Merge pull request #27023 from TomSweeneyRedHat/dev/tsweeney/CVE-2025-9566-v4.9-rhel

[v4.9-rhel] CVE-2025-9566 Fixes

Author: openshift-merge-bot[bot]

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09
 	github.com/coreos/stream-metadata-go v0.4.4
 	github.com/crc-org/vfkit v0.1.2-0.20231030102423-f3c783d34420
-	github.com/cyphar/filepath-securejoin v0.2.4
+	github.com/cyphar/filepath-securejoin v0.4.1
 	github.com/digitalocean/go-qemu v0.0.0-20230711162256-2e3d0186973e
 	github.com/docker/distribution v2.8.3+incompatible
 	github.com/docker/docker v24.0.7+incompatible

go.sum

@@ -319,8 +319,8 @@ github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 h
 github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
+github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/d2g/dhcp4 v0.0.0-20170904100407-a1d1b6c41b1c/go.mod h1:Ct2BUK8SB0YC1SMSibvLzxjeJLnrYEVLULFNiHY9YfQ=
 github.com/d2g/dhcp4client v1.0.0/go.mod h1:j0hNfjhrt2SxUOw55nL0ATM/z4Yt3t2Kd1mW34z5W5s=
 github.com/d2g/dhcp4server v0.0.0-20181031114812-7d4a0a7f59a5/go.mod h1:Eo87+Kg/IX2hfWJfwxMzLyuSZyxSoAug2nGa1G2QAi8=

pkg/domain/infra/abi/play.go

@@ -638,8 +638,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 			defaultMode := v.DefaultMode
 			// Create files and add data to the volume mountpoint based on the Items in the volume
 			for k, v := range v.Items {
-				dataPath := filepath.Join(mountPoint, k)
-				f, err := os.Create(dataPath)
+				f, err := openPathSafely(mountPoint, k)
 				if err != nil {
 					return nil, nil, fmt.Errorf("cannot create file %q at volume mountpoint %q: %w", k, mountPoint, err)
 				}
@@ -649,7 +648,7 @@ func (ic *ContainerEngine) playKubePod(ctx context.Context, podName string, podY
 					return nil, nil, err
 				}
 				// Set file permissions
-				if err := os.Chmod(f.Name(), os.FileMode(defaultMode)); err != nil {
+				if err := f.Chmod(os.FileMode(defaultMode)); err != nil {
 					return nil, nil, err
 				}
 			}

pkg/domain/infra/abi/play_linux.go

@@ -0,0 +1,18 @@
+//go:build !remote
+
+package abi
+
+import (
+	"os"
+
+	securejoin "github.com/cyphar/filepath-securejoin"
+)
+
+// openSymlinkPath opens the path under root using securejoin.OpenatInRoot().
+func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
+	file, err := securejoin.OpenatInRoot(root, unsafePath)
+	if err != nil {
+		return nil, err
+	}
+	return securejoin.Reopen(file, flags)
+}

pkg/domain/infra/abi/play_unsupported.go

@@ -0,0 +1,13 @@
+//go:build !linux && !remote
+
+package abi
+
+import (
+	"errors"
+	"os"
+)
+
+// openSymlinkPath is not supported on this platform.
+func openSymlinkPath(root *os.File, unsafePath string, flags int) (*os.File, error) {
+	return nil, errors.New("cannot safely open symlink on this platform")
+}

pkg/domain/infra/abi/play_utils.go

@@ -1,6 +1,13 @@
 package abi
 
-import "github.com/containers/podman/v4/libpod/define"
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/containers/podman/v4/libpod/define"
+	"golang.org/x/sys/unix"
+)
 
