OpenVZ Forum

CVE-2016-7910 CVE-2016-7911 (Do these vulnerabilities affect simfs?)
CVE-2016-7910 CVE-2016-7911 [message #52660] Thu, 24 November 2016 09:07
wyckaoo
Hi, the CVE-2016-7910 and CVE-2016-7911 vulnerabilities are related to block devices.
As simfs is a layer between the node block device and the container, does it theoretically allow an escape from containers that are using simfs?
Re: CVE-2016-7910 CVE-2016-7911 [message #52661 is a reply to message #52660] Thu, 24 November 2016 09:58
vaverin
CVE-2016-7910 and CVE-2016-7911 are fixed because they are marked as critical in the Google security bulletin.
We do not understand how it is possible to use them to "execute arbitrary code within the context of the kernel."

Yes, theoretically it can allow a container escape,
and yes, I think simfs-based containers can be affected too.
However, I doubt that anyone outside Google understands how to exploit it in real life.
I am not even sure that Google knows it; probably it is just a theoretical possibility.

However, we think it can be used to crash the host from inside a container,
and that was enough for us to close this issue.

There are no corresponding bugs in Red Hat bugzilla.
There are bugs in Novell bugzilla, but their severity is quite low; they also do not see how it can be used to "gain privileges".

Thank you,
Vasily Averin