!372 [sync] PR-366: fix CVE-2024-36623

From: @openeuler-sync-bot 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234

VERSION-vendor

@@ -1 +1 @@
-18.09.0.340
+18.09.0.345

docker.spec

@@ -1,12 +1,12 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 340
+Release: 345
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
 
-License: ASL 2.0
-Source0: https://github.com/docker/docker-ce/archive/v18.09.0.tar.gz
+License: Apache-2.0
+Source0: https://github.com/docker/docker-ce/archive/v%{version}.tar.gz
 Source1: patch.tar.gz
 Source2: apply-patches
 Source3: git-commit
@@ -24,15 +24,17 @@ URL: https://mobyproject.org
 # most are already in the container (see contrib/builder/rpm/ARCH/generate.sh)
 BuildRequires: pkgconfig(systemd) golang >= 1.8.3 btrfs-progs-devel device-mapper-devel glibc-static libseccomp-devel
 BuildRequires: libselinux-devel libtool-ltdl-devel pkgconfig selinux-policy selinux-policy-devel sqlite-devel systemd-devel
-BuildRequires: tar containerd runc docker-proxy git
+BuildRequires: tar containerd runc git
 
 # required packages on install
 Requires: /bin/sh iptables tar xz device-mapper-libs >= 1.02.90-1 systemd-units
+Requires: /usr/bin/docker-proxy
 
 # conflicting packages
 Provides: docker
 Conflicts: docker-io
 Conflicts: docker-engine-cs
+%{systemd_requires}
 
 %description
 Docker is an open source project to build, ship and run any application as a
@@ -111,9 +113,6 @@ install -p -m 755 components/engine/bundles/dynbinary-daemon/dockerd $RPM_BUILD_
 # install cli
 install -p -m 755 components/cli/build/docker $RPM_BUILD_ROOT/%{_bindir}/docker
 
-# install proxy
-install -p -m 755 /usr/bin/docker-proxy $RPM_BUILD_ROOT/%{_bindir}/docker-proxy
-
 # install containerd
 install -p -m 755 /usr/bin/containerd $RPM_BUILD_ROOT/%{_bindir}/containerd
 install -p -m 755 /usr/bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
@@ -168,7 +167,6 @@ install -p -m 644 components/engine/contrib/syntax/nano/Dockerfile.nanorc $RPM_B
 /%{_bindir}/docker
 /%{_bindir}/dockerd
 /%{_bindir}/containerd
-/%{_bindir}/docker-proxy
 /%{_bindir}/containerd-shim
 /%{_bindir}/runc
 /%{_sysconfdir}/udev/rules.d/80-docker.rules
@@ -227,6 +225,33 @@ fi
 %endif
 
 %changelog
+* Fri Dec 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-345
+- Type:CVE
+- CVE:CVE-2024-36623
+- SUG:NA
+- DESC:fix CVE-2024-36623
+
+* Mon Dec 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-344
+- Type:CVE
+- CVE:CVE-2024-36621
+- SUG:NA
+- DESC:fix missing lock in ensurelayer
+
+* Sat Nov 23 2024 Funda Wang <fundawang@yeah.net> - 2:18.09.0-343
+- add requires for docker-proxy rather than installing it manually
+
+* Fri Oct 25 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-342
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:support calling clone when clone3 is not support
+
+* Sat Aug 31 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-341
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:try to reconnect when containerd grpc return unexpected EOF
+
 * Fri Aug 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-340
 - Type:bugfix
 - CVE:NA

gen-commit.sh

@@ -18,9 +18,10 @@ echo 18.09.0.$new_version > VERSION-vendor
 
 author=$(git config user.name)
 email=$(git config user.email)
+epoch=$(head -10 docker.spec | grep Epoch | awk '{print $NF}')
 version=$(head -10 docker.spec | grep Version | awk '{print $NF}')
 release=$(head -10 docker.spec | grep Release | awk '{print $2}' | awk -F% '{print $1}')
-new_all=$version-$release
+new_all=$epoch:$version-$release
 new_changelog=$(cat << EOF
 * $(LC_ALL="C" date '+%a %b %d %Y') $author<$email> - $new_all\n- Type:\n- CVE:\n- SUG:\n- DESC:\n
 EOF

