
Commit 8d31795

Merge pull request #41966 from thaJeztah/CVE-2021-21285_master
[master] prevent an invalid image from crashing docker daemon (CVE-2021-21285)
2 parents 2bd6213 + c747d9f commit 8d31795


2 files changed

+9
-0
lines changed


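--- a/builder/builder-next/adapters/containerimage/pull.go
+++ b/builder/builder-next/adapters/containerimage/pull.go
@@ -524,6 +524,9 @@ func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.Immutable
 layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers))
 
 for i, desc := range mfst.Layers {
+if err := desc.Digest.Validate(); err != nil {
+return nil, errors.Wrap(err, "layer digest could not be validated")
+}
 ongoing.add(desc)
 layers = append(layers, &layerDescriptor{
 desc: desc,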
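Review bot: The wrapped error in the check added to the `for i, desc := range mfst.Layers` loop omits the offending digest, unlike the two checks added in distribution/pull_v2.go, so an operator reading the daemon log cannot tell which layer of the manifest was malformed. Consider `return nil, errors.Wrapf(err, "layer digest %q could not be validated", desc.Digest)`; `%q` also keeps the registry-supplied string quoted in the log. The check runs after earlier iterations have already called `ongoing.add(desc)`, so a failure on a later layer returns with entries already added. Whether that needs cleanup depends on code outside the hunk, since Snapshot starts before and continues after it.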

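--- a/distribution/pull_v2.go
+++ b/distribution/pull_v2.go
@@ -528,6 +528,9 @@ func (p *v2Puller) pullSchema1(ctx context.Context, ref reference.Reference, unv
 // to top-most, so that the downloads slice gets ordered correctly.
 for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
 blobSum := verifiedManifest.FSLayers[i].BlobSum
+if err = blobSum.Validate(); err != nil {
+return "", "", errors.Wrapf(err, "could not validate layer digest %q", blobSum)
+}
 
 var throwAway struct {
 ThrowAway bool `json:"throwaway,omitempty"`
@@ -626,6 +629,9 @@ func (p *v2Puller) pullSchema2Layers(ctx context.Context, target distribution.De
 // Note that the order of this loop is in the direction of bottom-most
 // to top-most, so that the downloads slice gets ordered correctly.
 for _, d := range layers {
+if err := d.Digest.Validate(); err != nil {
+return "", errors.Wrapf(err, "could not validate layer digest %q", d.Digest)
+}
 layerDescriptor := &v2LayerDescriptor{
 digest: d.Digest,
 repo: p.repo,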
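Review bot: No regression test accompanies the new digest checks in pullSchema1 and pullSchema2Layers; the diffstat lists only the two source files, so nothing pins that a manifest carrying a malformed layer digest now returns an error instead of crashing the daemon. A test that feeds each function a manifest with an invalid `BlobSum` / `Digest` and asserts the wrapped "could not validate layer digest" error would guard this. The checks sit at the consuming loops rather than where the manifest is verified, so other digests in the manifest (for example the one on the `target` descriptor) are presumably still used unvalidated unless handled outside these hunks; that is worth confirming. A short comment above each check, e.g. `// Reject malformed digests from the registry before they are used (CVE-2021-21285).`, would keep the guard from later being removed as redundant. Both functions start and end outside the hunks.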
