moby-containerd-cc: sync to v1.7.7 (#8649)

SPECS/moby-containerd-cc/CVE-2023-44487.patch

@@ -0,0 +1,152 @@
+From 84b30b3380727ea94e05c438ab695ea24e38fb0c Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Fri, 6 Oct 2023 09:51:19 -0700
+Subject: [PATCH] http2: limit maximum handler goroutines to
+ MaxConcurrentStreams
+
+When the peer opens a new stream while we have MaxConcurrentStreams
+handler goroutines running, defer starting a handler until one
+of the existing handlers exits.
+
+Fixes golang/go#63417
+Fixes CVE-2023-39325
+
+Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Ian Cottrell <iancottrell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/534215
+Reviewed-by: Michael Pratt <mpratt@google.com>
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Damien Neil <dneil@google.com>
+
+Modified to apply to vendored code by: Daniel McIlvaney <damcilva@microsoft.com>
+ - Adjusted paths
+ - Removed reference to server_test.go
+---
+ .../vendor/golang.org/x/net/http2/server.go   | 66 ++++++++++++++++++-
+ 1 file changed, 64 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index 8cb14f3..6000140 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -581,9 +581,11 @@ type serverConn struct {
+ 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
+ 	curClientStreams            uint32 // number of open streams initiated by the client
+ 	curPushedStreams            uint32 // number of open streams initiated by server push
++	curHandlers                 uint32 // number of running handler goroutines
+ 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
+ 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
+ 	streams                     map[uint32]*stream
++	unstartedHandlers           []unstartedHandler
+ 	initialStreamSendWindowSize int32
+ 	maxFrameSize                int32
+ 	peerMaxHeaderListSize       uint32            // zero means unknown (default)
+@@ -981,6 +983,8 @@ func (sc *serverConn) serve() {
+ 					return
+ 				case gracefulShutdownMsg:
+ 					sc.startGracefulShutdownInternal()
++				case handlerDoneMsg:
++					sc.handlerDone()
+ 				default:
+ 					panic("unknown timer")
+ 				}
+@@ -1028,6 +1032,7 @@ var (
+ 	idleTimerMsg        = new(serverMessage)
+ 	shutdownTimerMsg    = new(serverMessage)
+ 	gracefulShutdownMsg = new(serverMessage)
++	handlerDoneMsg      = new(serverMessage)
+ )
+
+ func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
+@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
+ 		}
+ 	}
+
+-	go sc.runHandler(rw, req, handler)
+-	return nil
++	return sc.scheduleHandler(id, rw, req, handler)
+ }
+
+ func (sc *serverConn) upgradeRequest(req *http.Request) {
+@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) {
+ 		sc.conn.SetReadDeadline(time.Time{})
+ 	}
+
++	// This is the first request on the connection,
++	// so start the handler directly rather than going
++	// through scheduleHandler.
++	sc.curHandlers++
+ 	go sc.runHandler(rw, req, sc.handler.ServeHTTP)
+ }
+
+@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response
+ 	return &responseWriter{rws: rws}
+ }
+
++type unstartedHandler struct {
++	streamID uint32
++	rw       *responseWriter
++	req      *http.Request
++	handler  func(http.ResponseWriter, *http.Request)
++}
++
++// scheduleHandler starts a handler goroutine,
++// or schedules one to start as soon as an existing handler finishes.
++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
++	sc.serveG.check()
++	maxHandlers := sc.advMaxStreams
++	if sc.curHandlers < maxHandlers {
++		sc.curHandlers++
++		go sc.runHandler(rw, req, handler)
++		return nil
++	}
++	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
++		return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))
++	}
++	sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
++		streamID: streamID,
++		rw:       rw,
++		req:      req,
++		handler:  handler,
++	})
++	return nil
++}
++
++func (sc *serverConn) handlerDone() {
++	sc.serveG.check()
++	sc.curHandlers--
++	i := 0
++	maxHandlers := sc.advMaxStreams
++	for ; i < len(sc.unstartedHandlers); i++ {
++		u := sc.unstartedHandlers[i]
++		if sc.streams[u.streamID] == nil {
++			// This stream was reset before its goroutine had a chance to start.
++			continue
++		}
++		if sc.curHandlers >= maxHandlers {
++			break
++		}
++		sc.curHandlers++
++		go sc.runHandler(u.rw, u.req, u.handler)
++		sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
++	}
++	sc.unstartedHandlers = sc.unstartedHandlers[i:]
++	if len(sc.unstartedHandlers) == 0 {
++		sc.unstartedHandlers = nil
++	}
++}
++
+ // Run on its own goroutine.
+ func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
++	defer sc.sendServeMsg(handlerDoneMsg)
+ 	didPanic := true
+ 	defer func() {
+ 		rw.rws.stream.cancelCtx()
+--
+2.33.8

