[2.0] Upgrade cri-o to v1.22.3 to resolve regressed CVE-2022-0811 (#9191)

Co-authored-by: Henry Li <lihl@microsoft.com>

Author: henryli001

SPECS/cri-o/CVE-2021-3602.patch

@@ -1,82 +1,3 @@
-From 8716daa06e9eb421438b338f18b6b650b082b208 Mon Sep 17 00:00:00 2001
-From: Cameron Baird <cameronbaird@microsoft.com>
-Date: Tue, 16 Apr 2024 22:33:46 +0000
-Subject: [PATCH 4/4] CVE-2021-3602
-
----
- .../github.com/containers/buildah/chroot/run.go   | 15 +++++----------
- .../podman/v3/pkg/specgen/generate/security.go    |  7 +++++--
- 2 files changed, 10 insertions(+), 12 deletions(-)
-
-diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go
-index a93f97dcd..643f5c91d 100644
---- a/vendor/github.com/containers/buildah/chroot/run.go
-+++ b/vendor/github.com/containers/buildah/chroot/run.go
-@@ -160,7 +160,7 @@ func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reade
- 	cmd := unshare.Command(runUsingChrootCommand)
- 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
- 	cmd.Dir = "/"
--	cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
-+	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
- 
- 	logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
- 	confwg.Add(1)
-@@ -206,7 +206,7 @@ func runUsingChrootMain() {
- 		os.Exit(1)
- 	}
- 
--	if options.Spec == nil {
-+	if options.Spec == nil || options.Spec.Process == nil {
- 		fmt.Fprintf(os.Stderr, "invalid options spec in runUsingChrootMain\n")
- 		os.Exit(1)
- 	}
-@@ -572,7 +572,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
- 	cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
- 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
- 	cmd.Dir = "/"
--	cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
-+	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
- 	cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
- 	requestedUserNS := false
- 	for _, ns := range spec.Linux.Namespaces {
-@@ -662,7 +662,7 @@ func runUsingChrootExecMain() {
- 	// Set the hostname.  We're already in a distinct UTS namespace and are admins in the user
- 	// namespace which created it, so we shouldn't get a permissions error, but seccomp policy
- 	// might deny our attempt to call sethostname() anyway, so log a debug message for that.
--	if options.Spec == nil {
-+	if options.Spec == nil || options.Spec.Process == nil {
- 		fmt.Fprintf(os.Stderr, "invalid options spec passed in\n")
- 		os.Exit(1)
- 	}
-@@ -818,7 +818,6 @@ func runUsingChrootExecMain() {
- // Output debug messages when that differs from what we're being asked to do.
- func logNamespaceDiagnostics(spec *specs.Spec) {
- 	sawMountNS := false
--	sawUserNS := false
- 	sawUTSNS := false
- 	for _, ns := range spec.Linux.Namespaces {
- 		switch ns.Type {
-@@ -853,9 +852,8 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
- 			}
- 		case specs.UserNamespace:
- 			if ns.Path != "" {
--				logrus.Debugf("unable to join user namespace %q, creating a new one", ns.Path)
-+				logrus.Debugf("unable to join user namespace, sorry about that")
- 			}
--			sawUserNS = true
- 		case specs.UTSNamespace:
- 			if ns.Path != "" {
- 				logrus.Debugf("unable to join UTS namespace %q, creating a new one", ns.Path)
-@@ -866,9 +864,6 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
- 	if !sawMountNS {
- 		logrus.Debugf("mount namespace not requested, but creating a new one anyway")
- 	}
--	if !sawUserNS {
--		logrus.Debugf("user namespace not requested, but creating a new one anyway")
--	}
- 	if !sawUTSNS {
- 		logrus.Debugf("UTS namespace not requested, but creating a new one anyway")
- 	}
 diff --git a/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go b/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go
 index e0e4a47a4..3cda89a32 100644
 --- a/vendor/github.com/containers/podman/v3/pkg/specgen/generate/security.go

SPECS/cri-o/CVE-2021-44716.patch

@@ -1,17 +1,8 @@
-From deb00def7d110f1b4edbe5d03044a9d9f2516151 Mon Sep 17 00:00:00 2001
-From: Cameron Baird <cameronbaird@microsoft.com>
-Date: Wed, 17 Apr 2024 20:57:05 +0000
-Subject: [PATCH 2/2] CVE-2021-44716
-
----
- vendor/golang.org/x/net/http2/server.go | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
 diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
-index e125bbd2a..5f417b444 100644
+index 09bc705..23058b6 100644
 --- a/vendor/golang.org/x/net/http2/server.go
 +++ b/vendor/golang.org/x/net/http2/server.go
-@@ -720,7 +720,15 @@ func (sc *serverConn) canonicalHeader(v string) string {
+@@ -714,7 +714,15 @@ func (sc *serverConn) canonicalHeader(v string) string {
  		sc.canonHeader = make(map[string]string)
  	}
  	cv = http.CanonicalHeaderKey(v)
@@ -28,7 +19,7 @@ index e125bbd2a..5f417b444 100644
  	return cv
  }
 
