!42 [sync] PR-41: fix CVE-2022-31030

### 1. Origin pull request: https://gitee.com/src-openeuler/containerd/pulls/41 ### 2. Original pull request related issue(s): https://gitee.com/src-openeuler/containerd/issues/I5BLIU ### 3. Original pull request related commit(s): | Sha | Datetime | Message | |---|---|---| |[0436d058](0436d058b3)|2022-07-04 17:06:29 +0800 CST|containerd: Limit the response size of ExecSync<br><br>fix CVE-2022-31030<br><br>Signed-off-by: zhongjiawei <zhongjiawei1@huawei.com><br>| From: @openeuler-sync-bot Reviewed-by: @zhangsong234, @duguhaotian Signed-off-by: @duguhaotian
2022-07-04 11:17:25 +00:00 · 2022-07-04 11:17:25 +00:00 · 8f8cc81338
commit 8f8cc81338
parent df345ee071 8bbd2f34fd
4 changed files with 142 additions and 2 deletions
--- a/containerd.spec
+++ b/containerd.spec
@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        302
+Release:        303
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@ -52,6 +52,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
 %{_bindir}/containerd-shim
 %changelog
 * Mon Jul 4 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-303
 - Type:bugfix
 - ID:NA
 - SUG:NA
 - DESC: Limit the response size of ExecSync to fix CVE-2022-31030
 * Wed Jun 22 2022 zhangsong234<zhangsong34@huawei.com> - 1.2.0-302
 - Type:bugfix
 - ID:NA
--- a/2
+++ b/2
@ -1 +1 @@
-755bdc7a74588295ea632aa10da179cbcce8c64f
+1493659ef0808b8f3a5b920b0f0661833af2782e
--- a/patch/0086-containerd-Limit-the-response-size-of-ExecSync.patch
+++ b/patch/0086-containerd-Limit-the-response-size-of-ExecSync.patch
@ -0,0 +1,133 @@
 From cf3bde2b5a78d7ba8773eadcc3b28dfb0001aee0 Mon Sep 17 00:00:00 2001
 From: zhongjiawei <zhongjiawei1@huawei.com>
 Date: Mon, 4 Jul 2022 14:34:23 +0800
 Subject: [PATCH] containerd: Limit the response size of ExecSync
 fix CVE-2022-31030
 upstream:https://github.com/containerd/containerd/commit/c1bcabb4541930f643aa36a2b38655e131346382
 ---
 .../cri/pkg/server/container_execsync.go      | 45 ++++++++++++++++-
 .../cri/pkg/server/container_execsync_test.go | 49 +++++++++++++++++++
 2 files changed, 92 insertions(+), 2 deletions(-)
 create mode 100644 vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go
 diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
 index fd54120..1ef93e5 100644
 --- a/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
 +++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync.go
@@ -37,14 +37,55 @@ import (
 	"github.com/containerd/cri/pkg/util"
 )
 +type cappedWriter struct {
 +	w      io.WriteCloser
 +	remain int
 +}
 +
 +func (cw *cappedWriter) Write(p []byte) (int, error) {
 +	if cw.remain <= 0 {
 +		return len(p), nil
 +	}
 +
 +	end := cw.remain
 +	if end > len(p) {
 +		end = len(p)
 +	}
 +	written, err := cw.w.Write(p[0:end])
 +	cw.remain -= written
 +
 +	if err != nil {
 +		return written, err
 +	}
 +	return len(p), nil
 +}
 +
 +func (cw *cappedWriter) Close() error {
 +	return cw.w.Close()
 +}
 +
 +func (cw *cappedWriter) isFull() bool {
 +	return cw.remain <= 0
 +}
 +
 // ExecSync executes a command in the container, and returns the stdout output.
