containerd: bugfix and add CGO security build option

(cherry picked from commit eb136438cf63fae5754c31920a6bf8afaeded135)

containerd.spec

@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        303
+Release:        304
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@@ -52,6 +52,12 @@ install -p -m 755 bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
 %{_bindir}/containerd-shim
 
 %changelog
+* Thu Sep 22 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-304
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: bugfix and add CGO security build option
+
 * Mon Jul 4 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-303
 - Type:bugfix
 - ID:NA

git-commit

@@ -1 +1 @@
-1493659ef0808b8f3a5b920b0f0661833af2782e
+12d183fff48f375fac852537ae9677c0efa407ec

patch/0087-containerd-treat-manifest-provided-URLs-differently.patch

@@ -0,0 +1,65 @@
+From eb6ab2e84ab184321bd649b4def182f93e62b6df Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Mon, 24 Jan 2022 19:03:30 +0800
+Subject: [PATCH] [Backport]treat manifest provided URLs differently
+
+fix CVE-2020-15157
+
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/1ead8d9deb3b175bf40413b8c47b3d19c2262726
+https://github.com/containerd/containerd/commit/abbb17959f55bbb9b7eb37f965d7dad2f4ea8744
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ remotes/docker/fetcher.go | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/remotes/docker/fetcher.go b/remotes/docker/fetcher.go
+index 4a2ce3c39..00e7a47c6 100644
+--- a/remotes/docker/fetcher.go
++++ b/remotes/docker/fetcher.go
+@@ -56,6 +56,26 @@ func (r dockerFetcher) Fetch(ctx context.Context, desc ocispec.Descriptor) (io.R
+ 	}
+ 
+ 	return newHTTPReadSeeker(desc.Size, func(offset int64) (io.ReadCloser, error) {
++		if len(desc.URLs) > 0 {
++			db := *r.dockerBase
++			// Remove authorizer to avoid authentication when
++			// connecting to manifest provided URLs.
++			// Prevents https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
++			db.auth = nil
++			nr := dockerFetcher{
++				dockerBase: &db,
++			}
++			for _, u := range desc.URLs {
++				log.G(ctx).WithField("url", u).Debug("trying alternative url")
++				rc, err := nr.open(ctx, u, desc.MediaType, offset)
++				if err != nil {
++					log.G(ctx).WithField("error", err).Debug("error trying url")
++					continue // try one of the other urls.
++				}
++
++				return rc, nil
++			}
++		}
+ 		for _, u := range urls {
+ 			rc, err := r.open(ctx, u, desc.MediaType, offset)
+ 			if err != nil {
+@@ -142,14 +162,6 @@ func (r dockerFetcher) open(ctx context.Context, u, mediatype string, offset int
+ func (r *dockerFetcher) getV2URLPaths(ctx context.Context, desc ocispec.Descriptor) ([]string, error) {
+ 	var urls []string
+ 
+-	if len(desc.URLs) > 0 {
+-		// handle fetch via external urls.
+-		for _, u := range desc.URLs {
+-			log.G(ctx).WithField("url", u).Debug("adding alternative url")
+-			urls = append(urls, u)
+-		}
+-	}
+-
+ 	switch desc.MediaType {
+ 	case images.MediaTypeDockerSchema2Manifest, images.MediaTypeDockerSchema2ManifestList,
+ 		images.MediaTypeDockerSchema1Manifest,
+-- 
+2.27.0
+

patch/0088-containerd-Use-chmod-path-for-checking-symlink.patch

@@ -0,0 +1,30 @@
+From 90a3fd55136fb18641c8221792b013ee1dbc17f5 Mon Sep 17 00:00:00 2001
+From: xiadanni <xiadanni1@huawei.com>
+Date: Mon, 24 Jan 2022 19:15:14 +0800
+Subject: [PATCH] [Backport]Use chmod path for checking symlink
+
+fix CVE-2021-32760
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/03aa748c11663e87a72fab92b7ab7c88c28bf13e
+
+Signed-off-by: xiadanni <xiadanni1@huawei.com>
+---
+ archive/tar_unix.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/archive/tar_unix.go b/archive/tar_unix.go
+index 022dd6d4f..7f3857c7d 100644
+--- a/archive/tar_unix.go
++++ b/archive/tar_unix.go
+@@ -127,7 +127,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
+ 
+ func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
+ 	if hdr.Typeflag == tar.TypeLink {
+-		if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
++		if fi, err := os.Lstat(path); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
+ 			if err := os.Chmod(path, hdrInfo.Mode()); err != nil {
+ 				return err
+ 			}
+-- 
+2.27.0
+

