[AUTO-CHERRYPICK] Patched moby-engine CVEs: 2024-23651 and 2024-23652. - branch main (#7854)

CBL-Mariner-Bot · PawelWMS · web-flow · commit 3e816269455d · 2024-02-12T23:39:23.000-08:00
Co-authored-by: Pawel Winogrodzki &lt;pawelwi@microsoft.com&gt;
diff --git a/SPECS/moby-engine/CVE-2024-23651.patch b/SPECS/moby-engine/CVE-2024-23651.patch
@@ -0,0 +1,220 @@
+diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec.go b/vendor/github.com/moby/buildkit/executor/oci/spec.go
+index 8000310..0eb5d49 100644
+--- a/vendor/github.com/moby/buildkit/executor/oci/spec.go
++++ b/vendor/github.com/moby/buildkit/executor/oci/spec.go
+@@ -2,7 +2,9 @@ package oci
+ 
+ import (
+ 	"context"
++	"os"
+ 	"path"
++	"strconv"
+ 	"sync"
+ 
+ 	"github.com/containerd/containerd/containers"
+@@ -18,6 +20,7 @@ import (
+ 	specs "github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/opencontainers/selinux/go-selinux"
+ 	"github.com/pkg/errors"
++	"golang.org/x/sys/unix"
+ )
+ 
+ // ProcessMode configures PID namespaces
+@@ -145,6 +148,7 @@ func GenerateSpec(ctx context.Context, meta executor.Meta, mounts []executor.Mou
+ type mountRef struct {
+ 	mount   mount.Mount
+ 	unmount func() error
++	subRefs map[string]mountRef
+ }
+ 
+ type submounts struct {
+@@ -163,10 +167,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error)
+ 		return mount.Mount{}, nil
+ 	}
+ 	if mr, ok := s.m[h]; ok {
+-		sm, err := sub(mr.mount, subPath)
++		if sm, ok := mr.subRefs[subPath]; ok {
++			return sm.mount, nil
++		}
++		sm, unmount, err := sub(mr.mount, subPath)
+ 		if err != nil {
+ 			return mount.Mount{}, nil
+ 		}
++		mr.subRefs[subPath] = mountRef{
++			mount:   sm,
++			unmount: unmount,
++		}
+ 		return sm, nil
+ 	}
+ 
+@@ -191,12 +202,17 @@ func (s *submounts) subMount(m mount.Mount, subPath string) (mount.Mount, error)
+ 			Options: opts,
+ 		},
+ 		unmount: lm.Unmount,
++		subRefs: map[string]mountRef{},
+ 	}
+ 
+-	sm, err := sub(s.m[h].mount, subPath)
++	sm, unmount, err := sub(s.m[h].mount, subPath)
+ 	if err != nil {
+ 		return mount.Mount{}, err
+ 	}
++	s.m[h].subRefs[subPath] = mountRef{
++		mount:   sm,
++		unmount: unmount,
++	}
+ 	return sm, nil
+ }
+ 
+@@ -206,6 +222,9 @@ func (s *submounts) cleanup() {
+ 	for _, m := range s.m {
+ 		func(m mountRef) {
+ 			go func() {
++				for _, sm := range m.subRefs {
++					sm.unmount()
++				}
+ 				m.unmount()
+ 				wg.Done()
+ 			}()
+@@ -214,15 +233,6 @@ func (s *submounts) cleanup() {
+ 	wg.Wait()
+ }
+ 
+-func sub(m mount.Mount, subPath string) (mount.Mount, error) {
+-	src, err := fs.RootPath(m.Source, subPath)
+-	if err != nil {
+-		return mount.Mount{}, err
+-	}
+-	m.Source = src
+-	return m, nil
+-}
+-
+ func specMapping(s []idtools.IDMap) []specs.LinuxIDMapping {
+ 	var ids []specs.LinuxIDMapping
+ 	for _, item := range s {
+@@ -234,3 +244,45 @@ func specMapping(s []idtools.IDMap) []specs.LinuxIDMapping {
+ 	}
+ 	return ids
+ }
++
++func sub(m mount.Mount, subPath string) (mount.Mount, func() error, error) {
++	var retries = 10
++	root := m.Source
++	for {
++		src, err := fs.RootPath(root, subPath)
