Commit f12e6e1

chrootarchive: remove redundant "init" mitigation for CVE-2019-14271
This init was added in [a316b10] to prevent libraries being loaded in memory from an untrusted environment. Later mitigations added in [e9bbc41], and [2b4db93] (following implementation of https://go.dev/issue/50102 in go1.23) made this init redundant, but the original patch was left in-place.

In some situations, this init can cause delays, resulting in slow starts of containers;

    dockerd[165807]: init github.com/docker/docker/pkg/chrootarchive @11 ms, 20013 ms clock, 147808 bytes, 131 allocs

Further looking into the mitigation, it's debatable if the defence-in-depth adds much value (see [1]);

> From my point of view, the original fix (func init()) is only a workaround
> instead of a proper fix (avoid populating user/group names). NSS loads DSOs
> lazily, user.Lookup("docker") and net.LookupHost("localhost") cannot guarantee
> every DSO is loaded.
>
> For example, in a sane environment (/etc/hosts contains an entry for localhost),
> net.LookupHost("localhost") stops at libnss_files.so and will not load libnss_dns.so,
> which makes it almost useless because libnss_files.so was already loaded due
> to user.Lookup("docker").

This patch removes the init to prevent the possibility of adding delays, and because this mitigation became redundant.

[a316b10]: moby/moby@a316b10
[e9bbc41]: moby/moby@e9bbc41
[2b4db93]: moby/moby@2b4db93
[1]: moby/moby#44540 (comment)

Signed-off-by: Sebastiaan van Stijn <[email protected]>
1 parent 9ec1e6e commit f12e6e1
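The commit message's argument rests on an observable fact: glibc's NSS modules are mapped into the process lazily, so a single `user.Lookup` / `net.LookupHost` pair does not guarantee that every module a later lookup might need is already resident. The Go program below is an added example for verifying that claim on a host, not code from the moby project or this commit. It snapshots which `libnss_*` objects are mapped (read from `/proc/self/maps`, so Linux only) before and after each of the two lookups the removed `init()` performed, and reports what each one actually pulled in. The `nssLibsLoaded` parser is run against a constructed `/proc/self/maps` excerpt as well, so the parsing logic can be checked offline; the addresses, inode numbers and paths in that sample are made up.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"os/user"
	"sort"
	"strings"
)

// SampleMaps is a constructed /proc/self/maps excerpt (fake addresses and
// inodes) used to exercise the parser offline. It maps libc once and the
// libnss_files module twice (two segments of the same file), plus two
// anonymous mappings that carry no backing path.
const SampleMaps = `7f1c2a000000-7f1c2a021000 r--p 00000000 fd:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a100000-7f1c2a108000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libnss_files.so.2
7f1c2a200000-7f1c2a201000 rw-p 00000000 00:00 0
7f1c2a300000-7f1c2a30a000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libnss_files.so.2
7ffd2b000000-7ffd2b021000 rw-p 00000000 00:00 0 [stack]
`

// nssLibsLoaded parses /proc/<pid>/maps content and returns the sorted,
// de-duplicated basenames of every glibc NSS module (libnss_*.so*) that is
// mapped into the process. Each maps line is
// "addr perms offset dev inode [pathname]"; anonymous mappings have no sixth
// field and are skipped.
func nssLibsLoaded(maps io.Reader) []string {
	seen := map[string]bool{}
	sc := bufio.NewScanner(maps)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 6 {
			continue
		}
		path := fields[5]
		base := path[strings.LastIndex(path, "/")+1:]
		if strings.HasPrefix(base, "libnss_") && strings.Contains(base, ".so") {
			seen[base] = true
		}
	}
	out := make([]string, 0, len(seen))
	for name := range seen {
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

// newlyLoaded returns the modules present in after but absent from before,
// i.e. what a single lookup call actually caused the dynamic loader to map.
func newlyLoaded(before, after []string) []string {
	prev := map[string]bool{}
	for _, b := range before {
		prev[b] = true
	}
	var added []string
	for _, a := range after {
		if !prev[a] {
			added = append(added, a)
		}
	}
	return added
}

// snapshot reads the live process map; returns nil where /proc is unavailable.
func snapshot() []string {
	f, err := os.Open("/proc/self/maps")
	if err != nil {
		return nil
	}
	defer f.Close()
	return nssLibsLoaded(f)
}

func main() {
	base := snapshot()
	fmt.Println("at start:", base)

	// Same two calls the removed init() made, in the same order.
	_, _ = user.Lookup("docker")
	afterUser := snapshot()
	fmt.Println("user.Lookup added:", newlyLoaded(base, afterUser))

	_, _ = net.LookupHost("localhost")
	afterHost := snapshot()
	fmt.Println("net.LookupHost added:", newlyLoaded(afterUser, afterHost))
	fmt.Println("total NSS modules mapped:", afterHost)
}
```

On a cgo-enabled build where `/etc/hosts` resolves `localhost`, the second line typically prints an empty list, matching the quoted observation that `net.LookupHost("localhost")` stops at `libnss_files.so` (already mapped by the user lookup) and never touches `libnss_dns.so`; on a pure-Go build (`CGO_ENABLED=0`) no NSS module is mapped by either call, because Go's own resolver is used instead of glibc's.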

1 file changed (+0 −9 lines)


chrootarchive/archive_unix.go

Lines changed: 0 additions & 9 deletions
@@ -5,21 +5,12 @@ package chrootarchive
55
import (
66
"errors"
77
"io"
8-
"net"
9-
"os/user"
108
"path/filepath"
119
"strings"
1210

1311
"github.com/moby/go-archive"
1412
)
1513

16-
func init() {
17-
// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
18-
// environment not in the chroot from untrusted files.
19-
_, _ = user.Lookup("docker")
20-
_, _ = net.LookupHost("localhost")
21-
}
22-
2314
func invokeUnpack(decompressedArchive io.Reader, dest string, options *archive.TarOptions, root string) error {
2415
relDest, err := resolvePathInChroot(root, dest)
2516
if err != nil {
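Review bot: dropping `func init()` also removes the `net` and `os/user` imports, and nothing else in this hunk references them, so the file should still compile; but with the eager-loading hook gone, `invokeUnpack` carries no in-file note that loading NSS modules from the untrusted rootfs is now covered by the later mitigations the commit message cites ([e9bbc41], [2b4db93], and go1.23 via https://go.dev/issue/50102). Suggest a one-line comment above `invokeUnpack` pointing at those, so the `user.Lookup("docker")` / `net.LookupHost("localhost")` workaround is not reintroduced the next time this path is touched.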
