Merge pull request #9221 from mheon/fix_CVE-2021-20199
[v2.2.1-rhel] Backport fix for CVE-2021-20199
openshift-merge-robot authored Feb 3, 2021
2 parents d486878 + 83ab19a commit 1741f15
Showing 191 changed files with 11,164 additions and 1,637 deletions.
8 changes: 4 additions & 4 deletions go.mod
Expand Up @@ -28,7 +28,7 @@ require (
github.com/ghodss/yaml v1.0.0
github.com/godbus/dbus/v5 v5.0.3
github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf
github.com/google/uuid v1.1.2
github.com/google/uuid v1.1.5
github.com/gorilla/mux v1.8.0
github.com/gorilla/schema v1.2.0
github.com/hashicorp/go-multierror v1.1.0
Expand All @@ -48,12 +48,12 @@ require (
github.com/opentracing/opentracing-go v1.2.0
github.com/pkg/errors v0.9.1
github.com/pmezard/go-difflib v1.0.0
github.com/rootless-containers/rootlesskit v0.11.1
github.com/rootless-containers/rootlesskit v0.12.0
github.com/sirupsen/logrus v1.7.0
github.com/spf13/cobra v1.1.1
github.com/spf13/pflag v1.0.5
github.com/stretchr/objx v0.2.0 // indirect
github.com/stretchr/testify v1.6.1
github.com/stretchr/testify v1.7.0
github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2
github.com/uber/jaeger-client-go v2.25.0+incompatible
github.com/uber/jaeger-lib v2.2.0+incompatible // indirect
Expand All @@ -64,7 +64,7 @@ require (
golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
google.golang.org/appengine v1.6.6 // indirect
google.golang.org/protobuf v1.25.0 // indirect
gopkg.in/square/go-jose.v2 v2.5.1 // indirect
54 changes: 44 additions & 10 deletions go.sum


4 changes: 2 additions & 2 deletions libpod/container_internal_linux.go
Expand Up @@ -1527,7 +1527,7 @@ func (c *Container) generateResolvConf() (string, error) {
nameservers = resolvconf.GetNameservers(resolv.Content)
// slirp4netns has a built in DNS server.
if c.config.NetMode.IsSlirp4netns() {
nameservers = append([]string{"10.0.2.3"}, nameservers...)
nameservers = append([]string{slirp4netnsDNS}, nameservers...)
}
}

Expand Down Expand Up @@ -1607,7 +1607,7 @@ func (c *Container) getHosts() string {
if c.Hostname() != "" {
if c.config.NetMode.IsSlirp4netns() {
// When using slirp4netns, the interface gets a static IP
hosts += fmt.Sprintf("# used by slirp4netns\n%s\t%s %s\n", "10.0.2.100", c.Hostname(), c.config.Name)
hosts += fmt.Sprintf("# used by slirp4netns\n%s\t%s %s\n", slirp4netnsIP, c.Hostname(), c.config.Name)
} else {
hasNetNS := false
netNone := false
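--- a/libpod/networking_linux.go
+++ b/libpod/networking_linux.go
@@ -34,6 +34,15 @@ import (
 "golang.org/x/sys/unix"
 )
 
+const (
+// slirp4netnsIP is the IP used by slirp4netns to configure the tap device
+// inside the network namespace.
+slirp4netnsIP = "10.0.2.100"
+
+// slirp4netnsDNS is the IP for the built-in DNS server in the slirp network
+slirp4netnsDNS = "10.0.2.3"
+)
+
 // Get an OCICNI network config
 func (r *Runtime) getPodNetwork(id, name, nsPath string, networks []string, ports []ocicni.PortMapping, staticIP net.IP, staticMAC net.HardwareAddr, netDescriptions ContainerNetworkDescriptions) ocicni.PodNetwork {
 var networkKey string
@@ -544,6 +553,7 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin
 ExitFD: 3,
 ReadyFD: 4,
 TmpDir: ctr.runtime.config.Engine.TmpDir,
+ChildIP: slirp4netnsIP,
 }
 cfgJSON, err := json.Marshal(cfg)
 if err != nil {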
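Review bot: `ChildIP: slirp4netnsIP` hard-codes the tap address of slirp4netns's default 10.0.2.0/24 network, and nothing at either site records that the two must agree; if slirp4netns were ever launched with a non-default `--cidr`, the address rootlesskit forwards host ports to would silently stop matching the tap interface. I would extend the comment on the constant: `// Must stay in sync with the network slirp4netns is started with; it is also handed to rootlesskit as ChildIP for port forwarding.` setupRootlessPortMappingViaRLK starts before the second hunk, so whether the slirp4netns invocation itself derives from the same constant is not visible here.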
6 changes: 4 additions & 2 deletions pkg/rootlessport/rootlessport_linux.go
Expand Up @@ -48,6 +48,7 @@ type Config struct {
ExitFD int
ReadyFD int
TmpDir string
ChildIP string
}

func init() {
Expand Down Expand Up @@ -227,7 +228,7 @@ outer:

// let parent expose ports
logrus.Infof("exposing ports %v", cfg.Mappings)
if err := exposePorts(driver, cfg.Mappings); err != nil {
if err := exposePorts(driver, cfg.Mappings, cfg.ChildIP); err != nil {
return err
}

Expand All @@ -248,7 +249,7 @@ outer:
return nil
}

func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping, childIP string) error {
ctx := context.TODO()
for _, i := range portMappings {
hostIP := i.HostIP
Expand All @@ -260,6 +261,7 @@ func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
ParentIP: hostIP,
ParentPort: int(i.HostPort),
ChildPort: int(i.ContainerPort),
ChildIP: childIP,
}
if err := rkportutil.ValidatePortSpec(spec, nil); err != nil {
return err
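Review bot: `ChildIP string` is added to Config with no comment, yet Config is the structure the parent serializes for the child process (`json.Marshal(cfg)` in libpod/networking_linux.go), so the field's meaning is only recoverable by reading exposePorts. I would document it: `// ChildIP is the address inside the child namespace that host ports are forwarded to; callers set it to the slirp4netns tap address so forwarded connections are not delivered via loopback.` exposePorts also copies childIP into every port spec without checking it; whether rootlesskit treats an empty ChildIP as "use loopback" is not visible here, and if it does, an early return such as `if childIP == "" { return errors.New("rootlessport: ChildIP must be set") }` before the loop would make a missing value a visible failure rather than a quiet return to the pre-fix behaviour (whether `errors` is already imported is outside the hunk). exposePorts continues past the hunk.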
19 changes: 17 additions & 2 deletions test/system/500-networking.bats
Expand Up @@ -65,16 +65,31 @@ load helpers
myport=54321

# Container will exit as soon as 'nc' receives input
# We use '-n -v' to give us log messages showing an incoming connection
# and its IP address; the purpose of that is guaranteeing that the
# remote IP is not 127.0.0.1 (podman PR #9052).
# We could get more parseable output by using $NCAT_REMOTE_ADDR,
# but busybox nc doesn't support that.
run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \
$IMAGE nc -l -p $myport
$IMAGE nc -l -n -v -p $myport
cid="$output"

# emit random string, and check it
teststring=$(random_string 30)
echo "$teststring" | nc 127.0.0.1 $myport

run_podman logs $cid
is "$output" "$teststring" "test string received on container"
# Sigh. We can't check line-by-line, because 'nc' output order is
# unreliable. We usually get the 'connect to' line before the random
# string, but sometimes we get it after. So, just do substring checks.
is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port"

# This is the truly important check: make sure the remote IP is
# in the 10.X range, not 127.X.
is "$output" \
".*connect to \[::ffff:10\..*\]:$myport from \[::ffff:10\..*\]:.*" \
"nc -v shows remote IP address in 10.X space (not 127.0.0.1)"
is "$output" ".*${teststring}.*" "test string received on container"

# Clean up
run_podman rm $cid
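Review bot: The regression check `".*connect to \[::ffff:10\..*\]:$myport from \[::ffff:10\..*\]:.*"` accepts any address in 10.0.0.0/8, while the constants added in libpod/networking_linux.go pin the slirp4netns network to 10.0.2.0/24 (10.0.2.100 and 10.0.2.3); matching `10\.0\.2\.` instead would tie the test to the addresses podman actually configures rather than to the whole /8. The `[::ffff:` prefix also relies on busybox nc printing IPv4-mapped addresses, which the comment above only partly acknowledges, so I would add `# busybox nc reports the peer as an IPv4-mapped IPv6 address` next to the check. The test function starts before the hunk.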
4 changes: 2 additions & 2 deletions vendor/github.com/google/uuid/hash.go


2 changes: 1 addition & 1 deletion vendor/github.com/google/uuid/sql.go


10 changes: 8 additions & 2 deletions vendor/github.com/google/uuid/uuid.go