-@@ -2530,8 +2538,9 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
+@@ -2524,8 +2532,9 @@ func (rws *responseWriterState) writeChunk(p []byte) (n int, err error) {
  // prior to the headers being written. If the set of trailers is fixed
  // or known before the header is written, the normal Go trailers mechanism
  // is preferred:
@@ -40,6 +31,3 @@ index e125bbd2a..5f417b444 100644
  const TrailerPrefix = "Trailer:"
 
  // promoteUndeclaredTrailers permits http.Handlers to set trailers
--- 
-2.33.8
-

SPECS/cri-o/CVE-2022-1708.patch

@@ -1,30 +1,5 @@
-Modified patch to apply to version 1.21.7.
-Modified-by: sumsharma@microsoft.com
-
-commit f032cf649ecc7e0c46718bd9e7814bfb317cb544 (from afab4b78d1d66fb5144ef003b20eba5e53833336)
-Merge: afab4b78d 79e404fa5
-Author: Peter Hunt <pehunt@redhat.com>
-Date:   Mon Jun 6 13:54:06 2022 -0400
-
-    Merge pull request from GHSA-fcm2-6c3h-pg6j
-    
-    oci: add support for capping memory and disk usage from exec sync output
----
- internal/config/conmonmgr/conmonmgr.go        |  32 +++++-
- internal/config/conmonmgr/conmonmgr_test.go   | 106 +++++++++++++++++-
- internal/oci/oci.go                           |   5 +
- internal/oci/runtime_oci.go                   |  19 +++-
- internal/oci/runtime_oci_test.go              |  39 +++++++
- internal/oci/runtime_vm.go                    |   5 +-
- pkg/config/config.go                          |   4 +
- test/ctr.bats                                 |   8 ++
- .../pkg/kubelet/util/ioutils/ioutils.go       |  70 ++++++++++++
- vendor/modules.txt                            |   1 +
- 10 files changed, 282 insertions(+), 7 deletions(-)
- create mode 100644 vendor/k8s.io/kubernetes/pkg/kubelet/util/ioutils/ioutils.go
-
 diff --git a/internal/config/conmonmgr/conmonmgr.go b/internal/config/conmonmgr/conmonmgr.go
-index 9aef7ef..5276039 100644
+index 857437c..e95e274 100644
 --- a/internal/config/conmonmgr/conmonmgr.go
 +++ b/internal/config/conmonmgr/conmonmgr.go
 @@ -1,6 +1,7 @@
@@ -212,7 +187,7 @@ index a097312..e804c62 100644
 +	})
  })
 diff --git a/internal/oci/oci.go b/internal/oci/oci.go
-index 478726d..d992e90 100644
+index 6c4efa9..89ecfb2 100644
 --- a/internal/oci/oci.go
 +++ b/internal/oci/oci.go
 @@ -35,6 +35,11 @@ const (
@@ -228,10 +203,10 @@ index 478726d..d992e90 100644
 
  // Runtime is the generic structure holding both global and specific
 diff --git a/internal/oci/runtime_oci.go b/internal/oci/runtime_oci.go
-index 4bf66ee..37f62c6 100644
+index 6295ff9..1ed9131 100644
 --- a/internal/oci/runtime_oci.go
 +++ b/internal/oci/runtime_oci.go
-@@ -458,6 +458,9 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman
+@@ -461,6 +461,9 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman
  	if r.config.ConmonSupportsSync() {
  		args = append(args, "--sync")
  	}
@@ -241,7 +216,7 @@ index 4bf66ee..37f62c6 100644
  	if c.terminal {
  		args = append(args, "-t")
  	}
-@@ -564,7 +567,7 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman
+@@ -567,7 +570,7 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman
  	// ExecSyncResponse we have to read the logfile.
  	// XXX: Currently runC dups the same console over both stdout and stderr,
  	//      so we can't differentiate between the two.
@@ -250,7 +225,7 @@ index 4bf66ee..37f62c6 100644
  	if err != nil {
  		return nil, &ExecSyncError{
  			Stdout:   stdoutBuf,
-@@ -583,6 +586,20 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman
+@@ -586,6 +589,20 @@ func (r *runtimeOCI) ExecSyncContainer(ctx context.Context, c *Container, comman
  	}, nil
  }
 