git-commit

@@ -1 +1 @@
-29173030b7e118013ed3e8a3773492c40928bb9c
+760d2ff23dc93f97e0066748ab1e8050e3aaaa25

patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch

@@ -0,0 +1,57 @@
+From 68ea83ecea0e38d084c0d15c9e99c0b4494b1f32 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Thu, 22 Aug 2024 20:22:43 +0800
+Subject: [PATCH] docker: try to reconnect when containerd grpc return
+ unexpected EOF
+
+---
+ .../engine/libcontainerd/client_daemon.go     | 26 ++++++++++++++-----
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/libcontainerd/client_daemon.go b/components/engine/libcontainerd/client_daemon.go
+index 09ce6e1f5..14f420ed8 100755
+--- a/components/engine/libcontainerd/client_daemon.go
++++ b/components/engine/libcontainerd/client_daemon.go
+@@ -38,9 +38,12 @@ import (
+ 	"google.golang.org/grpc/status"
+ )
+ 
+-// InitProcessName is the name given to the first process of a
+-// container
+-const InitProcessName = "init"
++const (
++	// InitProcessName is the name given to the first process of a container
++	InitProcessName = "init"
++	// RetryMax is the max num to connect containerd grpc
++	RetryMax = 10
++)
+ 
+ type container struct {
+ 	mu sync.Mutex
+@@ -167,9 +170,20 @@ func (c *client) Restore(ctx context.Context, id string, attachStdio StdioCallba
+ 		err = wrapError(err)
+ 	}()
+ 
+-	ctr, err := c.client.LoadContainer(ctx, id)
+-	if err != nil {
+-		return false, -1, errors.WithStack(wrapError(err))
++	var ctr containerd.Container
++	var err1 error
++	for retry := 1; retry <= RetryMax; retry++ {
++		ctr, err1 = c.client.LoadContainer(ctx, id)
++		if err1 == nil {
++			break
++		} else if strings.Contains(err1.Error(), "unexpected EOF") {
++			time.Sleep(time.Millisecond * 100)
++			continue
++		}
++		return false, -1, errors.WithStack(wrapError(err1))
++	}
++	if err1 != nil {
++		return false, -1, errors.Wrap(wrapError(err1), "reconnect load contianer failed")
+ 	}
+ 
+ 	attachIO := func(fifos *cio.FIFOSet) (cio.IO, error) {
+-- 
+2.33.0
+

patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch

@@ -0,0 +1,123 @@
+From 28a8f3016bfba8aab5cf0495519ca41f4c43f7a3 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Fri, 25 Oct 2024 15:00:22 +0800
+Subject: [PATCH] docker:support calling clone when clone3 is not support
+
+---
+ components/engine/api/types/seccomp.go        |  1 +
+ components/engine/profiles/seccomp/seccomp.go |  7 +++---
+ .../profiles/seccomp/seccomp_default.go       | 22 ++++++++++---------
+ .../runtime-spec/specs-go/config.go           |  1 +
+ 4 files changed, 18 insertions(+), 13 deletions(-)
+
+diff --git a/components/engine/api/types/seccomp.go b/components/engine/api/types/seccomp.go
+index 67a41e1a..0ed7d6ee 100644
+--- a/components/engine/api/types/seccomp.go
++++ b/components/engine/api/types/seccomp.go
+@@ -86,6 +86,7 @@ type Syscall struct {
+ 	Name     string   `json:"name,omitempty"`
+ 	Names    []string `json:"names,omitempty"`
+ 	Action   Action   `json:"action"`
++	ErrnoRet *uint    `json:"errnoRet,omitempty"`
+ 	Args     []*Arg   `json:"args"`
+ 	Comment  string   `json:"comment"`
+ 	Includes Filter   `json:"includes"`
+diff --git a/components/engine/profiles/seccomp/seccomp.go b/components/engine/profiles/seccomp/seccomp.go
+index 4438670a..993e8d87 100644
+--- a/components/engine/profiles/seccomp/seccomp.go
++++ b/components/engine/profiles/seccomp/seccomp.go
+@@ -128,21 +128,22 @@ Loop:
+ 		}
+ 
+ 		if call.Name != "" {
+-			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
++			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args, call.ErrnoRet))
+ 		}
+ 
+ 		for _, n := range call.Names {
+-			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
++			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args, call.ErrnoRet))
+ 		}
+ 	}
+ 
+ 	return newConfig, nil
+ }
+ 
+-func createSpecsSyscall(name string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
++func createSpecsSyscall(name string, action types.Action, args []*types.Arg, errnoRet *uint) specs.LinuxSyscall {
+ 	newCall := specs.LinuxSyscall{
+ 		Names:  []string{name},
+ 		Action: specs.LinuxSeccompAction(action),
++		ErrnoRet: errnoRet,
+ 	}
+ 
+ 	// Loop through all the arguments of the syscall and convert them
+diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
+index a90e441c..0b96de5f 100644
+--- a/components/engine/profiles/seccomp/seccomp_default.go
++++ b/components/engine/profiles/seccomp/seccomp_default.go
+@@ -42,6 +42,7 @@ func arches() []types.Architecture {
+ 
+ // DefaultProfile defines the whitelist for the default seccomp profile.
+ func DefaultProfile() *types.Seccomp {
++	nosys := uint(unix.ENOSYS)
+ 	syscalls := []*types.Syscall{
+ 		{
+ 			Names: []string{
+@@ -489,16 +490,6 @@ func DefaultProfile() *types.Seccomp {
+ 				Arches: []string{"amd64", "x32", "x86"},
+ 			},
+ 		},
+-		{
+-                        Names: []string{
+-				"clone3",
+-                        },
+-                        Action: types.ActAllow,
+-                        Args:   []*types.Arg{},
+-                        Includes: types.Filter{
+-                                Arches: []string{"arm64", "amd64", "x32", "x86"},
+-                        },
+-                },
+ 		{
+ 			Names: []string{
+ 				"s390_pci_mmio_read",
+@@ -525,6 +516,7 @@ func DefaultProfile() *types.Seccomp {
+ 			Names: []string{
+ 				"bpf",
+ 				"clone",
++				"clone3",
+ 				"fanotify_init",
+ 				"lookup_dcookie",
+ 				"mount",
+@@ -584,6 +576,16 @@ func DefaultProfile() *types.Seccomp {
+ 				Caps: []string{"CAP_SYS_ADMIN"},
+ 			},
+ 		},
++		{
++			Names: []string{
++				"clone3",
++			},
++			Action: types.ActErrno,
++			ErrnoRet: &nosys,
++			Excludes: types.Filter{
++				Caps: []string{"CAP_SYS_ADMIN"},
++			},
++		},
+ 		{
+ 			Names: []string{
+ 				"reboot",
+diff --git a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+index 46049b3b..8b17fd1e 100644
+--- a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
++++ b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+@@ -628,6 +628,7 @@ type LinuxSeccompArg struct {
+ type LinuxSyscall struct {
+ 	Names  []string           `json:"names"`
+ 	Action LinuxSeccompAction `json:"action"`
++	ErrnoRet *uint            `json:"errnoRet,omitempty"`
+ 	Args   []LinuxSeccompArg  `json:"args,omitempty"`
+ }
+ 
+-- 
+2.33.0
+

