Merge pull request #9225 from mheon/fix_CVE-2021-20199_30

Fix CVE-2021-20199 for Podman v3.0

Author: openshift-merge-robot

go.mod

@@ -49,7 +49,7 @@ require (
 	github.com/opentracing/opentracing-go v1.2.0
 	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.0
-	github.com/rootless-containers/rootlesskit v0.11.1
+	github.com/rootless-containers/rootlesskit v0.12.0
 	github.com/sirupsen/logrus v1.7.0
 	github.com/spf13/cobra v1.1.1
 	github.com/spf13/pflag v1.0.5
@@ -63,7 +63,7 @@ require (
 	golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
 	golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9
-	golang.org/x/sys v0.0.0-20201218084310-7d0127a74742
+	golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
 	google.golang.org/appengine v1.6.6 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect

go.sum

@@ -1735,7 +1735,7 @@ func (c *Container) generateResolvConf() (string, error) {
 		nameservers = resolvconf.GetNameservers(resolv.Content)
 		// slirp4netns has a built in DNS server.
 		if c.config.NetMode.IsSlirp4netns() {
-			nameservers = append([]string{"10.0.2.3"}, nameservers...)
+			nameservers = append([]string{slirp4netnsDNS}, nameservers...)
 		}
 	}
 
@@ -1815,7 +1815,7 @@ func (c *Container) getHosts() string {
 	if c.Hostname() != "" {
 		if c.config.NetMode.IsSlirp4netns() {
 			// When using slirp4netns, the interface gets a static IP
-			hosts += fmt.Sprintf("# used by slirp4netns\n%s\t%s %s\n", "10.0.2.100", c.Hostname(), c.config.Name)
+			hosts += fmt.Sprintf("# used by slirp4netns\n%s\t%s %s\n", slirp4netnsIP, c.Hostname(), c.config.Name)
 		} else {
 			hasNetNS := false
 			netNone := false

libpod/container_internal_linux.go

@@ -35,6 +35,15 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+const (
+	// slirp4netnsIP is the IP used by slirp4netns to configure the tap device
+	// inside the network namespace.
+	slirp4netnsIP = "10.0.2.100"
+
+	// slirp4netnsDNS is the IP for the built-in DNS server in the slirp network
+	slirp4netnsDNS = "10.0.2.3"
+)
+
 // Get an OCICNI network config
 func (r *Runtime) getPodNetwork(id, name, nsPath string, networks []string, ports []ocicni.PortMapping, staticIP net.IP, staticMAC net.HardwareAddr, netDescriptions ContainerNetworkDescriptions) ocicni.PodNetwork {
 	var networkKey string
@@ -547,6 +556,7 @@ func (r *Runtime) setupRootlessPortMappingViaRLK(ctr *Container, netnsPath strin
 		ExitFD:    3,
 		ReadyFD:   4,
 		TmpDir:    ctr.runtime.config.Engine.TmpDir,
+		ChildIP:   slirp4netnsIP,
 	}
 	cfgJSON, err := json.Marshal(cfg)
 	if err != nil {

libpod/networking_linux.go

@@ -48,6 +48,7 @@ type Config struct {
 	ExitFD    int
 	ReadyFD   int
 	TmpDir    string
+	ChildIP   string
 }
 
 func init() {
@@ -227,7 +228,7 @@ outer:
 
 	// let parent expose ports
 	logrus.Infof("exposing ports %v", cfg.Mappings)
-	if err := exposePorts(driver, cfg.Mappings); err != nil {
+	if err := exposePorts(driver, cfg.Mappings, cfg.ChildIP); err != nil {
 		return err
 	}
 
@@ -248,7 +249,7 @@ outer:
 	return nil
 }
 
-func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
+func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping, childIP string) error {
 	ctx := context.TODO()
 	for _, i := range portMappings {
 		hostIP := i.HostIP
@@ -260,6 +261,7 @@ func exposePorts(pm rkport.Manager, portMappings []ocicni.PortMapping) error {
 			ParentIP:   hostIP,
 			ParentPort: int(i.HostPort),
 			ChildPort:  int(i.ContainerPort),
+			ChildIP:    childIP,
 		}
 		if err := rkportutil.ValidatePortSpec(spec, nil); err != nil {
 			return err

pkg/rootlessport/rootlessport_linux.go

@@ -65,16 +65,31 @@ load helpers
     myport=54321
 
     # Container will exit as soon as 'nc' receives input
+    # We use '-n -v' to give us log messages showing an incoming connection
+    # and its IP address; the purpose of that is guaranteeing that the
+    # remote IP is not 127.0.0.1 (podman PR #9052).
+    # We could get more parseable output by using $NCAT_REMOTE_ADDR,
+    # but busybox nc doesn't support that.
     run_podman run -d --userns=keep-id -p 127.0.0.1:$myport:$myport \
-               $IMAGE nc -l -p $myport
+               $IMAGE nc -l -n -v -p $myport
     cid="$output"
 
     # emit random string, and check it
     teststring=$(random_string 30)
     echo "$teststring" | nc 127.0.0.1 $myport
 
     run_podman logs $cid
-    is "$output" "$teststring" "test string received on container"
+    # Sigh. We can't check line-by-line, because 'nc' output order is
+    # unreliable. We usually get the 'connect to' line before the random
+    # string, but sometimes we get it after. So, just do substring checks.
+    is "$output" ".*listening on \[::\]:$myport .*" "nc -v shows right port"
+
+    # This is the truly important check: make sure the remote IP is
+    # in the 10.X range, not 127.X.
+    is "$output" \
+       ".*connect to \[::ffff:10\..*\]:$myport from \[::ffff:10\..*\]:.*" \
+       "nc -v shows remote IP address in 10.X space (not 127.0.0.1)"
+    is "$output" ".*${teststring}.*" "test string received on container"
 
     # Clean up
     run_podman rm $cid