[AUTO-CHERRYPICK] Fix CVE-2024-21626 by patching vendored runc in kubernetes, kubevirt, cri-tools - branch main (#7903)

Co-authored-by: rikenm1 <rmaharjan@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/cri-tools/CVE-2024-21626.patch

@@ -0,0 +1,93 @@
+diff -urN b/cri-tools-1.28.0/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go a/cri-tools-1.28.0/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go
+--- cri-tools-1.28.0/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go	2023-08-11 06:45:27.000000000 -0700
++++ cri-tools-1.28.0/vendor/github.com/opencontainers/runc/libcontainer/utils/utils_unix.go	2024-02-13 15:41:56.671537200 -0800
+@@ -7,6 +7,7 @@
+ 	"fmt"
+ 	"os"
+ 	"strconv"
++	_ "unsafe" // for go:linkname
+ 
+ 	"golang.org/x/sys/unix"
+ )
+@@ -23,9 +24,11 @@
+ 	return nil
+ }
+ 
+-// CloseExecFrom applies O_CLOEXEC to all file descriptors currently open for
+-// the process (except for those below the given fd value).
+-func CloseExecFrom(minFd int) error {
++type fdFunc func(fd int)
++
++// fdRangeFrom calls the passed fdFunc for each file descriptor that is open in
++// the current process.
++func fdRangeFrom(minFd int, fn fdFunc) error {
+ 	fdDir, err := os.Open("/proc/self/fd")
+ 	if err != nil {
+ 		return err
+@@ -50,15 +53,60 @@
+ 		if fd < minFd {
+ 			continue
+ 		}
+-		// Intentionally ignore errors from unix.CloseOnExec -- the cases where
+-		// this might fail are basically file descriptors that have already
+-		// been closed (including and especially the one that was created when
+-		// os.ReadDir did the "opendir" syscall).
+-		unix.CloseOnExec(fd)
++		// Ignore the file descriptor we used for readdir, as it will be closed
++		// when we return.
++		if uintptr(fd) == fdDir.Fd() {
++			continue
++		}
++		// Run the closure.
++		fn(fd)
+ 	}
+ 	return nil
+ }
+ 
++// CloseExecFrom sets the O_CLOEXEC flag on all file descriptors greater or
++// equal to minFd in the current process.
++func CloseExecFrom(minFd int) error {
++	return fdRangeFrom(minFd, unix.CloseOnExec)
++}
++
++//go:linkname runtime_IsPollDescriptor internal/poll.IsPollDescriptor
++
++// In order to make sure we do not close the internal epoll descriptors the Go
++// runtime uses, we need to ensure that we skip descriptors that match
++// "internal/poll".IsPollDescriptor. Yes, this is a Go runtime internal thing,
++// unfortunately there's no other way to be sure we're only keeping the file
++// descriptors the Go runtime needs. Hopefully nothing blows up doing this...
++func runtime_IsPollDescriptor(fd uintptr) bool //nolint:revive
++
++// UnsafeCloseFrom closes all file descriptors greater or equal to minFd in the
++// current process, except for those critical to Go's runtime (such as the
++// netpoll management descriptors).
++//
++// NOTE: That this function is incredibly dangerous to use in most Go code, as
++// closing file descriptors from underneath *os.File handles can lead to very
++// bad behaviour (the closed file descriptor can be re-used and then any
++// *os.File operations would apply to the wrong file). This function is only
++// intended to be called from the last stage of runc init.
++func UnsafeCloseFrom(minFd int) error {
++	// We must not close some file descriptors.
++	return fdRangeFrom(minFd, func(fd int) {
++		if runtime_IsPollDescriptor(uintptr(fd)) {
++			// These are the Go runtimes internal netpoll file descriptors.
++			// These file descriptors are operated on deep in the Go scheduler,
++			// and closing those files from underneath Go can result in panics.
++			// There is no issue with keeping them because they are not
++			// executable and are not useful to an attacker anyway. Also we
++			// don't have any choice.
++			return
++		}
++		// There's nothing we can do about errors from close(2), and the
++		// only likely error to be seen is EBADF which indicates the fd was
++		// already closed (in which case, we got what we wanted).
++		_ = unix.Close(fd)
++	})
++}
++
+ // NewSockPair returns a new unix socket pair
+ func NewSockPair(name string) (parent *os.File, child *os.File, err error) {
+ 	fds, err := unix.Socketpair(unix.AF_LOCAL, unix.SOCK_STREAM|unix.SOCK_CLOEXEC, 0)
+Binary files b/v1.28.0.tar.gz and a/v1.28.0.tar.gz differ

SPECS/cri-tools/cri-tools.spec

@@ -7,13 +7,14 @@
 Summary:        CRI tools
 Name:           cri-tools
 Version:        1.28.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Tools
 URL:            https://github.com/kubernetes-sigs/cri-tools
 Source0:        https://github.com/kubernetes-sigs/cri-tools/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0:         CVE-2024-21626.patch
 BuildRequires:  glib-devel
 BuildRequires:  glibc-devel
 BuildRequires:  golang
@@ -44,9 +45,12 @@ install -p -m 755 -t %{buildroot}%{_bindir} "${BUILD_FOLDER}/critest"
 %{_bindir}/critest
 
 %changelog
-* Fri Feb 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.28.0-4
+* Thu Feb 15 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.28.0-5
 - Bump release to rebuild with go 1.21.6
 
+* Wed Feb 14 2024 Riken Maharjan <rmaharjan@microsoft.com> - 1.28.0-4
+- Patch runc for CVE-2024-21626
+
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.28.0-3
 - Bump release to rebuild with go 1.20.9