!368 docker：fix CVE-2024-36623

From: @zhong-jiawei-1 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234

VERSION-vendor

@@ -1 +1 @@
-18.09.0.266
+18.09.0.271

docker-engine-openeuler.spec

@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 266
+Release: 271
 Epoch: 1
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -199,6 +199,36 @@ fi
 %endif
 
 %changelog
+* Fri Dec 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1:18.09.0-271
+- Type:CVE
+- CVE:CVE-2024-36623
+- SUG:NA
+- DESC:fix CVE-2024-36623
+
+* Mon Dec 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1:18.09.0-270
+- Type:CVE
+- CVE:CVE-2024-36621
+- SUG:NA
+- DESC:fix missing lock in ensurelayer
+
+* Sat Aug 31 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1:18.09.0-269
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:try to reconnect when containerd grpc return unexpected EOF
+
+* Fri Aug 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1:18.09.0-268
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:add clone3 seccomp whitelist for arm64
+
+* Fri Jul 26 2024 zhongjiawei<zhongjiawei1@huawei.com> - 18.09.0-267
+- Type:CVE
+- CVE:CVE-2024-41110
+- SUG:NA
+- DESC:fix CVE-2024-41110
+
 * Mon Jul 15 2024 chenjiankun<chenjiankun1@huawei.com> - 18.09.0-266
 - Type:bugfix
 - CVE:NA

patch/0277-backport-fix-CVE-2024-41110.patch

@@ -0,0 +1,169 @@
+From fc274cd2ff4cf3b48c91697fb327dd1fb95588fb Mon Sep 17 00:00:00 2001
+From: Jameson Hyde <jameson.hyde@docker.com>
+Date: Mon, 26 Nov 2018 14:15:22 -0500
+Subject: [PATCH] Authz plugin security fixes for 0-length content and path
+ validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
+
+fix comments
+
+(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
+---
+ components/engine/pkg/authorization/authz.go  | 38 ++++++++++++--
+ .../pkg/authorization/authz_unix_test.go      | 49 +++++++++++++++++--
+ 2 files changed, 80 insertions(+), 7 deletions(-)
+
+diff --git a/components/engine/pkg/authorization/authz.go b/components/engine/pkg/authorization/authz.go
+index a1edbcd8..f63b8851 100644
+--- a/components/engine/pkg/authorization/authz.go
++++ b/components/engine/pkg/authorization/authz.go
+@@ -7,6 +7,8 @@ import (
+ 	"io"
+ 	"mime"
+ 	"net/http"
++	"net/url"
++	"regexp"
+ 	"strings"
+ 
+ 	"github.com/docker/docker/pkg/ioutils"
+@@ -52,10 +54,23 @@ type Ctx struct {
+ 	authReq *Request
+ }
+ 
++func isChunked(r *http.Request) bool {
++	//RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
++	if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
++		return true
++	}
++	for _, v := range r.TransferEncoding {
++		if 0 == strings.Compare(strings.ToLower(v), "chunked") {
++			return true
++		}
++	}
++	return false
++}
++
+ // AuthZRequest authorized the request to the docker daemon using authZ plugins
+ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
+ 	var body []byte
+-	if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
++	if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
+ 		var err error
+ 		body, r.Body, err = drainBody(r.Body)
+ 		if err != nil {
+@@ -108,7 +123,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
+ 	if sendBody(ctx.requestURI, rm.Header()) {
+ 		ctx.authReq.ResponseBody = rm.RawBody()
+ 	}
+-
+ 	for _, plugin := range ctx.plugins {
+ 		logrus.Debugf("AuthZ response using plugin %s", plugin.Name())
+ 
+@@ -146,10 +160,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
+ 	return nil, newBody, err
+ }
+ 
++func isAuthEndpoint(urlPath string) (bool, error) {
++	// eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
++	matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
++	if err != nil {
++		return false, err
++	}
++	return matched, nil
++}
++
+ // sendBody returns true when request/response body should be sent to AuthZPlugin
+-func sendBody(url string, header http.Header) bool {
++func sendBody(inURL string, header http.Header) bool {
++	u, err := url.Parse(inURL)
++	// Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
++	if err != nil {
++		return false
++	}
++
+ 	// Skip body for auth endpoint
+-	if strings.HasSuffix(url, "/auth") {
++	isAuth, err := isAuthEndpoint(u.Path)
++	if isAuth || err != nil {
+ 		return false
+ 	}
+ 
+diff --git a/components/engine/pkg/authorization/authz_unix_test.go b/components/engine/pkg/authorization/authz_unix_test.go
+index cfdb9a00..0fc51d32 100644
+--- a/components/engine/pkg/authorization/authz_unix_test.go
++++ b/components/engine/pkg/authorization/authz_unix_test.go
+@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
+ 
+ func TestSendBody(t *testing.T) {
+ 	var (
+-		url       = "nothing.com"
+ 		testcases = []struct {
++			url         string
+ 			contentType string
+ 			expected    bool
+ 		}{
+@@ -219,15 +219,58 @@ func TestSendBody(t *testing.T) {
+ 				contentType: "",
+ 				expected:    false,
+ 			},
++			{
++				url:         "nothing.com/auth",
++				contentType: "",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/auth?p1=test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/test?p1=/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
++			{
++				url:         "nothing.com/something/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
++			{
++				url:         "nothing.com/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/v1.24/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/v1/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
+ 		}
+ 	)
+ 
+ 	for _, testcase := range testcases {
+ 		header := http.Header{}
+ 		header.Set("Content-Type", testcase.contentType)
++		if testcase.url == "" {
++			testcase.url = "nothing.com"
++		}
+ 
+-		if b := sendBody(url, header); b != testcase.expected {
+-			t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
++		if b := sendBody(testcase.url, header); b != testcase.expected {
++			t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
+ 		}
+ 	}
+ }
+-- 
+2.33.0
+

patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch

@@ -0,0 +1,41 @@
+From c2bc614038532cfbd1db9bfe8ff3949b1867a5c5 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Fri, 2 Aug 2024 16:26:00 +0800
+Subject: [PATCH] docker:add clone3 seccomp whitelist for arm64
+
+---
+ components/engine/profiles/seccomp/seccomp_default.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
+index 2c670623..a90e441c 100644
+--- a/components/engine/profiles/seccomp/seccomp_default.go
++++ b/components/engine/profiles/seccomp/seccomp_default.go
+@@ -482,7 +482,6 @@ func DefaultProfile() *types.Seccomp {
+ 		{
+ 			Names: []string{
+ 				"modify_ldt",
+-				"clone3",
+ 			},
+ 			Action: types.ActAllow,
+ 			Args:   []*types.Arg{},
+@@ -490,6 +489,16 @@ func DefaultProfile() *types.Seccomp {
+ 				Arches: []string{"amd64", "x32", "x86"},
+ 			},
+ 		},
++		{
++                        Names: []string{
++				"clone3",
++                        },
++                        Action: types.ActAllow,
++                        Args:   []*types.Arg{},
++                        Includes: types.Filter{
++                                Arches: []string{"arm64", "amd64", "x32", "x86"},
++                        },
++                },
+ 		{
+ 			Names: []string{
+ 				"s390_pci_mmio_read",
+-- 
+2.33.0
+

patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch

@@ -0,0 +1,57 @@
+From 68ea83ecea0e38d084c0d15c9e99c0b4494b1f32 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Thu, 22 Aug 2024 20:22:43 +0800
+Subject: [PATCH] docker: try to reconnect when containerd grpc return
+ unexpected EOF
+
+---
+ .../engine/libcontainerd/client_daemon.go     | 26 ++++++++++++++-----
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/libcontainerd/client_daemon.go b/components/engine/libcontainerd/client_daemon.go
+index 09ce6e1f5..14f420ed8 100755
+--- a/components/engine/libcontainerd/client_daemon.go
++++ b/components/engine/libcontainerd/client_daemon.go
+@@ -38,9 +38,12 @@ import (
+ 	"google.golang.org/grpc/status"
+ )
+ 
+-// InitProcessName is the name given to the first process of a
+-// container
+-const InitProcessName = "init"
++const (
++	// InitProcessName is the name given to the first process of a container
++	InitProcessName = "init"
++	// RetryMax is the max num to connect containerd grpc
++	RetryMax = 10
++)
+ 
+ type container struct {
+ 	mu sync.Mutex
+@@ -167,9 +170,20 @@ func (c *client) Restore(ctx context.Context, id string, attachStdio StdioCallba
+ 		err = wrapError(err)
+ 	}()
+ 
+-	ctr, err := c.client.LoadContainer(ctx, id)
+-	if err != nil {
+-		return false, -1, errors.WithStack(wrapError(err))
++	var ctr containerd.Container
++	var err1 error
++	for retry := 1; retry <= RetryMax; retry++ {
++		ctr, err1 = c.client.LoadContainer(ctx, id)
++		if err1 == nil {
++			break
++		} else if strings.Contains(err1.Error(), "unexpected EOF") {
++			time.Sleep(time.Millisecond * 100)
++			continue
++		}
++		return false, -1, errors.WithStack(wrapError(err1))
++	}
++	if err1 != nil {
++		return false, -1, errors.Wrap(wrapError(err1), "reconnect load contianer failed")
+ 	}
+ 
+ 	attachIO := func(fifos *cio.FIFOSet) (cio.IO, error) {
+-- 
+2.33.0
+