SPECS/moby-containerd-cc/CVE-2023-47108.patch

@@ -0,0 +1,71 @@
+diff --git a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
+index b74d558..709f995 100644
+--- a/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
++++ b/vendor/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc/interceptor.go
+@@ -82,7 +82,7 @@ func UnaryClientInterceptor(opts ...Option) grpc.UnaryClientInterceptor {
+ 			return invoker(ctx, method, req, reply, cc, callOpts...)
+ 		}
+ 
+-		name, attr := spanInfo(method, cc.Target())
++		name, attr, _ := telemetryAttributes(method, cc.Target())
+ 		var span trace.Span
+ 		ctx, span = tracer.Start(
+ 			ctx,
+@@ -257,7 +257,7 @@ func StreamClientInterceptor(opts ...Option) grpc.StreamClientInterceptor {
+ 			return streamer(ctx, desc, cc, method, callOpts...)
+ 		}
+ 
+-		name, attr := spanInfo(method, cc.Target())
++		name, attr, _ := telemetryAttributes(method, cc.Target())
+ 		var span trace.Span
+ 		ctx, span = tracer.Start(
+ 			ctx,
+@@ -321,7 +321,7 @@ func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
+ 
+ 		ctx = extract(ctx, cfg.Propagators)
+ 
+-		name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx))
++		name, attr, metricAttrs := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
+ 		ctx, span := tracer.Start(
+ 			trace.ContextWithRemoteSpanContext(ctx, trace.SpanContextFromContext(ctx)),
+ 			name,
+@@ -335,8 +335,8 @@ func UnaryServerInterceptor(opts ...Option) grpc.UnaryServerInterceptor {
+ 		var statusCode grpc_codes.Code
+ 		defer func(t time.Time) {
+ 			elapsedTime := time.Since(t) / time.Millisecond
+-			attr = append(attr, semconv.RPCGRPCStatusCodeKey.Int64(int64(statusCode)))
+-			cfg.rpcServerDuration.Record(ctx, int64(elapsedTime), attr...)
++			attr = append(metricAttrs, semconv.RPCGRPCStatusCodeKey.Int64(int64(statusCode)))
++			cfg.rpcServerDuration.Record(ctx, int64(elapsedTime), metricAttrs...)
+ 		}(time.Now())
+ 
+ 		resp, err := handler(ctx, req)
+@@ -423,7 +423,7 @@ func StreamServerInterceptor(opts ...Option) grpc.StreamServerInterceptor {
+ 
+ 		ctx = extract(ctx, cfg.Propagators)
+ 
+-		name, attr := spanInfo(info.FullMethod, peerFromCtx(ctx))
++		name, attr, _ := telemetryAttributes(info.FullMethod, peerFromCtx(ctx))
+ 		ctx, span := tracer.Start(
+ 			trace.ContextWithRemoteSpanContext(ctx, trace.SpanContextFromContext(ctx)),
+ 			name,
+@@ -445,14 +445,15 @@ func StreamServerInterceptor(opts ...Option) grpc.StreamServerInterceptor {
+ 	}
+ }
+ 
+-// spanInfo returns a span name and all appropriate attributes from the gRPC
+-// method and peer address.
+-func spanInfo(fullMethod, peerAddress string) (string, []attribute.KeyValue) {
++// telemetryAttributes returns a span name and span and metric attributes from
++// the gRPC method and peer address.
++func telemetryAttributes(fullMethod, peerAddress string) (string, []attribute.KeyValue, []attribute.KeyValue) {
+ 	attrs := []attribute.KeyValue{RPCSystemGRPC}
+ 	name, mAttrs := internal.ParseFullMethod(fullMethod)
+ 	attrs = append(attrs, mAttrs...)
++	metricAttrs := attrs[:1+len(mAttrs)]
+ 	attrs = append(attrs, peerAttr(peerAddress)...)
+-	return name, attrs
++	return name, attrs, metricAttrs
+ }
+ 
+ // peerAttr returns attributes about the peer address.