patch/0281-backport-fix-CVE-2024-36621.patch

@@ -0,0 +1,79 @@
+From 5aa1ff9afad56ef0cf4acd983ff441c8048c0ba3 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+---
+ .../builder-next/adapters/snapshot/layer.go   |  3 +++
+ .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/layer.go b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+index ffde5eec..13847d5a 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/layer.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+@@ -13,6 +13,9 @@ import (
+ )
+ 
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++	s.layerCreateLocker.Lock(key)
++	defer s.layerCreateLocker.Unlock(key)
++
+ 	if l, err := s.getLayer(key, true); err != nil {
+ 		return nil, err
+ 	} else if l != nil {
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+index c1388da7..2b1d33d7 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -11,6 +11,7 @@ import (
+ 	"github.com/containerd/containerd/snapshots"
+ 	"github.com/docker/docker/daemon/graphdriver"
+ 	"github.com/docker/docker/layer"
++	"github.com/docker/docker/pkg/locker"
+ 	"github.com/moby/buildkit/identity"
+ 	"github.com/moby/buildkit/snapshot"
+ 	digest "github.com/opencontainers/go-digest"
+@@ -43,10 +44,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ 	opt Opt
+ 
+-	refs map[string]layer.Layer
+-	db   *bolt.DB
+-	mu   sync.Mutex
+-	reg  graphIDRegistrar
++	refs              map[string]layer.Layer
++	db                *bolt.DB
++	mu                sync.Mutex
++	reg               graphIDRegistrar
++	layerCreateLocker *locker.Locker
+ }
+ 
+ var _ snapshot.SnapshotterBase = &snapshotter{}
+@@ -65,10 +67,11 @@ func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {
+ 	}
+ 
+ 	s := &snapshotter{
+-		opt:  opt,
+-		db:   db,
+-		refs: map[string]layer.Layer{},
+-		reg:  reg,
++		opt:               opt,
++		db:                db,
++		refs:              map[string]layer.Layer{},
++		reg:               reg,
++		layerCreateLocker: locker.New(),
+ 	}
+ 	return s, nil
+ }
+-- 
+2.33.0
+

patch/0282-backport-fix-CVE-2024-36623.patch

@@ -0,0 +1,48 @@
+From 5e02d7625ef0472e0be29acb30e47255546ced58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Thu, 22 Feb 2024 18:01:40 +0100
+Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sync access to the underlying `io.Writer` with a mutex.
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ components/engine/pkg/streamformatter/streamformatter.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/components/engine/pkg/streamformatter/streamformatter.go b/components/engine/pkg/streamformatter/streamformatter.go
+index 04917d49ab..eaa82e1010 100644
+--- a/components/engine/pkg/streamformatter/streamformatter.go
++++ b/components/engine/pkg/streamformatter/streamformatter.go
+@@ -5,6 +5,7 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
++	"sync"
+ 
+ 	"github.com/docker/docker/pkg/jsonmessage"
+ 	"github.com/docker/docker/pkg/progress"
+@@ -109,6 +110,7 @@ type progressOutput struct {
+ 	sf       formatProgress
+ 	out      io.Writer
+ 	newLines bool
++	mu       sync.Mutex
+ }
+ 
+ // WriteProgress formats progress information from a ProgressReader.
+@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+ 		jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
+ 		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+ 	}
++
++	out.mu.Lock()
++	defer out.mu.Unlock()
+ 	_, err := out.out.Write(formatted)
+ 	if err != nil {
+ 		return err
+-- 
+2.33.0
+

series.conf

@@ -276,4 +276,8 @@ patch/0275-backport-fix-CVE-2024-32473.patch
 patch/0276-docker-Ignore-SIGURG-on-Linux.patch
 patch/0277-backport-fix-CVE-2024-41110.patch
 patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
+patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
+patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch
+patch/0281-backport-fix-CVE-2024-36621.patch
+patch/0282-backport-fix-CVE-2024-36623.patch
 #end