diff --git a/containerd.spec b/containerd.spec
index c2e3da8ec99f4256f65c0ed6a2864de39f362fe0..07d5f03f9ed2418ae37e0f45ca8a13ec970959c1 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.2.0
 Name: containerd
-Release: 202
+Release: 203
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -41,6 +41,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
 %{_bindir}/containerd-shim
 
 %changelog
+* Mon Jul 4 2022 zhongjiawei - 1.2.0-203
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: Limit the response size of ExecSync to fix CVE-2022-31030
+
 * Tue Apr 26 2022 xiadanni - 1.2.0-202
 - Type:bugfix
 - ID:NA
diff --git a/patch/0070-containerd-Limit-the-response-size-of-ExecSync.patch b/patch/0070-containerd-Limit-the-response-size-of-ExecSync.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e17da504341a2c32c9f7a0233b29e1c22651439f
--- /dev/null
+++ b/patch/0070-containerd-Limit-the-response-size-of-ExecSync.patch
@@ -0,0 +1,133 @@
+From cf3bde2b5a78d7ba8773eadcc3b28dfb0001aee0 Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Mon, 4 Jul 2022 14:34:23 +0800
+Subject: [PATCH] containerd: Limit the response size of ExecSync
+
+fix CVE-2022-31030
+upstream:https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382
+---
+ .../cri/pkg/server/container_execsync.go | 45 ++++++++++++++++-
+ .../cri/pkg/server/container_execsync_test.go | 49 +++++++++++++++++++
+ 2 files changed, 92 insertions(+), 2 deletions(-)
+ create mode 100644 vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go
+
+diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
+index fd54120..1ef93e5 100644
+--- a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
++++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
+@@ -37,14 +37,55 @@ import (
+ "github.com/containerd/cri/pkg/util"
+ )
+
++type cappedWriter struct {
++ w io.WriteCloser
++ remain int
++}
++
++func (cw *cappedWriter) Write(p []byte) (int, error) {
++ if cw.remain <= 0 {
++ return len(p), nil
++ }
++
++ end := cw.remain
++ if end > len(p) {
++ end = len(p)
++ }
++ written, err := cw.w.Write(p[0:end])
++ cw.remain -= written
++
++ if err != nil {
++ return written, err
++ }
++ return len(p), nil
++}
++
++func (cw *cappedWriter) Close() error {
++ return cw.w.Close()
++}
++
++func (cw *cappedWriter) isFull() bool {
++ return cw.remain <= 0
++}
++
+ // ExecSync executes a command in the container, and returns the stdout output.
+ // If command exits with a non-zero exit code, an error is returned.
+ func (c *criService) ExecSync(ctx context.Context, r *runtime.ExecSyncRequest) (*runtime.ExecSyncResponse, error) {
++ const maxStreamSize = 1024 * 1024 * 16
++
+ var stdout, stderr bytes.Buffer
++
++ // cappedWriter truncates the output. In that case, the size of
++ // the ExecSyncResponse will hit the CRI plugin's gRPC response limit.
++ // Thus the callers outside of the containerd process (e.g. Kubelet) never see
++ // the truncated output.
++ cout := &cappedWriter{w: cioutil.NewNopWriteCloser(&stdout), remain: maxStreamSize}
++ cerr := &cappedWriter{w: cioutil.NewNopWriteCloser(&stderr), remain: maxStreamSize}
++
+ exitCode, err := c.execInContainer(ctx, r.GetContainerId(), execOptions{
+ cmd: r.GetCmd(),
+- stdout: cioutil.NewNopWriteCloser(&stdout),
+- stderr: cioutil.NewNopWriteCloser(&stderr),
++ stdout: cout,
++ stderr: cerr,
+ timeout: time.Duration(r.GetTimeout()) * time.Second,
+ })
+ if err != nil {
+diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go
+new file mode 100644
+index 0000000..c8641d0
+--- /dev/null
++++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go
+@@ -0,0 +1,49 @@
++/*
++ Copyright The containerd Authors.
++ Licensed under the Apache License, Version 2.0 (the "License");
++ you may not use this file except in compliance with the License.
++ You may obtain a copy of the License at
++ http://www.apache.org/licenses/LICENSE-2.0
++ Unless required by applicable law or agreed to in writing, software
++ distributed under the License is distributed on an "AS IS" BASIS,
++ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ See the License for the specific language governing permissions and
++ limitations under the License.
++*/
++
++package server
++
++import (
++ "bytes"
++ "testing"
++
++ cioutil "github.com/containerd/containerd/pkg/ioutil"
++ "github.com/stretchr/testify/assert"
++)
++
++func TestCWWrite(t *testing.T) {
++ var buf bytes.Buffer
++ cw := &cappedWriter{w: cioutil.NewNopWriteCloser(&buf), remain: 10}
++
++ n, err := cw.Write([]byte("hello"))
++ assert.NoError(t, err)
++ assert.Equal(t, 5, n)
++
++ n, err = cw.Write([]byte("helloworld"))
++ assert.NoError(t, err, "no errors even it hits the cap")
++ assert.Equal(t, 10, n, "no indication of partial write")
++ assert.True(t, cw.isFull())
++ assert.Equal(t, []byte("hellohello"), buf.Bytes(), "the underlying writer is capped")
++
++ _, err = cw.Write([]byte("world"))
++ assert.NoError(t, err)
++ assert.True(t, cw.isFull())
++ assert.Equal(t, []byte("hellohello"), buf.Bytes(), "the underlying writer is capped")
++}
++
++func TestCWClose(t *testing.T) {
++ var buf bytes.Buffer
++ cw := &cappedWriter{w: cioutil.NewNopWriteCloser(&buf), remain: 5}
++ err := cw.Close()
++ assert.NoError(t, err)
++}
+--
+2.30.0
+
diff --git a/series.conf b/series.conf
index fe4a3d4f412f7b91be4cd108e396f840bd92b933..5586f877c349199ad7631f2290bd0f4ab3956c81 100644
--- a/series.conf
+++ b/series.conf
@@ -71,3 +71,4 @@ patch/0066-containerd-cleanup-dangling-shim-by-brand-new-context.patch
 patch/0067-containerd-fix-potential-panic-for-task-in-unknown-state.patch
 patch/0068-containerd-reduce-permissions-for-bundle-dir-to-fix-.patch
 patch/0069-containerd-Use-fs.RootPath-when-mounting-vo.patch
+patch/0070-containerd-Limit-the-response-size-of-ExecSync.patch
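Review bot: In the embedded patch, `cappedWriter.isFull()` is referenced only by the new test; the visible ExecSync lines never consult `cout.isFull()` or `cerr.isFull()`, so truncation is signalled to the caller only indirectly, via the response growing past the gRPC limit as the comment explains, and the remainder of ExecSync lies outside the patch's hunk so whether it reports truncation cannot be checked here. The type and its methods also carry no doc comments, although `Write` deliberately departs from the io.Writer contract by returning `len(p), nil` once the cap is reached and by discarding everything after it, which is the property that bounds the memory the CRI server buffers per stream. Suggest a type comment such as `// cappedWriter forwards at most remain bytes to w and silently discards the rest; Write always reports len(p) so the producer is never interrupted, and isFull reports whether the cap has been reached.` A minor style point: `p[0:end]` can be written `p[:end]`.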