From 192f9b1059073d7ac64910ad74a82b35e4e9f59d Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Fri, 16 May 2025 10:25:59 +0800
Subject: [PATCH] sync patch from upstream
---
 ...I-heap-buffer-overflow-when-containe.patch | 217 ++++++++++++++++++
 iSulad.spec | 9 +-
 2 files changed, 225 insertions(+), 1 deletion(-)
 create mode 100644 0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
diff --git a/0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch b/0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
new file mode 100644
index 0000000..a96f5e7
--- /dev/null
+++ b/0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
@@ -0,0 +1,217 @@
+From 1887601e26b4e3dbfdacb66afad145dbbc08d877 Mon Sep 17 00:00:00 2001
+From: liuxu
+Date: Fri, 28 Mar 2025 16:08:03 +0800
+Subject: [PATCH] bugfix:SandboxAPI heap-buffer-overflow when containers are
+ created concurrently.
+
+Signed-off-by: liuxu
+---
+ .../sandbox/sandboxer/sandboxer_sandbox.cc | 46 +++++++++----------
+ .../sandbox/sandboxer/sandboxer_sandbox.h | 8 ++--
+ 2 files changed, 26 insertions(+), 28 deletions(-)
+
+diff --git a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc
+index e26b87c8..fc44f94a 100644
+--- a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc
++++ b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc
+@@ -73,7 +73,6 @@ auto SandboxerSandbox::ReadSandboxTasksJson() -> sandbox_tasks *
+ __isula_auto_free parser_error err = nullptr;
+ sandbox_tasks *tasksArray = nullptr;
+
+- ReadGuard lock(m_tasksMutex);
+ tasksArray = sandbox_tasks_parse_file(path.c_str(), nullptr, &err);
+ if (tasksArray == nullptr) {
+ WARN("Failed to read %s tasks json: %s", path.c_str(), err);
+@@ -86,7 +85,6 @@ auto SandboxerSandbox::WriteSandboxTasksJson(std::string &tasks_json) -> bool
+ int nret = 0;
+ const std::string path = GetTasksJsonPath();
+
+- WriteGuard lock(m_tasksMutex);
+ nret = util_atomic_write_file(path.c_str(), tasks_json.c_str(), tasks_json.size(), CONFIG_FILE_MODE, false);
+ if (nret != 0) {
+ SYSERROR("Failed to write file %s", path.c_str());
+@@ -99,7 +97,6 @@ auto SandboxerSandbox::DeleteSandboxTasksJson() -> bool
+ int get_err = 0;
+ const std::string path = GetTasksJsonPath();
+
+- WriteGuard lock(m_tasksMutex);
+ if (util_fileself_exists(path.c_str()) &&
+ !util_force_remove_file(path.c_str(), &get_err)) {
+ errno = get_err;
+@@ -114,7 +111,6 @@ void SandboxerSandbox::AddSandboxTasksByArray(sandbox_tasks *tasksArray)
+ {
+ size_t i;
+
+- WriteGuard lock(m_tasksMutex);
+ for (i = 0; i < tasksArray->tasks_len; i++) {
+ if (!AddTaskById(tasksArray->tasks[i]->task_id,
tasksArray->tasks[i])) {
+ return;
+@@ -128,6 +124,8 @@ void SandboxerSandbox::LoadSandboxTasks()
+ {
+ sandbox_tasks *tasksArray = nullptr;
+
++ std::lock_guard lockGuard(m_tasksMutex);
++
+ tasksArray = ReadSandboxTasksJson();
+ if (tasksArray == nullptr) {
+ return;
+@@ -164,8 +162,6 @@ auto SandboxerSandbox::AddSandboxTasks(sandbox_task *task) -> bool
+ return false;
+ }
+
+- WriteGuard lock(m_tasksMutex);
+-
+ return AddTaskById(task->task_id, task);
+ }
+
+@@ -181,19 +177,8 @@ auto SandboxerSandbox::GetAnySandboxTasks() -> std::string
+ SYSERROR("Out of memory.");
+ return std::string("");
+ }
+-
+- ReadGuard lock(m_tasksMutex);
++
+ for (auto const& [_, val] : m_tasks) {
+- /*
+- * We ignore that the processes are modified
+- * when we generate tasks json string.
+- * Because no matter whether a process is deleted or added,
+- * the Update of sandbox api will be called eventually.
+- *
+- * And we ignore that the task is freed after we do GetTask().
+- * Because the only way to free task is DeleteSandboxTasks()
+- * which needs write lock of m_tasksMutex.
+- */
+ tasksArray.tasks[i] = val->GetTask();
+ i++;
+ }
+@@ -218,7 +203,6 @@ void SandboxerSandbox::DeleteSandboxTasks(const char *containerId)
+
+ std::string taskId = std::string(containerId);
+
+- WriteGuard lock(m_tasksMutex);
+ auto iter = m_tasks.find(taskId);
+ if (iter == m_tasks.end()) {
+ return;
+@@ -235,7 +219,6 @@ auto SandboxerSandbox::AddSandboxTasksProcess(const char *containerId, sandbox_p
+
+ std::string taskId = std::string(containerId);
+
+- ReadGuard lock(m_tasksMutex);
+ auto iter = m_tasks.find(taskId);
+ if (iter == m_tasks.end()) {
+ SYSERROR("Failed to find container %s", containerId);
+@@ -253,7 +236,6 @@ void SandboxerSandbox::DeleteSandboxTasksProcess(const char *containerId, const
+
+ std::string taskId = std::string(containerId);
+
+- ReadGuard lock(m_tasksMutex);
+ auto iter = m_tasks.find(taskId);
+ if (iter == m_tasks.end()) {
+ return;
+@@ -481,6 +463,7 @@ auto SandboxerSandbox::PrepareContainer(const char *containerId, const char *bas
+ sandbox_sandbox *apiSandbox = nullptr;
+
+ INFO("Prepare container for sandbox");
++ std::lock_guard lockGuard(m_tasksMutex);
+
+ if (nullptr == consoleFifos) {
+ ERROR("Invlaid parameter: consoleFifos");
+@@ -529,7 +512,7 @@ auto SandboxerSandbox::PrepareContainer(const char *containerId, const char *bas
+ }
+ if (!SaveSandboxTasks()) {
+ ERROR("Failed to Save %s sandbox tasks.", containerId);
+- (void)PurgeContainer(containerId);
++ (void)DoPurgeContainer(containerId);
+ return -1;
+ }
+ return 0;
+@@ -546,6 +529,7 @@ auto SandboxerSandbox::PrepareExec(const char *containerId, const char *execId,
+ sandbox_sandbox *apiSandbox = nullptr;
+
+ INFO("Prepare exec for container in sandbox");
++ std::lock_guard lockGuard(m_tasksMutex);
+
+ if (nullptr == consoleFifos) {
+ ERROR("Invlaid parameter: consoleFifos");
+@@ -590,7 +574,7 @@ auto SandboxerSandbox::PrepareExec(const char *containerId, const char *execId,
+ }
+ if (!SaveSandboxTasks()) {
+ ERROR("Failed to Save %s sandbox tasks.",
containerId);
+- (void)PurgeExec(containerId, execId);
++ (void)DoPurgeExec(containerId, execId);
+ return -1;
+ }
+ return 0;
+@@ -600,7 +584,7 @@ del_out:
+ return -1;
+ }
+
+-auto SandboxerSandbox::PurgeContainer(const char *containerId) -> int
++auto SandboxerSandbox::DoPurgeContainer(const char *containerId) -> int
+ {
+ sandbox_sandbox *apiSandbox = nullptr;
+
+@@ -630,7 +614,13 @@ auto SandboxerSandbox::PurgeContainer(const char *containerId) -> int
+ return 0;
+ }
+
+-auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) -> int
++auto SandboxerSandbox::PurgeContainer(const char *containerId) -> int
++{
++ std::lock_guard lockGuard(m_tasksMutex);
++ return DoPurgeContainer(containerId);
++}
++
++auto SandboxerSandbox::DoPurgeExec(const char *containerId, const char *execId) -> int
+ {
+ sandbox_sandbox *apiSandbox = nullptr;
+
+@@ -660,4 +650,10 @@ auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) ->
+ return 0;
+ }
+
++auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) -> int
++{
++ std::lock_guard lockGuard(m_tasksMutex);
++ return DoPurgeExec(containerId, execId);
++}
++
+ }
+\ No newline at end of file
+diff --git a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h
+index 37a96cd6..1f3bc186 100644
+--- a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h
++++ b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h
+@@ -20,7 +20,6 @@
+ #include
+ #include
+
+-#include "read_write_lock.h"
+ #include "sandbox_task.h"
+ #include "sandbox.h"
+
+@@ -45,6 +44,9 @@ public:
+ auto PurgeExec(const char *containerId, const char *execId) -> int override;
+
+ private:
++ auto DoPurgeContainer(const char *containerId) -> int;
++ auto DoPurgeExec(const char *containerId, const char *execId) -> int;
++
+ auto GetTasksJsonPath() -> std::string;
+ auto SaveSandboxTasks() -> bool;
+ auto AddSandboxTasks(sandbox_task *task) -> bool;
+@@ -67,8 +69,8 @@
private:
+ auto DoSandboxUpdate(sandbox_sandbox *apiSandbox) -> int;
+
+ private:
+- // use m_tasksMutex to ensure the correctness of the tasks
+- RWMutex m_tasksMutex;
++ // use m_tasksMutex to ensure the correctness of the tasks and task json file when the external interface accesses them.
++ std::mutex m_tasksMutex;
+ // for sandbox api update, containerId --> tasks
+ std::map> m_tasks;
+ };
+--
+2.43.0
+
diff --git a/iSulad.spec b/iSulad.spec
index b450799..5cf31d3 100644
--- a/iSulad.spec
+++ b/iSulad.spec
@@ -1,5 +1,5 @@
 %global _version 2.1.5
-%global _release 19
+%global _release 20
 %global is_systemd 1
 %global enable_criv1 1
 %global enable_cdi 1
@@ -222,6 +222,7 @@ Patch0197: 0197-coco-support-confidential-containers.patch
 Patch0198: 0198-isolate-isula-search-ut-in-registry_images_ut.patch
 Patch0199: 0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch
 Patch0200: 0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch
+Patch0201: 0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
 %ifarch x86_64 aarch64
 Provides: libhttpclient.so()(64bit)
@@ -492,6 +493,12 @@ fi
 %endif
 %changelog
+* Fri May 16 2025 dongyuzhen - 2.1.5-20
+- Type:enhancement
+- CVE:NA
+- SUG:NA
+- DESC:sync patch from upstream
+
 * Mon May 12 2025 dongyuzhen - 2.1.5-19
 - Type:enhancement
 - CVE:NA
-- Gitee
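Review bot: The private helpers that lose their own guards in sandboxer_sandbox.cc (ReadSandboxTasksJson, WriteSandboxTasksJson, DeleteSandboxTasksJson, AddSandboxTasksByArray, AddSandboxTasks, GetAnySandboxTasks, DeleteSandboxTasks, AddSandboxTasksProcess, DeleteSandboxTasksProcess) now read and modify `m_tasks` and the tasks JSON file with no lock of their own, so memory safety rests on every caller already holding `m_tasksMutex`, and nothing at those declarations says so. The patch takes the lock only in LoadSandboxTasks, PrepareContainer, PrepareExec, PurgeContainer and PurgeExec; any other entry point that reaches these helpers lies outside the visible hunks and should be checked, because an unguarded path would bring back the concurrent access this patch is fixing. I would add `// Caller must hold m_tasksMutex.` above the private helper declarations in sandboxer_sandbox.h, and above DoPurgeContainer/DoPurgeExec `// Unlocked variants for callers that already hold m_tasksMutex; std::mutex is not recursive.`, so that nobody later calls the public PurgeContainer/PurgeExec from a locked path and self-deadlocks. The bodies of PrepareContainer and PrepareExec between the lock acquisition and SaveSandboxTasks are not shown, so whether the mutex is now held across a blocking sandboxer call cannot be judged from this page.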