
CVE-2019-5736: runc container breakout

Posted Feb 14, 2019 10:59 UTC (Thu) by ibukanov (subscriber, #3942)
In reply to: CVE-2019-5736: runc container breakout by wahern
Parent article: CVE-2019-5736: runc container breakout

The code in question is a part of a long-running application that has non-trivial persistent state, not a microservice or CGI script.

In Linux, realistically, when realloc returns NULL it is due to limits imposed on the application, not because the system is out of memory. Linux happily overcommits, and when the system does run out of memory, a process will be killed at an arbitrary point by the OOM killer. In a production system this should not happen, as it is extremely hard to write application code that does not corrupt its state if the app can be killed at any point.

But if an application hits a memory policy limit, then waiting for the limit to be lifted is a reasonable behavior. First, if the limit is imposed not on a single thread but on many threads/processes, then it makes sense to wait until the memory hog finishes. Second, many applications may still leave things in an inconsistent state if any memory allocation can call abort.
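The failure-handling pattern this comment argues for, shown as an added example that is not part of the original post or of runc's code: a growable buffer whose existing state is never touched when realloc fails, plus a bounded retry that waits for the limit to be lifted instead of calling abort. The limit itself is simulated: `realloc_limited` with its `g_budget` accounting is a constructed stand-in for RLIMIT_AS or a cgroup memory limit, and `buf_append_retry` and `demo_wait` are hypothetical helper names chosen for the demo.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a memory policy limit (RLIMIT_AS, cgroup memory.max):
 * once the accounted total would exceed g_budget, the allocator returns NULL
 * with errno == ENOMEM, which is what realloc does under such a limit. */
static size_t g_budget = 0;   /* bytes the simulated policy allows */
static size_t g_in_use = 0;   /* bytes currently accounted to this process */

static void *realloc_limited(void *old, size_t old_size, size_t new_size) {
    if (g_in_use - old_size + new_size > g_budget) {
        errno = ENOMEM;
        return NULL;          /* the old block is untouched and still valid */
    }
    void *p = realloc(old, new_size);
    if (p == NULL) return NULL;
    g_in_use = g_in_use - old_size + new_size;
    return p;
}

/* A growable buffer: the persistent state that must not be corrupted. */
typedef struct { char *data; size_t len; size_t cap; } buf_t;

/* Grow the buffer. On failure return -1 and leave *b exactly as it was:
 * b->data is only overwritten once realloc has actually succeeded. */
static int buf_reserve(buf_t *b, size_t want) {
    if (want <= b->cap) return 0;
    size_t newcap = b->cap ? b->cap : 16;
    while (newcap < want) {
        if (newcap > SIZE_MAX / 2) { errno = ENOMEM; return -1; }
        newcap *= 2;
    }
    char *p = realloc_limited(b->data, b->cap, newcap);
    if (p == NULL) return -1;
    b->data = p;
    b->cap = newcap;
    return 0;
}

/* Append n bytes; on failure the buffer contents and length are unchanged. */
static int buf_append(buf_t *b, const char *s, size_t n) {
    if (buf_reserve(b, b->len + n) != 0) return -1;
    memcpy(b->data + b->len, s, n);
    b->len += n;
    return 0;
}

/* Append with retry: on ENOMEM call wait_fn (in production it would sleep or
 * block until the limit is raised or the memory hog finishes) and try again,
 * at most max_tries times. Exhaustion or any other error is reported to the
 * caller rather than aborting, so the state stays consistent either way. */
static int buf_append_retry(buf_t *b, const char *s, size_t n,
                            int max_tries, void (*wait_fn)(int attempt)) {
    for (int attempt = 1; attempt <= max_tries; attempt++) {
        if (buf_append(b, s, n) == 0) return 0;
        if (errno != ENOMEM) return -1;
        wait_fn(attempt);
    }
    errno = ENOMEM;
    return -1;
}

/* Demo wait function: pretends the limit is lifted on the third attempt. */
static void demo_wait(int attempt) {
    if (attempt == 3) g_budget = 1024;
}

/* Runs the scenario end to end; returns 0 if every check holds. */
static int run_demo(void) {
    g_budget = 24; g_in_use = 0;              /* tight constructed limit */
    buf_t b = { NULL, 0, 0 };
    if (buf_append(&b, "hello", 5) != 0) return 1;            /* cap 16 */
    /* Needs cap 32 -> 32 accounted bytes > budget of 24: must fail cleanly. */
    if (buf_append(&b, "0123456789ABCDEF", 16) != -1 || errno != ENOMEM) return 2;
    if (b.len != 5 || b.cap != 16 || memcmp(b.data, "hello", 5) != 0) return 3;
    /* Two tries are not enough: still fails, state still intact. */
    if (buf_append_retry(&b, "0123456789ABCDEF", 16, 2, demo_wait) != -1) return 4;
    if (b.len != 5 || memcmp(b.data, "hello", 5) != 0) return 5;
    /* With room for the third attempt the limit is lifted and data survives. */
    if (buf_append_retry(&b, "0123456789ABCDEF", 16, 5, demo_wait) != 0) return 6;
    if (b.len != 21 || memcmp(b.data, "hello0123456789ABCDEF", 21) != 0) return 7;
    free(b.data);
    return 0;
}

int main(void) {
    printf("demo result: %d\n", run_demo());
    return 0;
}
```

The two properties worth keeping apart are visible in `buf_reserve` and `buf_append_retry`: the first guarantees that a NULL from realloc leaves the old pointer, length and contents untouched, and the second decides policy (wait and retry, or report to the caller) without ever calling abort.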


Copyright © 2026, Eklektix, Inc.