From 811fea11922b9da55ebd901c65d7fff82328cf36 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Mon, 2 Dec 2024 14:43:51 +0800
Subject: [PATCH] docker:fix missing lock in ensurelayer

---
 VERSION-vendor | 2 +-
 docker.spec | 8 +-
 git-commit | 2 +-
 ...next-fix-missing-lock-in-ensurelayer.patch | 79 +++++++++++++++++++
 series.conf | 1 +
 5 files changed, 89 insertions(+), 3 deletions(-)
 create mode 100644 patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch

diff --git a/VERSION-vendor b/VERSION-vendor
index 9007bda..ccb4857 100644
--- a/VERSION-vendor
+++ b/VERSION-vendor
@@ -1 +1 @@
-18.09.0.341
+18.09.0.344
diff --git a/docker.spec b/docker.spec
index dd9de9b..3571321 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 341
+Release: 344
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -227,6 +227,12 @@ fi
 %endif
 
 %changelog
+* Mon Dec 02 2024 zhongjiawei - 2:18.09.0-344
+- Type:CVE
+- CVE:CVE-2024-36621
+- SUG:NA
+- DESC:fix missing lock in ensurelayer
+
 * Sat Aug 31 2024 zhongjiawei - 2:18.09.0-341
 - Type:bugfix
 - CVE:NA
diff --git a/git-commit b/git-commit
index 0fc7236..bae7a93 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-678fb4d2b2fbf91642358d82e5680aec01a15d56
+9da17b5107496bcb8d817baadfacf7b82a032262
diff --git a/patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch b/patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch
new file mode 100644
index 0000000..21b60a6
--- /dev/null
+++ b/patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch
@@ -0,0 +1,79 @@
+From 5aa1ff9afad56ef0cf4acd983ff441c8048c0ba3 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi
+---
+ .../builder-next/adapters/snapshot/layer.go | 3 +++
+ .../adapters/snapshot/snapshot.go | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/layer.go b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+index ffde5eec..13847d5a 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/layer.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/layer.go
+@@ -13,6 +13,9 @@ import (
+ )
+
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++ s.layerCreateLocker.Lock(key)
++ defer s.layerCreateLocker.Unlock(key)
++
+ if l, err := s.getLayer(key, true); err != nil {
+ return nil, err
+ } else if l != nil {
+diff --git a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+index c1388da7..2b1d33d7 100644
+--- a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -11,6 +11,7 @@ import (
+ "github.com/containerd/containerd/snapshots"
+ "github.com/docker/docker/daemon/graphdriver"
+ "github.com/docker/docker/layer"
++ "github.com/docker/docker/pkg/locker"
+ "github.com/moby/buildkit/identity"
+ "github.com/moby/buildkit/snapshot"
+ digest "github.com/opencontainers/go-digest"
+@@ -43,10 +44,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ opt Opt
+
+- refs map[string]layer.Layer
+- db *bolt.DB
+- mu sync.Mutex
+- reg graphIDRegistrar
++ refs map[string]layer.Layer
++ db *bolt.DB
++ mu sync.Mutex
++ reg graphIDRegistrar
++ layerCreateLocker *locker.Locker
+ }
+
+ var _ snapshot.SnapshotterBase = &snapshotter{}
+@@ -65,10 +67,11 @@ func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {
+ }
+
+ s := &snapshotter{
+- opt: opt,
+- db: db,
+- refs: map[string]layer.Layer{},
+- reg: reg,
++ opt: opt,
++ db: db,
++ refs: map[string]layer.Layer{},
++ reg: reg,
++ layerCreateLocker: locker.New(),
+ }
+ return s, nil
+ }
+--
+2.33.0
+
diff --git a/series.conf b/series.conf
index 509ea2a..1b6a416 100644
--- a/series.conf
+++ b/series.conf
@@ -274,4 +274,5 @@ patch/0276-docker-Ignore-SIGURG-on-Linux.patch
 patch/0277-backport-fix-CVE-2024-41110.patch
 patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
 patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
+patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch
 #end
-- Gitee
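Review bot: The per-key lock taken at the top of EnsureLayer serialises only the create path; `refs` is still mutated by whatever releases or removes entries (outside this hunk, presumably under the `s.mu` the struct still carries), so before treating this as the complete CVE-2024-36621 fix it is worth confirming that no release path can run between `getLayer` and the later insert into `refs` for the same key. The new struct field is unexplained; I would document it as `// layerCreateLocker serialises EnsureLayer per layer key so concurrent callers never register the same layer twice in refs (CVE-2024-36621).`. The deferred `s.layerCreateLocker.Unlock(key)` discards the error that pkg/locker's Unlock returns, as far as I recall; it can only report a lock that was never taken, so dropping it is acceptable, but `defer func() { _ = s.layerCreateLocker.Unlock(key) }()` makes that explicit for errcheck. The backport replaces upstream's locker import with `github.com/docker/docker/pkg/locker`, which must be present in this 18.09 engine tree for the patch to build, so a build check is warranted. EnsureLayer's body continues past the end of the hunk.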