fix CVE-2021-25741

Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
2022-03-02 11:28:12 +08:00 · 2022-03-02 11:28:12 +08:00 · bad87b2db5
commit bad87b2db5
parent a1cee7934d
2 changed files with 173 additions and 1 deletions
--- a/0005-fix-CVE-2021-25741.patch
+++ b/0005-fix-CVE-2021-25741.patch
@ -0,0 +1,168 @@
+From e604f40bcc61048b69654a4f4daa593f6adf7ade Mon Sep 17 00:00:00 2001
+From: Mauricio Poppe <mauriciopoppe@google.com>
+Date: Thu, 5 Aug 2021 22:31:38 +0000
+Subject: [PATCH] Pass additional flags to subpath mount to avoid flakes in
+ certain conditions
+
+(cherry picked from commit 8995693db5824a50249760f6b8e686cc1a500bad)
+Signed-off-by: leizhongkai <leizhongkai@huawei.com>
+---
+ pkg/volume/util/subpath/subpath_linux.go        |  3 ++-
+ staging/src/k8s.io/mount-utils/fake_mounter.go  |  4 ++++
+ staging/src/k8s.io/mount-utils/mount.go         |  2 ++
+ staging/src/k8s.io/mount-utils/mount_linux.go   | 31 ++++++++++++++++---------
+ staging/src/k8s.io/mount-utils/mount_windows.go |  6 +++++
+ 5 files changed, 34 insertions(+), 12 deletions(-)
+
+diff --git a/pkg/volume/util/subpath/subpath_linux.go b/pkg/volume/util/subpath/subpath_linux.go
+index c04f0a7..0588f3a 100644
+--- a/pkg/volume/util/subpath/subpath_linux.go
+++ b/pkg/volume/util/subpath/subpath_linux.go
+@@ -209,8 +209,9 @@ func doBindSubPath(mounter mount.Interface, subpath Subpath) (hostPath string, e
+ 
+ 	// Do the bind mount
+ 	options := []string{"bind"}
+	mountFlags := []string{"--no-canonicalize"}
+ 	klog.V(5).Infof("bind mounting %q at %q", mountSource, bindPathTarget)
+-	if err = mounter.MountSensitiveWithoutSystemd(mountSource, bindPathTarget, "" /*fstype*/, options, nil); err != nil {
+	if err = mounter.MountSensitiveWithoutSystemdWithMountFlags(mountSource, bindPathTarget, "" /*fstype*/, options, nil /* sensitiveOptions */, mountFlags); err != nil {
+ 		return "", fmt.Errorf("error mounting %s: %s", subpath.Path, err)
+ 	}
+ 	success = true
+diff --git a/staging/src/k8s.io/mount-utils/fake_mounter.go b/staging/src/k8s.io/mount-utils/fake_mounter.go
+index 393ed04..55ea5e2 100644
+--- a/staging/src/k8s.io/mount-utils/fake_mounter.go
+++ b/staging/src/k8s.io/mount-utils/fake_mounter.go
+@@ -136,6 +136,10 @@ func (f *FakeMounter) MountSensitiveWithoutSystemd(source string, target string,
+ 	return f.MountSensitive(source, target, fstype, options, nil /* sensitiveOptions */)
+ }
+ 
+func (f *FakeMounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
+	return f.MountSensitive(source, target, fstype, options, nil /* sensitiveOptions */)
+}
+
+ // Unmount records the unmount event and updates the in-memory mount points for FakeMounter
+ func (f *FakeMounter) Unmount(target string) error {
+ 	f.mutex.Lock()
+diff --git a/staging/src/k8s.io/mount-utils/mount.go b/staging/src/k8s.io/mount-utils/mount.go
+index c78cf13..9e2d5d9 100644
+--- a/staging/src/k8s.io/mount-utils/mount.go
+++ b/staging/src/k8s.io/mount-utils/mount.go
+@@ -48,6 +48,8 @@ type Interface interface {
+ 	MountSensitive(source string, target string, fstype string, options []string, sensitiveOptions []string) error
+ 	// MountSensitiveWithoutSystemd is the same as MountSensitive() but this method disable using systemd mount.
+ 	MountSensitiveWithoutSystemd(source string, target string, fstype string, options []string, sensitiveOptions []string) error
+	// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd() with additional mount flags
+	MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error
+ 	// Unmount unmounts given target.
+ 	Unmount(target string) error
+ 	// List returns a list of all mounted filesystems.  This can be large.
+diff --git a/staging/src/k8s.io/mount-utils/mount_linux.go b/staging/src/k8s.io/mount-utils/mount_linux.go
+index 20993cf..e9daa56 100644
+--- a/staging/src/k8s.io/mount-utils/mount_linux.go
+++ b/staging/src/k8s.io/mount-utils/mount_linux.go
+@@ -83,11 +83,11 @@ func (mounter *Mounter) MountSensitive(source string, target string, fstype stri
+ 	mounterPath := ""
+ 	bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions)
+ 	if bind {
+-		err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, true)
+		err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, nil /* mountFlags */, true)
+ 		if err != nil {
+ 			return err
+ 		}
+-		return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, true)
+		return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, nil /* mountFlags */, true)
+ 	}
+ 	// The list of filesystems that require containerized mounter on GCI image cluster
+ 	fsTypesNeedMounter := map[string]struct{}{
+@@ -99,19 +99,24 @@ func (mounter *Mounter) MountSensitive(source string, target string, fstype stri
+ 	if _, ok := fsTypesNeedMounter[fstype]; ok {
+ 		mounterPath = mounter.mounterPath
+ 	}
+-	return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, true)
+	return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, nil /* mountFlags */, true)
+ }
+ 
+ // MountSensitiveWithoutSystemd is the same as MountSensitive() but disable using systemd mount.
+ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
+	return mounter.MountSensitiveWithoutSystemdWithMountFlags(source, target, fstype, options, sensitiveOptions, nil /* mountFlags */)
+}
+
+// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags.
+func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
+ 	mounterPath := ""
+ 	bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions)
+ 	if bind {
+-		err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, false)
+		err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, mountFlags, false)
+ 		if err != nil {
+ 			return err
+ 		}
+-		return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, false)
+		return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, mountFlags, false)
+ 	}
+ 	// The list of filesystems that require containerized mounter on GCI image cluster
+ 	fsTypesNeedMounter := map[string]struct{}{
+@@ -123,14 +128,14 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
+ 	if _, ok := fsTypesNeedMounter[fstype]; ok {
+ 		mounterPath = mounter.mounterPath
+ 	}
+-	return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, false)
+	return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, mountFlags, false)
+ }
+ 
+ // doMount runs the mount command. mounterPath is the path to mounter binary if containerized mounter is used.
+ // sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material)
+ // systemdMountRequired is an extension of option to decide whether uses systemd mount.
+-func (mounter *Mounter) doMount(mounterPath string, mountCmd string, source string, target string, fstype string, options []string, sensitiveOptions []string, systemdMountRequired bool) error {
+-	mountArgs, mountArgsLogStr := MakeMountArgsSensitive(source, target, fstype, options, sensitiveOptions)
+func (mounter *Mounter) doMount(mounterPath string, mountCmd string, source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string, systemdMountRequired bool) error {
+	mountArgs, mountArgsLogStr := MakeMountArgsSensitive(source, target, fstype, options, sensitiveOptions, mountFlags)
+ 	if len(mounterPath) > 0 {
+ 		mountArgs = append([]string{mountCmd}, mountArgs...)
+ 		mountArgsLogStr = mountCmd + " " + mountArgsLogStr
+@@ -206,17 +211,21 @@ func detectSystemd() bool {
+ // MakeMountArgs makes the arguments to the mount(8) command.
+ // options MUST not contain sensitive material (like passwords).
+ func MakeMountArgs(source, target, fstype string, options []string) (mountArgs []string) {
+-	mountArgs, _ = MakeMountArgsSensitive(source, target, fstype, options, nil /* sensitiveOptions */)
+	mountArgs, _ = MakeMountArgsSensitive(source, target, fstype, options, nil /* sensitiveOptions */, nil /* mountFlags */)
+ 	return mountArgs
+ }
+ 
+ // MakeMountArgsSensitive makes the arguments to the mount(8) command.
+ // sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material)
+-func MakeMountArgsSensitive(source, target, fstype string, options []string, sensitiveOptions []string) (mountArgs []string, mountArgsLogStr string) {
+func MakeMountArgsSensitive(source, target, fstype string, options []string, sensitiveOptions []string, mountFlags []string) (mountArgs []string, mountArgsLogStr string) {
+ 	// Build mount command as follows:
+-	//   mount [-t $fstype] [-o $options] [$source] $target
+	//   mount [--$mountFlags] [-t $fstype] [-o $options] [$source] $target
+ 	mountArgs = []string{}
+ 	mountArgsLogStr = ""
+
+	mountArgs = append(mountArgs, mountFlags...)
+	mountArgsLogStr += strings.Join(mountFlags, " ")
+
+ 	if len(fstype) > 0 {
+ 		mountArgs = append(mountArgs, "-t", fstype)
+ 		mountArgsLogStr += strings.Join(mountArgs, " ")
+diff --git a/staging/src/k8s.io/mount-utils/mount_windows.go b/staging/src/k8s.io/mount-utils/mount_windows.go
+index 358bcf5..92b42ca 100644
+--- a/staging/src/k8s.io/mount-utils/mount_windows.go
+++ b/staging/src/k8s.io/mount-utils/mount_windows.go
+@@ -64,6 +64,12 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
+ 	return mounter.MountSensitive(source, target, fstype, options, sensitiveOptions /* sensitiveOptions */)
+ }
+ 
+// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags
+// Windows not supported systemd mount, this function degrades to MountSensitive().
+func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
+	return mounter.MountSensitive(source, target, fstype, options, sensitiveOptions /* sensitiveOptions */)
+}
+
+ // MountSensitive is the same as Mount() but this method allows
+ // sensitiveOptions to be passed in a separate parameter from the normal
+ // mount options and ensures the sensitiveOptions are never logged. This
+-- 
+1.8.3.1
+
--- a/kubernetes.spec
+++ b/kubernetes.spec
@ -3,7 +3,7 @@

 Name:         kubernetes
 Version:      1.20.2
-Release:      6
+Release:      7
 Summary:      Container cluster management
 License:      ASL 2.0
 URL:          https://k8s.io/kubernetes
@ -28,6 +28,7 @@ Patch6000: 0001-kubelet-support-exec-websocket-protocol.patch
 Patch6001: 0002-fix-compile-options.patch
 Patch6002: 0003-fix-CVE-2021-25735.patch
 Patch6003: 0004-fix-CVE-2021-25737.patch
+Patch6004: 0005-fix-CVE-2021-25741.patch

 %description
 Container cluster management.
@ -259,6 +260,9 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy

 %changelog
+* Wed Mar 02 2022 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.20.2-7
+- DESC: fix CVE-2021-25741
+
 * Fri Sep 24 2021 leizhongkai<leizhongkai@huawei.com> - 1.20.2-6
 - DESC: fix CVE-2021-25735 and CVE-2021-25737