From 846018621c0068f69bd16213b631d0ad9f362f85 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Thu, 22 Sep 2022 19:16:02 +0800
Subject: [PATCH] containerd: bugfix and add CGO security build option

(cherry picked from commit eb136438cf63fae5754c31920a6bf8afaeded135)
---
 containerd.spec | 8 +-
 git-commit | 2 +-
 ...t-manifest-provided-URLs-differently.patch | 65 ++++++++++
 ...-Use-chmod-path-for-checking-symlink.patch | 30 +++++
 ...089-containerd-Add-lock-for-ListPids.patch | 31 +++++
 ...idate-document-type-before-unmarshal.patch | 117 ++++++++++++++++++
 ...1-schema1-reject-ambiguous-documents.patch | 43 +++++++
 ...nerd-add-CGO-sercurity-build-options.patch | 38 ++++++
 series.conf | 6 +
 9 files changed, 338 insertions(+), 2 deletions(-)
 create mode 100644 patch/0087-containerd-treat-manifest-provided-URLs-differently.patch
 create mode 100644 patch/0088-containerd-Use-chmod-path-for-checking-symlink.patch
 create mode 100644 patch/0089-containerd-Add-lock-for-ListPids.patch
 create mode 100644 patch/0090-images-validate-document-type-before-unmarshal.patch
 create mode 100644 patch/0091-schema1-reject-ambiguous-documents.patch
 create mode 100644 patch/0092-containerd-add-CGO-sercurity-build-options.patch

diff --git a/containerd.spec b/containerd.spec
index d617fb1..625299b 100644
--- a/containerd.spec
+++ b/containerd.spec
@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version: 1.2.0
 Name: containerd
-Release: 303
+Release: 304
 Summary: An industry-standard container runtime
 License: ASL 2.0
 URL: https://containerd.io
@@ -52,6 +52,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
 %{_bindir}/containerd-shim

 %changelog
+* Thu Sep 22 2022 zhongjiawei - 1.2.0-304
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: bugfix and add CGO security build option
+
 * Mon Jul 4 2022 zhongjiawei - 1.2.0-303
 - Type:bugfix
 - ID:NA
diff --git a/git-commit b/git-commit
index b319817..c3e5843 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-1493659ef0808b8f3a5b920b0f0661833af2782e
+12d183fff48f375fac852537ae9677c0efa407ec
diff --git a/patch/0087-containerd-treat-manifest-provided-URLs-differently.patch b/patch/0087-containerd-treat-manifest-provided-URLs-differently.patch
new file mode 100644
index 0000000..717e4a1
--- /dev/null
+++ b/patch/0087-containerd-treat-manifest-provided-URLs-differently.patch
@@ -0,0 +1,65 @@
+From eb6ab2e84ab184321bd649b4def182f93e62b6df Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Mon, 24 Jan 2022 19:03:30 +0800
+Subject: [PATCH] [Backport]treat manifest provided URLs differently
+
+fix CVE-2020-15157
+
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/1ead8d9deb3b175bf40413b8c47b3d19c2262726
+https://github.com/containerd/containerd/commit/abbb17959f55bbb9b7eb37f965d7dad2f4ea8744
+
+Signed-off-by: xiadanni
+---
+ remotes/docker/fetcher.go | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/remotes/docker/fetcher.go b/remotes/docker/fetcher.go
+index 4a2ce3c39..00e7a47c6 100644
+--- a/remotes/docker/fetcher.go
++++ b/remotes/docker/fetcher.go
+@@ -56,6 +56,26 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
+ }
+
+ return newHTTPReadSeeker(desc.Size, func(offset int64) (io.ReadCloser, error) {
++ if len(desc.URLs) > 0 {
++ db := *r.dockerBase
++ // Remove authorizer to avoid authentication when
++ // connecting to manifest provided URLs.
++ // Prevents https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
++ db.auth = nil
++ nr := dockerFetcher{
++ dockerBase: &db,
++ }
++ for _, u := range desc.URLs {
++ log.G(ctx).WithField("url", u).Debug("trying alternative url")
++ rc, err := nr.open(ctx, u, desc.MediaType, offset)
++ if err != nil {
++ log.G(ctx).WithField("error", err).Debug("error trying url")
++ continue // try one of the other urls.
++ }
++
++ return rc, nil
++ }
++ }
+ for _, u := range urls {
+ rc, err := r.open(ctx, u, desc.MediaType, offset)
+ if err != nil {
+@@ -142,14 +162,6 @@ func (r dockerFetcher) open(ctx context.Context, u, mediatype string, offset int
+ func (r *dockerFetcher) getV2URLPaths(ctx context.Context, desc ocispec.Descriptor) ([]string, error) {
+ var urls []string
+
+- if len(desc.URLs) > 0 {
+- // handle fetch via external urls.
+- for _, u := range desc.URLs {
+- log.G(ctx).WithField("url", u).Debug("adding alternative url")
+- urls = append(urls, u)
+- }
+- }
+-
+ switch desc.MediaType {
+ case images.MediaTypeDockerSchema2Manifest, images.MediaTypeDockerSchema2ManifestList,
+ images.MediaTypeDockerSchema1Manifest,
+-- 
+2.27.0
+
diff --git a/patch/0088-containerd-Use-chmod-path-for-checking-symlink.patch b/patch/0088-containerd-Use-chmod-path-for-checking-symlink.patch
new file mode 100644
index 0000000..bc4cf4f
--- /dev/null
+++ b/patch/0088-containerd-Use-chmod-path-for-checking-symlink.patch
@@ -0,0 +1,30 @@
+From 90a3fd55136fb18641c8221792b013ee1dbc17f5 Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Mon, 24 Jan 2022 19:15:14 +0800
+Subject: [PATCH] [Backport]Use chmod path for checking symlink
+
+fix CVE-2021-32760
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/03aa748c11663e87a72fab92b7ab7c88c28bf13e
+
+Signed-off-by: xiadanni
+---
+ archive/tar_unix.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archive/tar_unix.go b/archive/tar_unix.go
+index 022dd6d4f..7f3857c7d 100644
+--- a/archive/tar_unix.go
++++ b/archive/tar_unix.go
+@@ -127,7 +127,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
+
+ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
+ if hdr.Typeflag == tar.TypeLink {
+- if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
++ if fi, err := os.Lstat(path); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
+ if err := os.Chmod(path, hdrInfo.Mode()); err != nil {
+ return err
+ }
+-- 
+2.27.0
+
diff --git a/patch/0089-containerd-Add-lock-for-ListPids.patch b/patch/0089-containerd-Add-lock-for-ListPids.patch
new file mode 100644
index 0000000..9bfc877
--- /dev/null
+++ b/patch/0089-containerd-Add-lock-for-ListPids.patch
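Review bot: The new `desc.URLs` loop in `Fetch` hands every manifest-supplied URL to `nr.open` without checking its scheme, so for an attacker-controlled URL the only thing that changed is that the Authorizer is dropped; since `desc.URLs` comes straight from the pulled manifest, a one-line allowlist ahead of the open call is cheap, e.g. `if pu, err := url.Parse(u); err != nil || (pu.Scheme != "http" && pu.Scheme != "https") { continue }` (needs `net/url` imported in fetcher.go). `db := *r.dockerBase` copies the whole base value with only `auth` cleared, so any other request-level state that struct may carry in 1.2 (custom headers, for instance) still travels to the foreign host — worth confirming against the struct definition, which is outside this patch. Failures of the alternative URLs are logged at Debug only and the loop falls through to the registry `urls`, so the error a user eventually sees describes the registry fetch rather than why the foreign URL was rejected; logging at Warn, or carrying the last alternative-URL error into the fallthrough path, would make this failure mode diagnosable. The enclosing `Fetch` closure and `getV2URLPaths` both continue outside the quoted hunk.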
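Review bot: The one-line change in `handleLChmod` carries no comment saying why the Lstat target moved from `hdr.Linkname` to `path`, and it is exactly the kind of line a later cleanup could "simplify" back; suggest adding above it `// Lstat the link just written (path), not hdr.Linkname: the link name is archive-relative and is not resolved against the root here, and if the link target was a symlink then path is a symlink too and os.Chmod would follow it out of the rootfs (CVE-2021-32760).` The `err == nil` guard also means any Lstat failure silently skips the chmod — pre-existing, but now that the check is on the file being extracted a note such as `// an Lstat error deliberately skips the chmod rather than failing the extraction` makes that intent explicit. The non-link branches of `handleLChmod` lie outside the hunk.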
@@ -0,0 +1,31 @@
+From 9a92dd95046003cd661f8cd76429b2e424907a2a Mon Sep 17 00:00:00 2001
+From: Vanient
+Date: Mon, 21 Mar 2022 06:57:02 +0800
+Subject: [PATCH] [Backport]containerd: Add lock for ListPids
+
+Add the missing locks in ListPids
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/fcf3b275fcd404ddf5fe75d5629d2168742ec0d3
+
+Signed-off-by: Vanient
+---
+ runtime/v1/shim/service.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
+index 7d7327cd8..435f02e3c 100644
+--- a/runtime/v1/shim/service.go
++++ b/runtime/v1/shim/service.go
+@@ -434,6 +434,9 @@ func (s *Service) ListPids(ctx context.Context, r *shimapi.ListPidsRequest) (*sh
+ return nil, errdefs.ToGRPC(err)
+ }
+ var processes []*task.ProcessInfo
++
++ s.mu.Lock()
++ defer s.mu.Unlock()
+ for _, pid := range pids {
+ pInfo := task.ProcessInfo{
+ Pid: pid,
+-- 
+2.27.0
+
diff --git a/patch/0090-images-validate-document-type-before-unmarshal.patch b/patch/0090-images-validate-document-type-before-unmarshal.patch
new file mode 100644
index 0000000..f4998f6
--- /dev/null
+++ b/patch/0090-images-validate-document-type-before-unmarshal.patch
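Review bot: The lock added in `ListPids` has no comment saying what it protects, and the `s.processes` walk it presumably guards starts just below the hunk's last context line; suggest `// s.processes is mutated by the exec/delete handlers; hold s.mu for the whole walk so the map is never read while being written.` (the writers are my inference — name the actual call sites). Because `s.mu` is now held across the entire per-pid loop, any Process method invoked inside that loop that takes its own mutex needs its lock order checked against paths that already hold a process lock when they call back into `s`; the loop body is outside the hunk, so this cannot be confirmed here. As a style point the hunk also leaves a stray blank line between `var processes` and `s.mu.Lock()`; dropping it keeps the declaration and the critical section together.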
@@ -0,0 +1,117 @@
+From e3e70b398ff362182797e2d73372f8f654ba9383 Mon Sep 17 00:00:00 2001
+From: Vanient
+Date: Thu, 9 Jun 2022 10:45:47 +0800
+Subject: [PATCH 1/2] images: validate document type before unmarshal
+
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/eb9ba7ed8d46d48fb22362f9d91fff6fb837e37e
+
+Signed-off-by: Vanient
+---
+ images/image.go | 55 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/images/image.go b/images/image.go
+index f72684d82..ad12fe971 100644
+--- a/images/image.go
++++ b/images/image.go
+@@ -19,6 +19,7 @@ package images
+ import (
+ "context"
+ "encoding/json"
++ "fmt"
+ "sort"
+ "strings"
+ "time"
+@@ -154,6 +155,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
+ return nil, err
+ }
+
++ if err := validateMediaType(p, desc.MediaType); err != nil {
++ return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
++ }
++
+ var manifest ocispec.Manifest
+ if err := json.Unmarshal(p, &manifest); err != nil {
+ return nil, err
+@@ -194,6 +199,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
+ return nil, err
+ }
+
++ if err := validateMediaType(p, desc.MediaType); err != nil {
++ return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
++ }
++
+ var idx ocispec.Index
+ if err := json.Unmarshal(p, &idx); err != nil {
+ return nil, err
+@@ -335,6 +344,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
+ return nil, err
+ }
+
++ if err := validateMediaType(p, desc.MediaType); err != nil {
++ return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
++ }
++
+ // TODO(stevvooe): We just assume oci manifest, for now. There may be
+ // subtle differences from the docker version.
+ var manifest ocispec.Manifest
+@@ -350,6 +363,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
+ return nil, err
+ }
+
++ if err := validateMediaType(p, desc.MediaType); err != nil {
++ return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
++ }
++
+ var index ocispec.Index
+ if err := json.Unmarshal(p, &index); err != nil {
+ return nil, err
+@@ -371,6 +388,44 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
+ return descs, nil
+ }
+
++// unknownDocument represents a manifest, manifest list, or index that has not
++// yet been validated.
++type unknownDocument struct {
++ MediaType string `json:"mediaType,omitempty"`
++ Config json.RawMessage `json:"config,omitempty"`
++ Layers json.RawMessage `json:"layers,omitempty"`
++ Manifests json.RawMessage `json:"manifests,omitempty"`
++ FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1
++}
++
++// validateMediaType returns an error if the byte slice is invalid JSON or if
++// the media type identifies the blob as one format but it contains elements of
++// another format.
++func validateMediaType(b []byte, mt string) error {
++ var doc unknownDocument
++ if err := json.Unmarshal(b, &doc); err != nil {
++ return err
++ }
++ if len(doc.FSLayers) != 0 {
++ return fmt.Errorf("media-type: schema 1 not supported")
++ }
++ switch mt {
++ case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
++ if len(doc.Manifests) != 0 ||
++ doc.MediaType == MediaTypeDockerSchema2ManifestList ||
++ doc.MediaType == ocispec.MediaTypeImageIndex {
++ return fmt.Errorf("media-type: expected manifest but found index (%s)", mt)
++ }
++ case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
++ if len(doc.Config) != 0 || len(doc.Layers) != 0 ||
++ doc.MediaType == MediaTypeDockerSchema2Manifest ||
++ doc.MediaType == ocispec.MediaTypeImageManifest {
++ return fmt.Errorf("media-type: expected index but found manifest (%s)", mt)
++ }
++ }
++ return nil
++}
++
+ // RootFS returns the unpacked diffids that make up and images rootfs.
+ //
+ // These are used to verify that a set of layers unpacked to the expected
+-- 
+2.27.0
+
diff --git a/patch/0091-schema1-reject-ambiguous-documents.patch b/patch/0091-schema1-reject-ambiguous-documents.patch
new file mode 100644
index 0000000..d03ec24
--- /dev/null
+++ b/patch/0091-schema1-reject-ambiguous-documents.patch
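Review bot: `validateMediaType` treats the Docker and OCI variants of the same document kind as interchangeable — a blob whose `mediaType` field says OCI image manifest passes when `mt` is the Docker schema2 manifest type, and vice versa — and the doc comment should say so, e.g. append `// Docker schema2 and OCI variants of one kind are considered equivalent; only manifest-vs-index and schema 1 confusion is rejected.` The `len(doc.X) != 0` presence tests deserve a line as well: a `json.RawMessage` that received a JSON `null` holds the literal `null` as far as I recall, so `"layers": null` counts as present and is rejected, which is the conservative outcome but can surprise a reader of the check. Each call site now parses the blob twice, once here and once into the typed struct; keeping the backport identical to upstream is the right trade-off, but a one-line comment at the top of the function noting the deliberate second unmarshal would stop a later optimisation from folding this check into the typed decode and losing the cross-field test.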
@@ -0,0 +1,43 @@
+From 7a294fa5d943401ed3cb9149f69f1d12f372c374 Mon Sep 17 00:00:00 2001
+From: Vanient
+Date: Thu, 9 Jun 2022 10:48:09 +0800
+Subject: [PATCH 2/2] schema1: reject ambiguous documents
+
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/70c88f507579277ab7af23b06666e3b57d4b4f2d
+
+Signed-off-by: Vanient
+---
+ remotes/docker/schema1/converter.go | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/remotes/docker/schema1/converter.go b/remotes/docker/schema1/converter.go
+index 766c24a26..c618a33d5 100644
+--- a/remotes/docker/schema1/converter.go
++++ b/remotes/docker/schema1/converter.go
+@@ -250,6 +250,9 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor)
+ if err := json.Unmarshal(b, &m); err != nil {
+ return err
+ }
++ if len(m.Manifests) != 0 || len(m.Layers) != 0 {
++ return errors.New("converter: expected schema1 document but found extra keys")
++ }
+ c.pulledManifest = &m
+
+ return nil
+@@ -466,8 +469,10 @@ type history struct {
+ }
+
+ type manifest struct {
+- FSLayers []fsLayer `json:"fsLayers"`
+- History []history `json:"history"`
++ FSLayers []fsLayer `json:"fsLayers"`
++ History []history `json:"history"`
++ Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest
++ Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index
+ }
+
+ type v1History struct {
+-- 
+2.27.0
+
diff --git a/patch/0092-containerd-add-CGO-sercurity-build-options.patch b/patch/0092-containerd-add-CGO-sercurity-build-options.patch
new file mode 100644
index 0000000..29ec5ab
--- /dev/null
+++ b/patch/0092-containerd-add-CGO-sercurity-build-options.patch
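Review bot: The ambiguity guard in `fetchManifest` keys only on `manifests` and `layers`, whereas `unknownDocument` in images/image.go (patch 0090 in this same series) also treats `config` as a schema2/OCI marker; a schema 1 document never carries `config`, so for symmetry add a `Config json.RawMessage` field tagged `json:"config,omitempty"` to the `manifest` struct and widen the guard to `if len(m.Manifests) != 0 || len(m.Layers) != 0 || len(m.Config) != 0 {`. That goes beyond the referenced upstream commit, so carry it as a separate follow-up patch if the backport is meant to stay identical to upstream. A short comment above the guard, `// a document that mixes fsLayers with schema2/OCI keys is ambiguous; refuse to convert it`, would also explain the "extra keys" wording in the error. The remainder of `fetchManifest` and of the `manifest` type's users are outside the hunk.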
@@ -0,0 +1,38 @@
+From f7d5384097fde1e448649fcacde0dd05b7f2e967 Mon Sep 17 00:00:00 2001
+From: zjw
+Date: Mon, 20 Jun 2022 20:08:24 +0800
+Subject: [PATCH] containerd: containerd and containerd-shim add CGO security build options
+
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 49a90e6..2bc5dd5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -172,8 +172,8 @@ bin/%: cmd/% FORCE
+ mkdir -p $(BEP_DIR)
+ @echo "$(WHALE) $@${BINARY_SUFFIX}"
+ CGO_ENABLED=1 \
+- CGO_CFLAGS="-fstack-protector-strong" \
+- CGO_CPPFLAGS="-fstack-protector-strong" \
++ CGO_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_CPPFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS} ./$<
+@@ -181,8 +181,8 @@ bin/%: cmd/% FORCE
+ bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ @echo "$(WHALE) bin/containerd-shim"
+ CGO_ENABLED=1 \
+- CGO_CFLAGS="-fstack-protector-strong -fPIE" \
+- CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
++ CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++ CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
+-- 
+2.30.0
+
diff --git a/series.conf b/series.conf
index 1054096..f7bbc65 100644
--- a/series.conf
+++ b/series.conf
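Review bot: `-D_FORTIFY_SOURCE=2 -O2` is added to both `CGO_CFLAGS` and `CGO_CPPFLAGS`, and cgo passes both sets to every C compile, so the define and `-O2` now appear twice on each command line; keep the define in `CGO_CPPFLAGS` only and `-O2` in `CGO_CFLAGS` only, and write it as `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` so a toolchain that already predefines `_FORTIFY_SOURCE` (as some distro gcc builds do) does not emit redefinition warnings or silently keep its own level. A Makefile comment that `_FORTIFY_SOURCE` only takes effect with optimisation enabled — the reason `-O2` is bundled with it — would stop someone dropping `-O2` for a debug build and losing the check. These flags harden only the C objects compiled through cgo; Go-compiled code is unaffected, and the changelog's "CGO security build option" wording should not be read as hardening the whole binary. The shim rule's context comment `# set !cgo and omit pie for a static shim build` contradicts the `CGO_ENABLED=1` and `-buildmode=pie` directly below it — pre-existing, but touching these lines is the moment to delete it. The patch filename and subject also spell "sercurity"; renaming means updating `series.conf` in the same commit.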
@@ -91,4 +91,10 @@ patch/0083-containerd-optimize-cgo-compile-options.patch
 patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch
 patch/0085-containerd-put-get-pid-lock-after-set-process-exited-to-.patch
 patch/0086-containerd-Limit-the-response-size-of-ExecSync.patch
+patch/0087-containerd-treat-manifest-provided-URLs-differently.patch
+patch/0088-containerd-Use-chmod-path-for-checking-symlink.patch
+patch/0089-containerd-Add-lock-for-ListPids.patch
+patch/0090-images-validate-document-type-before-unmarshal.patch
+patch/0091-schema1-reject-ambiguous-documents.patch
+patch/0092-containerd-add-CGO-sercurity-build-options.patch
 # end
-- 
Gitee