++		if err != nil {
++			return mount.Mount{}, nil, err
++		}
++		// similar to runc.WithProcfd
++		fh, err := os.OpenFile(src, unix.O_PATH|unix.O_CLOEXEC, 0)
++		if err != nil {
++			return mount.Mount{}, nil, err
++		}
++
++		fdPath := "/proc/self/fd/" + strconv.Itoa(int(fh.Fd()))
++		if resolved, err := os.Readlink(fdPath); err != nil {
++			fh.Close()
++			return mount.Mount{}, nil, err
++		} else if resolved != src {
++			retries--
++			if retries <= 0 {
++				fh.Close()
++				return mount.Mount{}, nil, errors.Errorf("unable to safely resolve subpath %s", subPath)
++			}
++			fh.Close()
++			continue
++		}
++
++		m.Source = fdPath
++		lm := snapshot.LocalMounterWithMounts([]mount.Mount{m}, snapshot.ForceRemount())
++		mp, err := lm.Mount()
++		if err != nil {
++			fh.Close()
++			return mount.Mount{}, nil, err
++		}
++		m.Source = mp
++		fh.Close() // release the fd, we don't need it anymore
++
++		return m, lm.Unmount, nil
++	}
++}
+diff --git a/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go b/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go
+index 18f0019..d619a64 100644
+--- a/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go
++++ b/vendor/github.com/moby/buildkit/executor/oci/spec_windows.go
+@@ -4,7 +4,9 @@
+ package oci
+ 
+ import (
++	"github.com/containerd/containerd/mount"
+ 	"github.com/containerd/containerd/oci"
++	"github.com/containerd/continuity/fs"
+ 	"github.com/docker/docker/pkg/idtools"
+ 	"github.com/moby/buildkit/solver/pb"
+ 	"github.com/pkg/errors"
+@@ -36,3 +38,12 @@ func generateIDmapOpts(idmap *idtools.IdentityMapping) ([]oci.SpecOpts, error) {
+ 	}
+ 	return nil, errors.New("no support for IdentityMapping on Windows")
+ }
++
++func sub(m mount.Mount, subPath string) (mount.Mount, func() error, error) {
++	src, err := fs.RootPath(m.Source, subPath)
++	if err != nil {
++		return mount.Mount{}, nil, err
++	}
++	m.Source = src
++	return m, func() error { return nil }, nil
++}
+diff --git a/vendor/github.com/moby/buildkit/snapshot/localmounter.go b/vendor/github.com/moby/buildkit/snapshot/localmounter.go
+index 9ddb7c1..304eebc 100644
+--- a/vendor/github.com/moby/buildkit/snapshot/localmounter.go
++++ b/vendor/github.com/moby/buildkit/snapshot/localmounter.go
+@@ -11,22 +11,39 @@ type Mounter interface {
+ 	Unmount() error
+ }
+ 
++type LocalMounterOpt func(*localMounter)
++
+ // LocalMounter is a helper for mounting mountfactory to temporary path. In
+ // addition it can mount binds without privileges
+-func LocalMounter(mountable Mountable) Mounter {
+-	return &localMounter{mountable: mountable}
++func LocalMounter(mountable Mountable, opts ...LocalMounterOpt) Mounter {
++	lm := &localMounter{mountable: mountable}
++	for _, opt := range opts {
++		opt(lm)
++	}
++	return lm
+ }
+ 
+ // LocalMounterWithMounts is a helper for mounting to temporary path. In
+ // addition it can mount binds without privileges
+-func LocalMounterWithMounts(mounts []mount.Mount) Mounter {
+-	return &localMounter{mounts: mounts}
++func LocalMounterWithMounts(mounts []mount.Mount, opts ...LocalMounterOpt) Mounter {