@@ -329,19 +304,19 @@ index 3385e30..90901e8 100644
 
  func waitContainerStopAndFailAfterTimeout(ctx context.Context,
 diff --git a/internal/oci/runtime_vm.go b/internal/oci/runtime_vm.go
-index 6f10cfc..be8a0fa 100644
+index 394b750..51465da 100644
 --- a/internal/oci/runtime_vm.go
 +++ b/internal/oci/runtime_vm.go
-@@ -33,6 +33,7 @@ import (
+@@ -36,6 +36,7 @@ import (
  	"golang.org/x/sys/unix"
  	"k8s.io/client-go/tools/remotecommand"
  	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 +	kioutil "k8s.io/kubernetes/pkg/kubelet/util/ioutils"
  	utilexec "k8s.io/utils/exec"
  )
 
-@@ -309,8 +310,8 @@ func (r *runtimeVM) ExecSyncContainer(ctx context.Context, c *Container, command
- 	defer log.Debugf(ctx, "runtimeVM.ExecSyncContainer() end")
+@@ -339,8 +340,8 @@ func (r *runtimeVM) ExecSyncContainer(ctx context.Context, c *Container, command
+ 	defer log.Debugf(ctx, "RuntimeVM.ExecSyncContainer() end")
 
  	var stdoutBuf, stderrBuf bytes.Buffer
 -	stdout := cioutil.NewNopWriteCloser(&stdoutBuf)
@@ -352,10 +327,10 @@ index 6f10cfc..be8a0fa 100644
  	exitCode, err := r.execContainerCommon(ctx, c, command, timeout, nil, stdout, stderr, c.terminal, nil)
  	if err != nil {
 diff --git a/pkg/config/config.go b/pkg/config/config.go
-index 25c51e2..606c7a9 100644
+index 7a75ff8..591623a 100644
 --- a/pkg/config/config.go
 +++ b/pkg/config/config.go
-@@ -1011,6 +1011,10 @@ func (c *RuntimeConfig) ConmonSupportsSync() bool {
+@@ -1065,6 +1065,10 @@ func (c *RuntimeConfig) ConmonSupportsSync() bool {
  	return c.conmonManager.SupportsSync()
  }
 
@@ -367,7 +342,7 @@ index 25c51e2..606c7a9 100644
  	var err error
  	c.PinnsPath, err = validateExecutablePath(executable, c.PinnsPath)
 diff --git a/test/ctr.bats b/test/ctr.bats
-index 31cf6c7..a9f9393 100644
+index 3e7577d..ea7b635 100644
 --- a/test/ctr.bats
 +++ b/test/ctr.bats
 @@ -487,6 +487,14 @@ function check_oci_annotation() {
@@ -385,93 +360,15 @@ index 31cf6c7..a9f9393 100644
  @test "ctr device add" {
  	# In an user namespace we can only bind mount devices from the host, not mknod
  	# https://github.com/opencontainers/runc/blob/master/libcontainer/rootfs_linux.go#L480-L481
-diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/util/ioutils/ioutils.go b/vendor/k8s.io/kubernetes/pkg/kubelet/util/ioutils/ioutils.go
-new file mode 100644
-index 0000000..1b2b5a6
---- /dev/null
-+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/util/ioutils/ioutils.go
-@@ -0,0 +1,70 @@
-+/*
-+Copyright 2016 The Kubernetes Authors.
-+
-+Licensed under the Apache License, Version 2.0 (the "License");
-+you may not use this file except in compliance with the License.
-+You may obtain a copy of the License at
-+
-+    http://www.apache.org/licenses/LICENSE-2.0
-+
-+Unless required by applicable law or agreed to in writing, software
-+distributed under the License is distributed on an "AS IS" BASIS,
-+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+See the License for the specific language governing permissions and
-+limitations under the License.
-+*/
-+
-+package ioutils
-+
-+import "io"
-+
-+// writeCloserWrapper represents a WriteCloser whose closer operation is noop.
-+type writeCloserWrapper struct {
-+	Writer io.Writer
-+}
-+
-+func (w *writeCloserWrapper) Write(buf []byte) (int, error) {
-+	return w.Writer.Write(buf)
-+}
-+
-+func (w *writeCloserWrapper) Close() error {
-+	return nil
-+}
-+
-+// WriteCloserWrapper returns a writeCloserWrapper.
-+func WriteCloserWrapper(w io.Writer) io.WriteCloser {
-+	return &writeCloserWrapper{w}
-+}
-+
-+// LimitWriter is a copy of the standard library ioutils.LimitReader,
-+// applied to the writer interface.
-+// LimitWriter returns a Writer that writes to w
-+// but stops with EOF after n bytes.
-+// The underlying implementation is a *LimitedWriter.
-+func LimitWriter(w io.Writer, n int64) io.Writer { return &LimitedWriter{w, n} }
-+
-+// A LimitedWriter writes to W but limits the amount of
-+// data returned to just N bytes. Each call to Write
-+// updates N to reflect the new amount remaining.
-+// Write returns EOF when N <= 0 or when the underlying W returns EOF.
-+type LimitedWriter struct {
-+	W io.Writer // underlying writer
-+	N int64     // max bytes remaining
-+}
-+
-+func (l *LimitedWriter) Write(p []byte) (n int, err error) {
-+	if l.N <= 0 {
-+		return 0, io.ErrShortWrite
-+	}
-+	truncated := false
-+	if int64(len(p)) > l.N {
-+		p = p[0:l.N]
-+		truncated = true
-+	}
-+	n, err = l.W.Write(p)
-+	l.N -= int64(n)
-+	if err == nil && truncated {
-+		err = io.ErrShortWrite
-+	}
-+	return
-+}
 diff --git a/vendor/modules.txt b/vendor/modules.txt
-index 030e1d1..d911968 100644
+index 6f8a08b..1899c90 100644
 --- a/vendor/modules.txt
 +++ b/vendor/modules.txt
-@@ -1373,6 +1373,7 @@ k8s.io/kubernetes/pkg/kubelet/cri/streaming
+@@ -1517,6 +1517,7 @@ k8s.io/kubernetes/pkg/kubelet/cri/streaming
  k8s.io/kubernetes/pkg/kubelet/cri/streaming/portforward
  k8s.io/kubernetes/pkg/kubelet/cri/streaming/remotecommand
  k8s.io/kubernetes/pkg/kubelet/types
 +k8s.io/kubernetes/pkg/kubelet/util/ioutils
  k8s.io/kubernetes/pkg/proxy
  k8s.io/kubernetes/pkg/proxy/config
  k8s.io/kubernetes/pkg/proxy/healthcheck
--- 
-2.25.1

