From 53c45a7abaea09e60e0175f192742c74d1be60e2 Mon Sep 17 00:00:00 2001
From: Vanient
Date: Thu, 31 Mar 2022 21:30:15 +0800
Subject: [PATCH] containerd:Use fs.RootPath when mounting volumes fix CVE-2022-23648 upstream:https://github.com/containerd/containerd/commit/3406af86394c2426ce7f55d5f52be2b79f456211
Signed-off-by: Vanient
---
 .../containerd/cri/pkg/containerd/opts/container.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
index 7647c373c..2ea49b594 100644
--- a/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
+++ b/vendor/github.com/containerd/cri/pkg/containerd/opts/container.go
@@ -20,7 +20,6 @@ import (
 "context"
 "io/ioutil"
 "os"
- "path/filepath"
 
 "github.com/containerd/containerd"
 "github.com/containerd/containerd/containers"
@@ -88,7 +87,10 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
 }()
 
 for host, volume := range volumeMounts {
- src := filepath.Join(root, volume)
+ src, err := fs.RootPath(root, volume)
+ if err != nil {
+ return errors.Wrapf(err, "rootpath on root %s, volume %s", root, volume)
+ }
 if _, err := os.Stat(src); err != nil {
 if os.IsNotExist(err) {
 // Skip copying directory if it does not exist.
--
2.27.0