 // If command exits with a non-zero exit code, an error is returned.
 func (c *criService) ExecSync(ctx context.Context, r *runtime.ExecSyncRequest) (*runtime.ExecSyncResponse, error) {
 +	const maxStreamSize = 1024 * 1024 * 16
 +
 	var stdout, stderr bytes.Buffer
 +
 +	// cappedWriter truncates the output. In that case, the size of
 +	// the ExecSyncResponse will hit the CRI plugin's gRPC response limit.
 +	// Thus the callers outside of the containerd process (e.g. Kubelet) never see
 +	// the truncated output.
 +	cout := &cappedWriter{w: cioutil.NewNopWriteCloser(&stdout), remain: maxStreamSize}
 +	cerr := &cappedWriter{w: cioutil.NewNopWriteCloser(&stderr), remain: maxStreamSize}
 +
 	exitCode, err := c.execInContainer(ctx, r.GetContainerId(), execOptions{
 		cmd:     r.GetCmd(),
 -		stdout:  cioutil.NewNopWriteCloser(&stdout),
 -		stderr:  cioutil.NewNopWriteCloser(&stderr),
 +		stdout:  cout,
 +		stderr:  cerr,
 		timeout: time.Duration(r.GetTimeout()) * time.Second,
 	})
 	if err != nil {
 diff --git a/vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go b/vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go
 new file mode 100644
 index 0000000..c8641d0
 --- /dev/null
 +++ b/vendor/github.com/containerd/cri/pkg/server/container_execsync_test.go
@@ -0,0 +1,49 @@
 +/*
 +   Copyright The containerd Authors.
 +   Licensed under the Apache License, Version 2.0 (the "License");
 +   you may not use this file except in compliance with the License.
 +   You may obtain a copy of the License at
 +       http://www.apache.org/licenses/LICENSE-2.0
 +   Unless required by applicable law or agreed to in writing, software
 +   distributed under the License is distributed on an "AS IS" BASIS,
 +   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 +   See the License for the specific language governing permissions and
 +   limitations under the License.
 +*/
 +
 +package server
 +
 +import (
 +	"bytes"
 +	"testing"
 +
 +	cioutil "github.com/containerd/containerd/pkg/ioutil"
 +	"github.com/stretchr/testify/assert"
 +)
 +
 +func TestCWWrite(t *testing.T) {
 +	var buf bytes.Buffer
 +	cw := &cappedWriter{w: cioutil.NewNopWriteCloser(&buf), remain: 10}
 +
 +	n, err := cw.Write([]byte("hello"))
 +	assert.NoError(t, err)
 +	assert.Equal(t, 5, n)
 +
 +	n, err = cw.Write([]byte("helloworld"))
 +	assert.NoError(t, err, "no errors even it hits the cap")
 +	assert.Equal(t, 10, n, "no indication of partial write")
 +	assert.True(t, cw.isFull())
 +	assert.Equal(t, []byte("hellohello"), buf.Bytes(), "the underlying writer is capped")
 +
 +	_, err = cw.Write([]byte("world"))
 +	assert.NoError(t, err)
 +	assert.True(t, cw.isFull())
 +	assert.Equal(t, []byte("hellohello"), buf.Bytes(), "the underlying writer is capped")
 +}
 +
 +func TestCWClose(t *testing.T) {
 +	var buf bytes.Buffer
 +	cw := &cappedWriter{w: cioutil.NewNopWriteCloser(&buf), remain: 5}
 +	err := cw.Close()
 +	assert.NoError(t, err)
 +}
 -- 
 2.30.0
--- a/series.conf
+++ b/series.conf
@ -90,4 +90,5 @@ patch/0082-containerd-fix-publish-command-wait-block-for.patch
 patch/0083-containerd-optimize-cgo-compile-options.patch
 patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch
 patch/0085-containerd-put-get-pid-lock-after-set-process-exited-to-.patch
 patch/0086-containerd-Limit-the-response-size-of-ExecSync.patch
 # end
`@ -1 +1 @@`
	`755bdc7a74588295ea632aa10da179cbcce8c64f`	`1493659ef0808b8f3a5b920b0f0661833af2782e`