 // getSdNotifyMode returns the `sdNotifyAnnotation/$name` for the specified
 // name. If name is empty, it'll only look for `sdNotifyAnnotation`.
@@ -14,3 +21,33 @@ func getSdNotifyMode(annotations map[string]string, name string) (string, error)
 	}
 	return mode, define.ValidateSdNotifyMode(mode)
 }
+
+// openPathSafely opens the given name under the trusted root path, the unsafeName
+// must be a single path component and not contain "/".
+// The resulting path will be opened or created if it does not exists.
+// Following of symlink is done within staying under root, escapes outsides
+// of root are not allowed and prevent.
+//
+// This custom function is needed because securejoin.SecureJoin() is not race safe
+// and the volume might be mounted in another container that could swap in a symlink
+// after the function ahs run. securejoin.OpenInRoot() doesn't work either because
+// it cannot create files and doesn't work on freebsd.
+func openPathSafely(root, unsafeName string) (*os.File, error) {
+	if strings.Contains(unsafeName, "/") {
+		return nil, fmt.Errorf("name %q must not contain path separator", unsafeName)
+	}
+	fdDir, err := os.OpenFile(root, unix.O_RDONLY, 0)
+	if err != nil {
+		return nil, err
+	}
+	defer fdDir.Close()
+	flags := unix.O_CREAT | unix.O_WRONLY | unix.O_TRUNC | unix.O_CLOEXEC
+	fd, err := unix.Openat(int(fdDir.Fd()), unsafeName, flags|unix.O_NOFOLLOW, 0o644)
+	if err == nil {
+		return os.NewFile(uintptr(fd), unsafeName), nil
+	}
+	if err == unix.ELOOP {
+		return openSymlinkPath(fdDir, unsafeName, flags)
+	}
+	return nil, &os.PathError{Op: "openat", Path: unsafeName, Err: err}
+}

test/e2e/play_kube_test.go

@@ -1913,7 +1913,7 @@ func getPersistentVolumeClaimVolume(vName string) *Volume {
 
 // getConfigMap returns a new ConfigMap Volume given the name and items
 // of the ConfigMap.
-func getConfigMapVolume(vName string, items []map[string]string, optional bool, defaultMode *int32) *Volume { //nolint:unparam
+func getConfigMapVolume(vName string, items []map[string]string, optional bool, defaultMode *int32) *Volume {
 	vol := &Volume{
 		VolumeType: "ConfigMap",
 		Name:       defaultVolName,
@@ -6337,4 +6337,32 @@ spec:
 		Expect(execArr[len(execArr)-1]).To(Not(ContainSubstring(arr[len(arr)-1])))
 	})
 
+	It("CVE-2025-9566 regression test - ConfigMap mount", func() {
+		testfile := filepath.Join(podmanTest.TempDir, "testfile")
+		volumeName := "cm-vol"
+		cm := getConfigMap(withConfigMapName(volumeName), withConfigMapData("foo", "content1"))
+		cmYaml, err := getKubeYaml("configmap", cm)
+		Expect(err).ToNot(HaveOccurred())
+
+		ctrName := "ctr1"
+		podName := "pod1"
+		// create a symlink at the volume mount location so we can make sure we don't resolve that to the host location.
+		ctr := getCtr(withName(ctrName), withVolumeMount("/test", "", false), withImage(CITEST_IMAGE), withCmd([]string{"sh", "-c", "ln -sf " + testfile + " /test/foo"}))
+		pod := getPod(withPodName(podName), withVolume(getConfigMapVolume(volumeName, nil, false, nil)), withCtr(ctr))
+		podYaml, err := getKubeYaml("pod", pod)
+		Expect(err).ToNot(HaveOccurred())
+		yamls := []string{cmYaml, podYaml}
+		err = generateMultiDocKubeYaml(yamls, kubeYaml)
+		Expect(err).ToNot(HaveOccurred())
+
+		podmanTest.PodmanExitCleanly("kube", "play", kubeYaml)
+		// wait for the container to finish to ensure the symlink was created
+		podmanTest.PodmanExitCleanly("wait", podName+"-"+ctrName)
+		podmanTest.PodmanExitCleanly("kube", "down", kubeYaml)
+		kube := podmanTest.Podman([]string{"kube", "play", kubeYaml})
+		kube.WaitWithDefaultTimeout()
+		Expect(kube).To(ExitWithError(125, `cannot create file "foo" at volume mountpoint`))
+
+		Expect(testfile).ToNot(BeAnExistingFile(), "file should never be created on the host")
+	})
 })