cve-2020-14386

Commits

List of commits on branch master.
Unverified
2c4c8ef41203b55336be71fc5d26445277be14b5

Add a wrapper script to clarify status, fix restartPolicy

cgwalters committed 4 years ago
Unverified
64cbd7a618642bab020ce7a5782a37aea60c9a1d

Add a

cgwalters committed 4 years ago
Verified
eaee1ba45a6d6e70d3615db1c902bcfa056c8889

Merge pull request #1 from mrunalp/entrypoint

cgwalters committed 4 years ago
Unverified
f5b454d9944f872fb1a09865afb5b06145438568

Use setcap and entrypoint in Dockerfile

mrunalp committed 4 years ago
Unverified
854008fb8075970ef17b247d0d57611efd717db0

Some Dockerfile fixes

cgwalters committed 4 years ago
Unverified
e8907f1e6ce2d0589baae246d0428091558573e3

README.md: Add usage

cgwalters committed 4 years ago

README

The README file for this repository.

Reproducer for CVE-2020-14386

Pre-built container: registry.svc.ci.openshift.org/coreos/cve-2020-14386

You probably want to test against an explicit node, like this:

apiVersion: v1
kind: Pod
metadata:
  name: cve-2020-14386
spec:
  restartPolicy: Never
  nodeName: <yournode>
  containers:
  - name: cve-2020-14386
    image: registry.svc.ci.openshift.org/coreos/cve-2020-14386
    imagePullPolicy: Always

Replace <yournode> with the particular node you want to validate, save the content above as pod.yaml, then run kubectl create -f pod.yaml. If your kernel is vulnerable, the node may crash or reboot; use e.g. kubectl get node/<nodename> to check whether the node goes NotReady and reboots.

If the node is not vulnerable, then kubectl logs pod/cve-2020-14386 will show something like:

Running reproducer for CVE-2020-14386 in 5s - this may crash the node
Reproducer exited successfully - node probably not vulnerable
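
An added example, not part of this repository: a shell helper that turns the checks described above into a single verdict for one run. It also compares the node's bootID (.status.nodeInfo.bootID) before and after the run, which catches a node that rebooted and returned to Ready between polls; the function name, verdict words and sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the repository): classify one reproducer run.
# Collect the inputs with kubectl before and after creating the pod, e.g.:
#   kubectl get node/<nodename> -o jsonpath='{.status.nodeInfo.bootID}'
#   kubectl get node/<nodename> \
#     -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}'
#   kubectl logs pod/cve-2020-14386

# Success line quoted in the README.
OK_LINE='Reproducer exited successfully - node probably not vulnerable'

# classify_run BOOT_BEFORE BOOT_AFTER READY_AFTER LOGS
# Prints one verdict word (hypothetical names):
#   rebooted      bootID changed, so the node restarted during the run
#   not-ready     node is not Ready (status False or Unknown) after the run
#   clean         node stayed up and the logs contain the success line
#   inconclusive  node stayed up but the success line is missing
classify_run() {
    boot_before=$1; boot_after=$2; ready_after=$3; logs=$4

    # A changed bootID proves a reboot even if the node is Ready again.
    if [ -n "$boot_before" ] && [ -n "$boot_after" ] &&
       [ "$boot_before" != "$boot_after" ]; then
        echo rebooted
        return 0
    fi

    # Anything other than "True" corresponds to the node showing NotReady.
    if [ "$ready_after" != "True" ]; then
        echo not-ready
        return 0
    fi

    # Node stayed up: only the README's success line counts as clean.
    case $logs in
        *"$OK_LINE"*) echo clean ;;
        *)            echo inconclusive ;;
    esac
}

# Constructed sample values, not real cluster output.
SAMPLE_LOGS='Running reproducer for CVE-2020-14386 in 5s - this may crash the node
Reproducer exited successfully - node probably not vulnerable'

classify_run boot-aaaa boot-aaaa True "$SAMPLE_LOGS"
classify_run boot-aaaa boot-bbbb True ""
```

Treat rebooted and not-ready as signs the node may be vulnerable, and rerun an inconclusive result once the pod has finished.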