From cbd6727d829cc96e31de72bc256c849d31f5223c Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Thu, 18 Sep 2025 17:16:54 +0800
Subject: [PATCH] sync patches from upstream

---
 ...I-heap-buffer-overflow-when-containe.patch | 217 ++++++++++++++++++
 ...ugfix-fix-cdi-hook-name-strcmp-error.patch | 32 +++
 iSulad.spec | 10 +-
 3 files changed, 258 insertions(+), 1 deletion(-)
 create mode 100644 0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
 create mode 100644 0202-bugfix-fix-cdi-hook-name-strcmp-error.patch

diff --git a/0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch b/0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
new file mode 100644
index 0000000..a96f5e7
--- /dev/null
+++ b/0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
@@ -0,0 +1,217 @@
+From 1887601e26b4e3dbfdacb66afad145dbbc08d877 Mon Sep 17 00:00:00 2001
+From: liuxu
+Date: Fri, 28 Mar 2025 16:08:03 +0800
+Subject: [PATCH] bugfix:SandboxAPI heap-buffer-overflow when containers are
+ created concurrently.
+
+Signed-off-by: liuxu
+---
+ .../sandbox/sandboxer/sandboxer_sandbox.cc | 46 +++++++++----------
+ .../sandbox/sandboxer/sandboxer_sandbox.h | 8 ++--
+ 2 files changed, 26 insertions(+), 28 deletions(-)
+
+diff --git a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc
+index e26b87c8..fc44f94a 100644
+--- a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc
++++ b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.cc
+@@ -73,7 +73,6 @@ auto SandboxerSandbox::ReadSandboxTasksJson() -> sandbox_tasks *
+ __isula_auto_free parser_error err = nullptr;
+ sandbox_tasks *tasksArray = nullptr;
+
+- ReadGuard lock(m_tasksMutex);
+ tasksArray = sandbox_tasks_parse_file(path.c_str(), nullptr, &err);
+ if (tasksArray == nullptr) {
+ WARN("Failed to read %s tasks json: %s", path.c_str(), err);
+@@ -86,7 +85,6 @@ auto SandboxerSandbox::WriteSandboxTasksJson(std::string &tasks_json) -> bool
+ int nret = 0;
+ const std::string path = GetTasksJsonPath();
+
+- WriteGuard lock(m_tasksMutex);
+ nret = util_atomic_write_file(path.c_str(), tasks_json.c_str(), tasks_json.size(), CONFIG_FILE_MODE, false);
+ if (nret != 0) {
+ SYSERROR("Failed to write file %s", path.c_str());
+@@ -99,7 +97,6 @@ auto SandboxerSandbox::DeleteSandboxTasksJson() -> bool
+ int get_err = 0;
+ const std::string path = GetTasksJsonPath();
+
+- WriteGuard lock(m_tasksMutex);
+ if (util_fileself_exists(path.c_str()) &&
+ !util_force_remove_file(path.c_str(), &get_err)) {
+ errno = get_err;
+@@ -114,7 +111,6 @@ void SandboxerSandbox::AddSandboxTasksByArray(sandbox_tasks *tasksArray)
+ {
+ size_t i;
+
+- WriteGuard lock(m_tasksMutex);
+ for (i = 0; i < tasksArray->tasks_len; i++) {
+ if (!AddTaskById(tasksArray->tasks[i]->task_id,
tasksArray->tasks[i])) {
+ return;
+@@ -128,6 +124,8 @@ void SandboxerSandbox::LoadSandboxTasks()
+ {
+ sandbox_tasks *tasksArray = nullptr;
+
++ std::lock_guard lockGuard(m_tasksMutex);
++
+ tasksArray = ReadSandboxTasksJson();
+ if (tasksArray == nullptr) {
+ return;
+@@ -164,8 +162,6 @@ auto SandboxerSandbox::AddSandboxTasks(sandbox_task *task) -> bool
+ return false;
+ }
+
+- WriteGuard lock(m_tasksMutex);
+-
+ return AddTaskById(task->task_id, task);
+ }
+
+@@ -181,19 +177,8 @@ auto SandboxerSandbox::GetAnySandboxTasks() -> std::string
+ SYSERROR("Out of memory.");
+ return std::string("");
+ }
+-
+- ReadGuard lock(m_tasksMutex);
++
+ for (auto const& [_, val] : m_tasks) {
+- /*
+- * We ignore that the processes are modified
+- * when we generate tasks json string.
+- * Because no matter whether a process is deleted or added,
+- * the Update of sandbox api will be called eventually.
+- *
+- * And we ignore that the task is freed after we do GetTask().
+- * Because the only way to free task is DeleteSandboxTasks()
+- * which needs write lock of m_tasksMutex.
+- */
+ tasksArray.tasks[i] = val->GetTask();
+ i++;
+ }
+@@ -218,7 +203,6 @@ void SandboxerSandbox::DeleteSandboxTasks(const char *containerId)
+
+ std::string taskId = std::string(containerId);
+
+- WriteGuard lock(m_tasksMutex);
+ auto iter = m_tasks.find(taskId);
+ if (iter == m_tasks.end()) {
+ return;
+@@ -235,7 +219,6 @@ auto SandboxerSandbox::AddSandboxTasksProcess(const char *containerId, sandbox_p
+
+ std::string taskId = std::string(containerId);
+
+- ReadGuard lock(m_tasksMutex);
+ auto iter = m_tasks.find(taskId);
+ if (iter == m_tasks.end()) {
+ SYSERROR("Failed to find container %s", containerId);
+@@ -253,7 +236,6 @@ void SandboxerSandbox::DeleteSandboxTasksProcess(const char *containerId, const
+
+ std::string taskId = std::string(containerId);
+
+- ReadGuard lock(m_tasksMutex);
+ auto iter = m_tasks.find(taskId);
+ if (iter == m_tasks.end()) {
+ return;
+@@ -481,6 +463,7 @@ auto SandboxerSandbox::PrepareContainer(const char *containerId, const char *bas
+ sandbox_sandbox *apiSandbox = nullptr;
+
+ INFO("Prepare container for sandbox");
++ std::lock_guard lockGuard(m_tasksMutex);
+
+ if (nullptr == consoleFifos) {
+ ERROR("Invlaid parameter: consoleFifos");
+@@ -529,7 +512,7 @@ auto SandboxerSandbox::PrepareContainer(const char *containerId, const char *bas
+ }
+ if (!SaveSandboxTasks()) {
+ ERROR("Failed to Save %s sandbox tasks.", containerId);
+- (void)PurgeContainer(containerId);
++ (void)DoPurgeContainer(containerId);
+ return -1;
+ }
+ return 0;
+@@ -546,6 +529,7 @@ auto SandboxerSandbox::PrepareExec(const char *containerId, const char *execId,
+ sandbox_sandbox *apiSandbox = nullptr;
+
+ INFO("Prepare exec for container in sandbox");
++ std::lock_guard lockGuard(m_tasksMutex);
+
+ if (nullptr == consoleFifos) {
+ ERROR("Invlaid parameter: consoleFifos");
+@@ -590,7 +574,7 @@ auto SandboxerSandbox::PrepareExec(const char *containerId, const char *execId,
+ }
+ if (!SaveSandboxTasks()) {
+ ERROR("Failed to Save %s sandbox tasks.",
containerId);
+- (void)PurgeExec(containerId, execId);
++ (void)DoPurgeExec(containerId, execId);
+ return -1;
+ }
+ return 0;
+@@ -600,7 +584,7 @@ del_out:
+ return -1;
+ }
+
+-auto SandboxerSandbox::PurgeContainer(const char *containerId) -> int
++auto SandboxerSandbox::DoPurgeContainer(const char *containerId) -> int
+ {
+ sandbox_sandbox *apiSandbox = nullptr;
+
+@@ -630,7 +614,13 @@ auto SandboxerSandbox::PurgeContainer(const char *containerId) -> int
+ return 0;
+ }
+
+-auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) -> int
++auto SandboxerSandbox::PurgeContainer(const char *containerId) -> int
++{
++ std::lock_guard lockGuard(m_tasksMutex);
++ return DoPurgeContainer(containerId);
++}
++
++auto SandboxerSandbox::DoPurgeExec(const char *containerId, const char *execId) -> int
+ {
+ sandbox_sandbox *apiSandbox = nullptr;
+
+@@ -660,4 +650,10 @@ auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) ->
+ return 0;
+ }
+
++auto SandboxerSandbox::PurgeExec(const char *containerId, const char *execId) -> int
++{
++ std::lock_guard lockGuard(m_tasksMutex);
++ return DoPurgeExec(containerId, execId);
++}
++
+ }
+\ No newline at end of file
+diff --git a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h
+index 37a96cd6..1f3bc186 100644
+--- a/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h
++++ b/src/daemon/sandbox/sandboxer/sandboxer_sandbox.h
+@@ -20,7 +20,6 @@
+ #include
+ #include
+
+-#include "read_write_lock.h"
+ #include "sandbox_task.h"
+ #include "sandbox.h"
+
+@@ -45,6 +44,9 @@ public:
+ auto PurgeExec(const char *containerId, const char *execId) -> int override;
+
+ private:
++ auto DoPurgeContainer(const char *containerId) -> int;
++ auto DoPurgeExec(const char *containerId, const char *execId) -> int;
++
+ auto GetTasksJsonPath() -> std::string;
+ auto SaveSandboxTasks() -> bool;
+ auto AddSandboxTasks(sandbox_task *task) -> bool;
+@@ -67,8 +69,8 @@
private:
+ auto DoSandboxUpdate(sandbox_sandbox *apiSandbox) -> int;
+
+ private:
+- // use m_tasksMutex to ensure the correctness of the tasks
+- RWMutex m_tasksMutex;
++ // use m_tasksMutex to ensure the correctness of the tasks and task json file when the external interface accesses them.
++ std::mutex m_tasksMutex;
+ // for sandbox api update, containerId --> tasks
+ std::map> m_tasks;
+ };
+--
+2.43.0
+
diff --git a/0202-bugfix-fix-cdi-hook-name-strcmp-error.patch b/0202-bugfix-fix-cdi-hook-name-strcmp-error.patch
new file mode 100644
index 0000000..c4d5218
--- /dev/null
+++ b/0202-bugfix-fix-cdi-hook-name-strcmp-error.patch
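Review bot: The header hunk replaces `RWMutex m_tasksMutex` with `std::mutex m_tasksMutex` and drops `#include "read_write_lock.h"`, but no `#include <mutex>` is visibly added; the two system includes above it lost their names in this rendering, so confirm one of them is `<mutex>` rather than relying on a transitive include. The locking model also moves from per-helper guards to a single `std::lock_guard` taken at the entry points `LoadSandboxTasks`, `PrepareContainer`, `PrepareExec`, `PurgeContainer` and `PurgeExec`, so every helper that lost its guard (`AddSandboxTasks`, `DeleteSandboxTasks`, `AddSandboxTasksProcess`, `DeleteSandboxTasksProcess`, `GetAnySandboxTasks`, and the Read/Write/DeleteSandboxTasksJson trio) is now unsynchronized on its own and any caller outside those five (the `DoSandboxUpdate` path is declared but not shown) needs to be audited. Because `std::lock_guard` is not re-entrant, code reached from a locked entry point must never call back into `PurgeContainer`/`PurgeExec`; the failure paths in `PrepareContainer`/`PrepareExec` were rerouted to `DoPurge*`, but the `del_out:` cleanup in `PrepareExec` lies outside the hunk and should be checked the same way. Documenting the discipline next to the new private declarations would prevent regressions, e.g. `// Callers must already hold m_tasksMutex; PurgeContainer/PurgeExec are the locking public wrappers.`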
@@ -0,0 +1,32 @@
+From d7689c4f36949d5b315de776a1bb32a4cde04584 Mon Sep 17 00:00:00 2001
+From: liuxu
+Date: Sun, 27 Apr 2025 16:52:19 +0800
+Subject: [PATCH] bugfix: fix cdi hook name strcmp error
+
+Signed-off-by: liuxu
+---
+ .../modules/device/cdi/behavior/cdi_container_edits.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/daemon/modules/device/cdi/behavior/cdi_container_edits.c b/src/daemon/modules/device/cdi/behavior/cdi_container_edits.c
+index d146f7e1..38842f3b 100644
+--- a/src/daemon/modules/device/cdi/behavior/cdi_container_edits.c
++++ b/src/daemon/modules/device/cdi/behavior/cdi_container_edits.c
+@@ -404,11 +404,11 @@ static int apply_cdi_hooks(cdi_container_edits *e, oci_runtime_spec *spec)
+
+ for (i = 0; i < e->hooks_len; i++) {
+ defs_hook *oci_hook = cdi_hook_to_oci(e->hooks[i]);
+- if (strcmp(e->hooks[i]->hook_name, PRESTART_HOOK)) {
++ if (strcmp(e->hooks[i]->hook_name, PRESTART_HOOK) == 0) {
+ ret = spec_add_prestart_hook(spec, oci_hook);
+- } else if (strcmp(e->hooks[i]->hook_name, POSTSTART_HOOK)) {
++ } else if (strcmp(e->hooks[i]->hook_name, POSTSTART_HOOK) == 0) {
+ ret = spec_add_poststart_hook(spec, oci_hook);
+- } else if (strcmp(e->hooks[i]->hook_name, POSTSTOP_HOOK)) {
++ } else if (strcmp(e->hooks[i]->hook_name, POSTSTOP_HOOK) == 0) {
+ ret = spec_add_poststop_hook(spec, oci_hook);
+ } else {
+ /*
+--
+2.43.0
+
diff --git a/iSulad.spec b/iSulad.spec
index c3bdf56..2c68b7b 100644
--- a/iSulad.spec
+++ b/iSulad.spec
@@ -1,5 +1,5 @@
 %global _version 2.1.5
-%global _release 21
+%global _release 22
 %global is_systemd 1
 %global enable_criv1 1
 %global enable_cdi 1
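Review bot: The corrected `== 0` comparisons now dispatch each CDI hook to the matching `spec_add_*` call, but `oci_hook`, produced by `cdi_hook_to_oci(e->hooks[i])` on the line above, is handed to those calls without a NULL check. If the converter can fail (allocation failure or an unrecognised hook), a guard such as `if (oci_hook == NULL) { ret = -1; break; }` — adapted to how `apply_cdi_hooks` already reports errors — belongs before the `strcmp` chain, unless `spec_add_*` is known to reject NULL itself. The converter, the `else` branch and the handling of `ret` inside the loop are outside the hunk, and `apply_cdi_hooks` both starts and ends outside it, so verify against those before deciding.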
@@ -221,6 +221,8 @@ Patch0197: 0197-coco-support-confidential-containers.patch
 Patch0198: 0198-isolate-isula-search-ut-in-registry_images_ut.patch
 Patch0199: 0199-move-sandbox-network_ready-from-metadata-to-state-fo.patch
 Patch0200: 0200-clean-sandbox-when-create-failed-to-be-consisent-wit.patch
+Patch0201: 0201-bugfix-SandboxAPI-heap-buffer-overflow-when-containe.patch
+Patch0202: 0202-bugfix-fix-cdi-hook-name-strcmp-error.patch
 
 %ifarch x86_64 aarch64
 Provides: libhttpclient.so()(64bit)
@@ -482,6 +484,12 @@ fi %endif %changelog +* Thu Sep 18 2025 dongyuzhen - 2.1.5-22 +- Type:enhancement +- CVE:NA +- SUG:NA +- DESC:sync patches from upstream + +* Tue Mar 18 2025 dongyuzhen - 2.1.5-21 +- Type:enhancement +- CVE:NA
-- 
Gitee
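Review bot: The new `Patch0201`/`Patch0202` entries are listed correctly, but the changelog entry added in the next hunk records this release as `- Type:enhancement` even though both synced patches are bug fixes and 0201 closes a heap-buffer-overflow triggered by concurrent container creation; `- Type:bugfix` would let downstream trackers classify the update for what it is. Also confirm that %prep picks the two new patches up automatically (`%autosetup -p1` or `%autopatch`); if the spec applies patches one by one, matching `%patch` lines are required, and the %prep section is not part of this diff.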