patch/0089-containerd-Add-lock-for-ListPids.patch

@@ -0,0 +1,31 @@
+From 9a92dd95046003cd661f8cd76429b2e424907a2a Mon Sep 17 00:00:00 2001
+From: Vanient <xiadanni1@huawei.com>
+Date: Mon, 21 Mar 2022 06:57:02 +0800
+Subject: [PATCH] [Backport]containerd: Add lock for ListPids
+
+Add the missing locks in ListPids
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/fcf3b275fcd404ddf5fe75d5629d2168742ec0d3
+
+Signed-off-by: Vanient <xiadanni1@huawei.com>
+---
+ runtime/v1/shim/service.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/runtime/v1/shim/service.go b/runtime/v1/shim/service.go
+index 7d7327cd8..435f02e3c 100644
+--- a/runtime/v1/shim/service.go
++++ b/runtime/v1/shim/service.go
+@@ -434,6 +434,9 @@ func (s *Service) ListPids(ctx context.Context, r *shimapi.ListPidsRequest) (*sh
+ 		return nil, errdefs.ToGRPC(err)
+ 	}
+ 	var processes []*task.ProcessInfo
++
++	s.mu.Lock()
++	defer s.mu.Unlock()
+ 	for _, pid := range pids {
+ 		pInfo := task.ProcessInfo{
+ 			Pid: pid,
+-- 
+2.27.0
+

patch/0090-images-validate-document-type-before-unmarshal.patch

@@ -0,0 +1,117 @@
+From e3e70b398ff362182797e2d73372f8f654ba9383 Mon Sep 17 00:00:00 2001
+From: Vanient <xiadanni1@huawei.com>
+Date: Thu, 9 Jun 2022 10:45:47 +0800
+Subject: [PATCH 1/2] images: validate document type before unmarshal
+
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/eb9ba7ed8d46d48fb22362f9d91fff6fb837e37e
+
+Signed-off-by: Vanient <xiadanni1@huawei.com>
+---
+ images/image.go | 55 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 55 insertions(+)
+
+diff --git a/images/image.go b/images/image.go
+index f72684d82..ad12fe971 100644
+--- a/images/image.go
++++ b/images/image.go
+@@ -19,6 +19,7 @@ package images
+ import (
+ 	"context"
+ 	"encoding/json"
++	"fmt"
+ 	"sort"
+ 	"strings"
+ 	"time"
+@@ -154,6 +155,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
+ 				return nil, err
+ 			}
+ 
++			if err := validateMediaType(p, desc.MediaType); err != nil {
++				return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
++			}
++
+ 			var manifest ocispec.Manifest
+ 			if err := json.Unmarshal(p, &manifest); err != nil {
+ 				return nil, err
+@@ -194,6 +199,10 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc
+ 				return nil, err
+ 			}
+ 
++			if err := validateMediaType(p, desc.MediaType); err != nil {
++				return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest)
++			}
++
+ 			var idx ocispec.Index
+ 			if err := json.Unmarshal(p, &idx); err != nil {
+ 				return nil, err
+@@ -335,6 +344,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
+ 			return nil, err
+ 		}
+ 
++		if err := validateMediaType(p, desc.MediaType); err != nil {
++			return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
++		}
++
+ 		// TODO(stevvooe): We just assume oci manifest, for now. There may be
+ 		// subtle differences from the docker version.
+ 		var manifest ocispec.Manifest
+@@ -350,6 +363,10 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
+ 			return nil, err
+ 		}
+ 
++		if err := validateMediaType(p, desc.MediaType); err != nil {
++			return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest)
++		}
++
+ 		var index ocispec.Index
+ 		if err := json.Unmarshal(p, &index); err != nil {
+ 			return nil, err
+@@ -371,6 +388,44 @@ func Children(ctx context.Context, provider content.Provider, desc ocispec.Descr
+ 	return descs, nil
+ }
+ 
++// unknownDocument represents a manifest, manifest list, or index that has not
++// yet been validated.
++type unknownDocument struct {
++	MediaType string          `json:"mediaType,omitempty"`
++	Config    json.RawMessage `json:"config,omitempty"`
++	Layers    json.RawMessage `json:"layers,omitempty"`
++	Manifests json.RawMessage `json:"manifests,omitempty"`
++	FSLayers  json.RawMessage `json:"fsLayers,omitempty"` // schema 1
++}
++
++// validateMediaType returns an error if the byte slice is invalid JSON or if
++// the media type identifies the blob as one format but it contains elements of
++// another format.
++func validateMediaType(b []byte, mt string) error {
++	var doc unknownDocument
++	if err := json.Unmarshal(b, &doc); err != nil {
++		return err
++	}
++	if len(doc.FSLayers) != 0 {
++		return fmt.Errorf("media-type: schema 1 not supported")
++	}
++	switch mt {
++	case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest:
++		if len(doc.Manifests) != 0 ||
++			doc.MediaType == MediaTypeDockerSchema2ManifestList ||
++			doc.MediaType == ocispec.MediaTypeImageIndex {
++			return fmt.Errorf("media-type: expected manifest but found index (%s)", mt)
++		}
++	case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex:
++		if len(doc.Config) != 0 || len(doc.Layers) != 0 ||
++			doc.MediaType == MediaTypeDockerSchema2Manifest ||
++			doc.MediaType == ocispec.MediaTypeImageManifest {
++			return fmt.Errorf("media-type: expected index but found manifest (%s)", mt)
++		}
++	}
++	return nil
++}
++
+ // RootFS returns the unpacked diffids that make up and images rootfs.
+ //
+ // These are used to verify that a set of layers unpacked to the expected
+-- 
+2.27.0
+

