
NULL pointer terminator to know when the argument list ends (see the execvp manpage for details).

bq. Hence checking length > DOCKER_ARGS_MAX is fine.

No, it's not.  It's an off-by-one error.  reset_args only allocates DOCKER_ARGS_MAX elements
in the array.  add_to_args checks for out-of-bounds by checking index > DOCKER_ARGS_MAX.
 If index == DOCKER_ARGS_MAX then the bounds check will pass and the code will assign a value
to out[DOCKER_ARGS_MAX].  That store will then corrupt the heap as the memory allocated only
has space for DOCKER_ARGS_MAX elements in the array.

> Docker container launch use popen have risk of shell expansion
> --------------------------------------------------------------
>                 Key: YARN-8207
>                 URL: https://issues.apache.org/jira/browse/YARN-8207
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-native-services
>    Affects Versions: 3.0.0, 3.1.0, 3.0.1, 3.0.2
>            Reporter: Eric Yang
>            Assignee: Eric Yang
>            Priority: Major
>              Labels: Docker
>         Attachments: YARN-8207.001.patch, YARN-8207.002.patch, YARN-8207.003.patch, YARN-8207.004.patch,
> Container-executor code utilizes a string buffer to construct the docker run command, and
> passes the string buffer to popen for execution.  Popen spawns a shell to run the command.  Some
> arguments for docker run are still vulnerable to shell expansion.  The possible solution is
> to convert from char * buffer to string array for execv to avoid shell expansion.

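The two points made in the comment above (the `>` versus `>=` bounds check and the NULL terminator that execvp needs), as an added C example that is not part of the original message and is not the container-executor code. The struct, the function names and the small `ARGS_MAX` value are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define ARGS_MAX 4 /* constructed small limit standing in for DOCKER_ARGS_MAX */

/* Hypothetical argument vector; these names are illustrative only. */
struct arg_vec {
    char **out; /* array that would be handed to execvp() */
    int index;  /* next free slot */
};

/* Bounds check as described above: only index > ARGS_MAX is rejected, so
 * index == ARGS_MAX passes although an ARGS_MAX-element array ends at
 * out[ARGS_MAX - 1]. Returns 1 when the check would let the store happen. */
static int flawed_check_accepts(int index) {
    return !(index > ARGS_MAX);
}

/* Allocate ARGS_MAX usable slots plus one reserved for the NULL terminator. */
static int vec_init(struct arg_vec *v) {
    v->out = calloc(ARGS_MAX + 1, sizeof(char *));
    v->index = 0;
    return v->out ? 0 : -1;
}

/* Hardened append: reject at index == ARGS_MAX and keep the list terminated. */
static int vec_add(struct arg_vec *v, char *arg) {
    if (v == NULL || v->out == NULL || arg == NULL)
        return -1;
    if (v->index >= ARGS_MAX) /* >= rather than > closes the off-by-one */
        return -1;
    v->out[v->index++] = arg;
    v->out[v->index] = NULL; /* in bounds: index <= ARGS_MAX, ARGS_MAX + 1 slots */
    return 0;
}

int main(void) {
    char *argv_in[] = {"docker", "run", "--rm", "image", "extra"}; /* constructed */
    struct arg_vec v;
    if (vec_init(&v) != 0)
        return 1;
    for (int i = 0; i < 5; i++)
        printf("add %-6s -> %d\n", argv_in[i], vec_add(&v, argv_in[i]));
    printf("flawed check accepts index %d: %d\n", ARGS_MAX, flawed_check_accepts(ARGS_MAX));
    free(v.out);
    return 0;
}
```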