path: root/recipes-containers/docker/files/CVE-2024-36621.patch
blob: 6560f46a87d48e3ef07d2628e7d13b96d884e067 (plain)
From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
From: Tonis Tiigi <tonistiigi@gmail.com>
Date: Wed, 6 Mar 2024 23:11:32 -0800
Subject: [PATCH] builder-next: fix missing lock in ensurelayer

When this was called concurrently from the moby image
exporter there could be a data race where a layer was
written to the refs map when it was already there.

In that case the reference count got mixed up and on
release only one of these layers was actually released.

CVE: CVE-2024-36621

Upstream-Status: Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
 .../builder-next/adapters/snapshot/layer.go   |  3 +++
 .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
index 73120ea70b..fc83058339 100644
--- a/builder/builder-next/adapters/snapshot/layer.go
+++ b/builder/builder-next/adapters/snapshot/layer.go
@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
 }

 func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
+	s.layerCreateLocker.Lock(key)
+	defer s.layerCreateLocker.Unlock(key)
+
	diffIDs, err := s.GetDiffIDs(ctx, key)
	if err != nil {
		return nil, err
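Review bot: The deferred `s.layerCreateLocker.Unlock(key)` on the second added line silently discards the error that moby/locker's Unlock returns, and neither added line says why a per-key lock is needed at this point. Because Lock(key) immediately precedes it on the same path, the only error Unlock can produce (an unknown key) cannot occur here, so dropping it is acceptable but should be stated: `defer s.layerCreateLocker.Unlock(key) // cannot fail: Lock(key) above guarantees the entry exists`. A why-comment above the Lock would also tie the fix to the race described in the commit message, e.g. `// Serialize EnsureLayer per key: two concurrent callers could otherwise both miss the refs lookup and both insert the layer, corrupting its reference count.` EnsureLayer's body continues past the hunk, so it is not visible here whether every write to s.refs for this key goes through this function; if any other path inserts into refs, it would presumably need the same lock.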
diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
index a0d28ad984..510ffefb49 100644
--- a/builder/builder-next/adapters/snapshot/snapshot.go
+++ b/builder/builder-next/adapters/snapshot/snapshot.go
@@ -17,6 +17,7 @@ import (
	"github.com/moby/buildkit/identity"
	"github.com/moby/buildkit/snapshot"
	"github.com/moby/buildkit/util/leaseutil"
+	"github.com/moby/locker"
	"github.com/opencontainers/go-digest"
	"github.com/pkg/errors"
	bolt "go.etcd.io/bbolt"
@@ -51,10 +52,11 @@ type checksumCalculator interface {
 type snapshotter struct {
	opt Opt

-	refs map[string]layer.Layer
-	db   *bolt.DB
-	mu   sync.Mutex
-	reg  graphIDRegistrar
+	refs              map[string]layer.Layer
+	db                *bolt.DB
+	mu                sync.Mutex
+	reg               graphIDRegistrar
+	layerCreateLocker *locker.Locker
 }

 // NewSnapshotter creates a new snapshotter
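Review bot: The new `layerCreateLocker *locker.Locker` field carries no comment, and as a pointer its zero value is nil, so a snapshotter constructed anywhere other than NewSnapshotter would panic on the first EnsureLayer call rather than fail safely. A field comment capturing both the purpose and that constraint would help the next maintainer: `layerCreateLocker *locker.Locker // per-key lock serializing EnsureLayer; must be set (NewSnapshotter does), nil panics`. It is also worth noting how this lock relates to `mu`, which presumably still guards the refs map itself, so readers do not mistake one for the other.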
@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
	}

	s := &snapshotter{
-		opt:  opt,
-		db:   db,
-		refs: map[string]layer.Layer{},
-		reg:  reg,
+		opt:               opt,
+		db:                db,
+		refs:              map[string]layer.Layer{},
+		reg:               reg,
+		layerCreateLocker: locker.New(),
	}

	slm := newLeaseManager(s, prevLM)
--
2.40.0