patch/0091-schema1-reject-ambiguous-documents.patch

@@ -0,0 +1,43 @@
+From 7a294fa5d943401ed3cb9149f69f1d12f372c374 Mon Sep 17 00:00:00 2001
+From: Vanient <xiadanni1@huawei.com>
+Date: Thu, 9 Jun 2022 10:48:09 +0800
+Subject: [PATCH 2/2] schema1: reject ambiguous documents
+
+Conflict:NA
+Reference:https://github.com/containerd/containerd/commit/70c88f507579277ab7af23b06666e3b57d4b4f2d
+
+Signed-off-by: Vanient <xiadanni1@huawei.com>
+---
+ remotes/docker/schema1/converter.go | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/remotes/docker/schema1/converter.go b/remotes/docker/schema1/converter.go
+index 766c24a26..c618a33d5 100644
+--- a/remotes/docker/schema1/converter.go
++++ b/remotes/docker/schema1/converter.go
+@@ -250,6 +250,9 @@ func (c *Converter) fetchManifest(ctx context.Context, desc ocispec.Descriptor)
+ 	if err := json.Unmarshal(b, &m); err != nil {
+ 		return err
+ 	}
++	if len(m.Manifests) != 0 || len(m.Layers) != 0 {
++		return errors.New("converter: expected schema1 document but found extra keys")
++	}
+ 	c.pulledManifest = &m
+ 
+ 	return nil
+@@ -466,8 +469,10 @@ type history struct {
+ }
+ 
+ type manifest struct {
+-	FSLayers []fsLayer `json:"fsLayers"`
+-	History  []history `json:"history"`
++	FSLayers  []fsLayer       `json:"fsLayers"`
++	History   []history       `json:"history"`
++	Layers    json.RawMessage `json:"layers,omitempty"`    // OCI manifest
++	Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index
+ }
+ 
+ type v1History struct {
+-- 
+2.27.0
+

patch/0092-containerd-add-CGO-sercurity-build-options.patch

@@ -0,0 +1,38 @@
+From f7d5384097fde1e448649fcacde0dd05b7f2e967 Mon Sep 17 00:00:00 2001
+From: zjw <zhongjiawei1@huawei.com>
+Date: Mon, 20 Jun 2022 20:08:24 +0800
+Subject: [PATCH] containerd: containerd and containerd-shim add CGO security build options
+
+---
+ Makefile | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 49a90e6..2bc5dd5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -172,8 +172,8 @@ bin/%: cmd/% FORCE
+ 	mkdir -p $(BEP_DIR)
+ 	@echo "$(WHALE) $@${BINARY_SUFFIX}"
+ 	CGO_ENABLED=1 \
+-	CGO_CFLAGS="-fstack-protector-strong" \
+-	CGO_CPPFLAGS="-fstack-protector-strong" \
++	CGO_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CPPFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS}  ./$<
+@@ -181,8 +181,8 @@ bin/%: cmd/% FORCE
+ bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ 	@echo "$(WHALE) bin/containerd-shim"
+ 	CGO_ENABLED=1 \
+-	CGO_CFLAGS="-fstack-protector-strong -fPIE" \
+-	CGO_CPPFLAGS="-fstack-protector-strong -fPIE" \
++	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
+-- 
+2.30.0
+

series.conf

@@ -91,4 +91,10 @@ patch/0083-containerd-optimize-cgo-compile-options.patch
 patch/0084-containerd-Use-fs.RootPath-when-mounting-vo.patch
 patch/0085-containerd-put-get-pid-lock-after-set-process-exited-to-.patch
 patch/0086-containerd-Limit-the-response-size-of-ExecSync.patch
+patch/0087-containerd-treat-manifest-provided-URLs-differently.patch
+patch/0088-containerd-Use-chmod-path-for-checking-symlink.patch
+patch/0089-containerd-Add-lock-for-ListPids.patch
+patch/0090-images-validate-document-type-before-unmarshal.patch
+patch/0091-schema1-reject-ambiguous-documents.patch
+patch/0092-containerd-add-CGO-sercurity-build-options.patch
 # end