++	lm := &localMounter{mounts: mounts}
++	for _, opt := range opts {
++		opt(lm)
++	}
++	return lm
+ }
+ 
+ type localMounter struct {
+-	mu        sync.Mutex
+-	mounts    []mount.Mount
+-	mountable Mountable
+-	target    string
+-	release   func() error
++	mu           sync.Mutex
++	mounts       []mount.Mount
++	mountable    Mountable
++	target       string
++	release      func() error
++	forceRemount bool
++}
++
++func ForceRemount() LocalMounterOpt {
++	return func(lm *localMounter) {
++		lm.forceRemount = true
++	}
+ }
diff --git a/SPECS/moby-engine/CVE-2024-23652.patch b/SPECS/moby-engine/CVE-2024-23652.patch
@@ -0,0 +1,36 @@
+diff --git a/vendor/github.com/moby/buildkit/executor/stubs.go b/vendor/github.com/moby/buildkit/executor/stubs.go
+index 2c13b13..db56236 100644
+--- a/vendor/github.com/moby/buildkit/executor/stubs.go
++++ b/vendor/github.com/moby/buildkit/executor/stubs.go
+@@ -4,6 +4,7 @@ import (
+ 	"errors"
+ 	"os"
+ 	"path/filepath"
++	"strings"
+ 	"syscall"
+ 
+ 	"github.com/containerd/continuity/fs"
+@@ -36,6 +37,11 @@ func MountStubsCleaner(dir string, mounts []Mount) func() {
+ 
+ 	return func() {
+ 		for _, p := range paths {
++			p, err := fs.RootPath(dir, strings.TrimPrefix(p, dir))
++			if err != nil {
++				continue
++			}
++
+ 			st, err := os.Lstat(p)
+ 			if err != nil {
+ 				continue
+@@ -43,6 +49,11 @@ func MountStubsCleaner(dir string, mounts []Mount) func() {
+ 			if st.Size() != 0 {
+ 				continue
+ 			}
++
++			parent := filepath.Dir(p)
++			if realPath, err := fs.RootPath(dir, strings.TrimPrefix(parent, dir)); err != nil || realPath != parent {
++				continue
++			}
+ 			os.Remove(p)
+ 		}
+ 	}
diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec
@@ -4,7 +4,7 @@
 Summary: The open-source application container engine
 Name:    %{upstream_name}-engine
 Version: 20.10.27
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: ASL 2.0
 Group:   Tools/Container
 URL: https://mobyproject.org
@@ -21,6 +21,12 @@ Source3: docker.service
 Source4: docker.socket
 Patch0:  CVE-2023-25153.patch
 Patch1:  CVE-2022-21698.patch
+# Backport of vendored "buildkit" v0.12.5 https://github.com/moby/buildkit/pull/4604 to 0.8.4-0.20221020190723-eeb7b65ab7d6 in this package.
+# Remove once we upgrade this package at least to version 25.0+.
+Patch2:  CVE-2024-23651.patch
+# Backport of vendored "buildkit" v0.12.5 https://github.com/moby/buildkit/pull/4603 to 0.8.4-0.20221020190723-eeb7b65ab7d6 in this package.
+# Remove once we upgrade this package at least to version 25.0+.
+Patch3:  CVE-2024-23652.patch
 
 %{?systemd_requires}
 
@@ -128,9 +134,12 @@ fi
 %{_unitdir}/*
 
 %changelog
-* Thu Feb 08 2024 Muhammad Falak <mwani@microsoft.com> - 20.10.27-3
+* Mon Feb 12 2024 Muhammad Falak <mwani@microsoft.com> - 20.10.27-4
 - Bump release to rebuild with go 1.21.6
 
+* Mon Feb 12 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 20.10.27-3
+- Fixing CVEs: 2024-23651 and 2024-23652.
+
 * Fri Feb 02 2024 Tobias Brick <tobiasb@microsoft.com> - 20.10.27-2
 - Patch CVE-2022-21698
 