patch/0281-backport-fix-CVE-2024-36621.patch

@@ -0,0 +1,79 @@
+From 5aa1ff9afad56ef0cf4acd983ff441c8048c0ba3 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+---
+ .../builder-next/adapters/snapshot/layer.go   |  3 +++
+ .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/layer.go b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+index ffde5eec..13847d5a 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/layer.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+@@ -13,6 +13,9 @@ import (
+ )
+ 
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++	s.layerCreateLocker.Lock(key)
++	defer s.layerCreateLocker.Unlock(key)
++
+ 	if l, err := s.getLayer(key, true); err != nil {
+ 		return nil, err
+ 	} else if l != nil {
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+index c1388da7..2b1d33d7 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -11,6 +11,7 @@ import (
+ 	"github.com/containerd/containerd/snapshots"
+ 	"github.com/docker/docker/daemon/graphdriver"
+ 	"github.com/docker/docker/layer"
++	"github.com/docker/docker/pkg/locker"
+ 	"github.com/moby/buildkit/identity"
+ 	"github.com/moby/buildkit/snapshot"
+ 	digest "github.com/opencontainers/go-digest"
+@@ -43,10 +44,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ 	opt Opt
+ 
+-	refs map[string]layer.Layer
+-	db   *bolt.DB
+-	mu   sync.Mutex
+-	reg  graphIDRegistrar
++	refs              map[string]layer.Layer
++	db                *bolt.DB
++	mu                sync.Mutex
++	reg               graphIDRegistrar
++	layerCreateLocker *locker.Locker
+ }
+ 
+ var _ snapshot.SnapshotterBase = &snapshotter{}
+@@ -65,10 +67,11 @@ func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {
+ 	}
+ 
+ 	s := &snapshotter{
+-		opt:  opt,
+-		db:   db,
+-		refs: map[string]layer.Layer{},
+-		reg:  reg,
++		opt:               opt,
++		db:                db,
++		refs:              map[string]layer.Layer{},
++		reg:               reg,
++		layerCreateLocker: locker.New(),
+ 	}
+ 	return s, nil
+ }
+-- 
+2.33.0
+

patch/0282-backport-fix-CVE-2024-36623.patch

@@ -0,0 +1,48 @@
+From 5e02d7625ef0472e0be29acb30e47255546ced58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Thu, 22 Feb 2024 18:01:40 +0100
+Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sync access to the underlying `io.Writer` with a mutex.
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ components/engine/pkg/streamformatter/streamformatter.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/components/engine/pkg/streamformatter/streamformatter.go b/components/engine/pkg/streamformatter/streamformatter.go
+index 04917d49ab..eaa82e1010 100644
+--- a/components/engine/pkg/streamformatter/streamformatter.go
++++ b/components/engine/pkg/streamformatter/streamformatter.go
+@@ -5,6 +5,7 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
++	"sync"
+ 
+ 	"github.com/docker/docker/pkg/jsonmessage"
+ 	"github.com/docker/docker/pkg/progress"
+@@ -109,6 +110,7 @@ type progressOutput struct {
+ 	sf       formatProgress
+ 	out      io.Writer
+ 	newLines bool
++	mu       sync.Mutex
+ }
+ 
+ // WriteProgress formats progress information from a ProgressReader.
+@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+ 		jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
+ 		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+ 	}
++
++	out.mu.Lock()
++	defer out.mu.Unlock()
+ 	_, err := out.out.Write(formatted)
+ 	if err != nil {
+ 		return err
+-- 
+2.33.0
+

series.conf

@@ -265,4 +265,9 @@ patch/0273-backport-fix-CVE-2024-24557.patch
 patch/0274-backport-fix-CVE-2024-29018.patch
 patch/0275-backport-fix-CVE-2024-32473.patch
 patch/0276-docker-Ignore-SIGURG-on-Linux.patch
+patch/0277-backport-fix-CVE-2024-41110.patch
+patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
+patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
+patch/0281-backport-fix-CVE-2024-36621.patch
+patch/0282-backport-fix-CVE-2024-36623.patch
 #end