docker:fix missing lock in ensurelayer

(cherry picked from commit 7d79bc05c62531d7ffcc2caaf89c29e33440171e)

VERSION-vendor

@@ -1 +1 @@
-18.09.0.342
+18.09.0.344

docker.spec

@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 343
+Release: 344
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -225,6 +225,12 @@ fi
 %endif
 
 %changelog
+* Mon Dec 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-344
+- Type:CVE
+- CVE:CVE-2024-36621
+- SUG:NA
+- DESC:fix missing lock in ensurelayer
+
 * Sat Nov 23 2024 Funda Wang <fundawang@yeah.net> - 2:18.09.0-343
 - add requires for docker-proxy rather than installing it manually
 

git-commit

@@ -1 +1 @@
-26b8df427648c7fa5fef833419438cd4e9d3443b
+9da17b5107496bcb8d817baadfacf7b82a032262

patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch

@@ -0,0 +1,79 @@
+From 5aa1ff9afad56ef0cf4acd983ff441c8048c0ba3 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+---
+ .../builder-next/adapters/snapshot/layer.go   |  3 +++
+ .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/layer.go b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+index ffde5eec..13847d5a 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/layer.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+@@ -13,6 +13,9 @@ import (
+ )
+ 
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++	s.layerCreateLocker.Lock(key)
++	defer s.layerCreateLocker.Unlock(key)
++
+ 	if l, err := s.getLayer(key, true); err != nil {
+ 		return nil, err
+ 	} else if l != nil {
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+index c1388da7..2b1d33d7 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -11,6 +11,7 @@ import (
+ 	"github.com/containerd/containerd/snapshots"
+ 	"github.com/docker/docker/daemon/graphdriver"
+ 	"github.com/docker/docker/layer"
++	"github.com/docker/docker/pkg/locker"
+ 	"github.com/moby/buildkit/identity"
+ 	"github.com/moby/buildkit/snapshot"
+ 	digest "github.com/opencontainers/go-digest"
+@@ -43,10 +44,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ 	opt Opt
+ 
+-	refs map[string]layer.Layer
+-	db   *bolt.DB
+-	mu   sync.Mutex
+-	reg  graphIDRegistrar
++	refs              map[string]layer.Layer
++	db                *bolt.DB
++	mu                sync.Mutex
++	reg               graphIDRegistrar
++	layerCreateLocker *locker.Locker
+ }
+ 
+ var _ snapshot.SnapshotterBase = &snapshotter{}
+@@ -65,10 +67,11 @@ func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {
+ 	}
+ 
+ 	s := &snapshotter{
+-		opt:  opt,
+-		db:   db,
+-		refs: map[string]layer.Layer{},
+-		reg:  reg,
++		opt:               opt,
++		db:                db,
++		refs:              map[string]layer.Layer{},
++		reg:               reg,
++		layerCreateLocker: locker.New(),
+ 	}
+ 	return s, nil
+ }
+-- 
+2.33.0
+

series.conf

@@ -278,4 +278,5 @@ patch/0277-backport-fix-CVE-2024-41110.patch
 patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
 patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
 patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch
+patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch
 #end