SPECS/cri-o/CVE-2022-27651.patch

@@ -1,18 +1,8 @@
-From a3b181b667b8bd408c036e94f2b2f61295610ed6 Mon Sep 17 00:00:00 2001
-From: Cameron Baird <cameronbaird@microsoft.com>
-Date: Tue, 16 Apr 2024 22:27:00 +0000
-Subject: [PATCH 3/4] CVE-2022-27651
-
----
- vendor/github.com/containers/buildah/chroot/run.go | 2 +-
- vendor/github.com/containers/buildah/run_linux.go  | 6 ------
- 2 files changed, 1 insertion(+), 7 deletions(-)
-
 diff --git a/vendor/github.com/containers/buildah/chroot/run.go b/vendor/github.com/containers/buildah/chroot/run.go
-index 39ad88b2b..a93f97dcd 100644
+index 5910035..e533e2f 100644
 --- a/vendor/github.com/containers/buildah/chroot/run.go
 +++ b/vendor/github.com/containers/buildah/chroot/run.go
-@@ -898,7 +898,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
+@@ -894,7 +894,7 @@ func setCapabilities(spec *specs.Spec, keepCaps ...string) error {
  	capMap := map[capability.CapType][]string{
  		capability.BOUNDING:    spec.Process.Capabilities.Bounding,
  		capability.EFFECTIVE:   spec.Process.Capabilities.Effective,
@@ -22,10 +12,10 @@ index 39ad88b2b..a93f97dcd 100644
  		capability.AMBIENT:     spec.Process.Capabilities.Ambient,
  	}
 diff --git a/vendor/github.com/containers/buildah/run_linux.go b/vendor/github.com/containers/buildah/run_linux.go
-index ffbb36b7b..1d0646612 100644
+index 81af8ee..f82c52f 100644
 --- a/vendor/github.com/containers/buildah/run_linux.go
 +++ b/vendor/github.com/containers/buildah/run_linux.go
-@@ -1850,9 +1850,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
+@@ -1898,9 +1898,6 @@ func setupCapAdd(g *generate.Generator, caps ...string) error {
  		if err := g.AddProcessCapabilityEffective(cap); err != nil {
  			return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
  		}
@@ -35,7 +25,7 @@ index ffbb36b7b..1d0646612 100644
  		if err := g.AddProcessCapabilityPermitted(cap); err != nil {
  			return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
  		}
-@@ -1871,9 +1868,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
+@@ -1919,9 +1916,6 @@ func setupCapDrop(g *generate.Generator, caps ...string) error {
  		if err := g.DropProcessCapabilityEffective(cap); err != nil {
  			return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
  		}
@@ -45,6 +35,3 @@ index ffbb36b7b..1d0646612 100644
  		if err := g.DropProcessCapabilityPermitted(cap); err != nil {
  			return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
  		}
--- 
-2.33.8
-