SPECS/moby-containerd-cc/fix_cc_tests_for_golang1.21.patch

@@ -0,0 +1,47 @@
+Backported from upstream 5d9bf7d1398f645882e5c2becc7815daa1770c26
+
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Signed-off-by: Henry Beberman <henry.beberman@microsoft.com>
+
+diff -Naur a/contrib/apparmor/apparmor.go b/contrib/apparmor/apparmor.go
+--- a/contrib/apparmor/apparmor.go	2024-02-09 13:19:03.000000000 +0000
++++ b/contrib/apparmor/apparmor.go	2024-02-22 00:22:43.993021818 +0000
+@@ -39,6 +39,11 @@
+ 
+ // WithDefaultProfile will generate a default apparmor profile under the provided name
+ // for the container.  It is only generated if a profile under that name does not exist.
++//
++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
++// since Go 1.21.
++//
++//go:noinline
+ func WithDefaultProfile(name string) oci.SpecOpts {
+ 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+ 		if err := LoadDefaultProfile(name); err != nil {
+diff -Naur a/contrib/seccomp/seccomp.go b/contrib/seccomp/seccomp.go
+--- a/contrib/seccomp/seccomp.go	2024-02-09 13:19:03.000000000 +0000
++++ b/contrib/seccomp/seccomp.go	2024-02-22 00:49:25.471844786 +0000
+@@ -30,6 +30,11 @@
+ // WithProfile receives the name of a file stored on disk comprising a json
+ // formatted seccomp profile, as specified by the opencontainers/runtime-spec.
+ // The profile is read from the file, unmarshaled, and set to the spec.
++//
++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
++// since Go 1.21.
++//
++//go:noinline
+ func WithProfile(profile string) oci.SpecOpts {
+ 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+ 		s.Linux.Seccomp = &specs.LinuxSeccomp{}
+@@ -46,6 +51,11 @@
+ 
+ // WithDefaultProfile sets the default seccomp profile to the spec.
+ // Note: must follow the setting of process capabilities
++//
++// FIXME: pkg/cri/[sb]server/container_create_linux_test.go depends on go:noinline
++// since Go 1.21.
++//
++//go:noinline
+ func WithDefaultProfile() oci.SpecOpts {
+ 	return func(_ context.Context, _ oci.Client, _ *containers.Container, s *specs.Spec) error {
+ 		s.Linux.Seccomp = DefaultProfile(s)

SPECS/moby-containerd-cc/moby-containerd-cc.signatures.json

@@ -1,7 +1,7 @@
 {
-  "Signatures": {
-    "containerd.service": "a07bfcf412669b06673190b0779f48e652c9adcf1758289e849a00802804eec8",
-    "containerd.toml": "a228a28965a30845c10bae150fb5bc60a07f5bc0f78d5b17bfaa6cf48a47a7ca",
-    "moby-containerd-cc-1.7.1.tar.gz": "f8969a4e03d42f49a7788d2021f38861f34c9136829a2906fcbd9a0bf79c8f96"
-  }
+ "Signatures": {
+  "containerd.service": "a07bfcf412669b06673190b0779f48e652c9adcf1758289e849a00802804eec8",
+  "containerd.toml": "a228a28965a30845c10bae150fb5bc60a07f5bc0f78d5b17bfaa6cf48a47a7ca",
+  "moby-containerd-cc-1.7.7.tar.gz": "90cfcd3b2776f1b0869f8ca37513963de5f2305b81b409c84804297217f8414b"
+ }
 }

SPECS/moby-containerd-cc/moby-containerd-cc.spec

@@ -1,21 +1,24 @@
 %global debug_package %{nil}
 %define upstream_name containerd-cc
 %define upstream_repo confidential-containers-containerd
-%define commit_hash 4a2809f776500dfb8e4ed33db7f4e05ed68edfbf
+%define commit_hash e55e17bb9c75834c863d422bc38b54b0056e467a
 
 Summary: Industry-standard container runtime for confidential containers
 Name: moby-%{upstream_name}
-Version: 1.7.1
-Release: 9%{?dist}
+Version: 1.7.7
+Release: 3%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
 Vendor: Microsoft Corporation
-Distribution:   Azure Linux
+Distribution: Azure Linux
 
 Source0:  https://github.com/microsoft/confidential-containers-containerd/archive/refs/tags/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: containerd.service
 Source2: containerd.toml
+Patch0: CVE-2023-47108.patch
+Patch1: CVE-2023-44487.patch
+Patch2: fix_cc_tests_for_golang1.21.patch
 
 %{?systemd_requires}
 
@@ -73,14 +76,32 @@ fi
 %config(noreplace) %{_sysconfdir}/containerd/config.toml
 
 %changelog
+* Mon Apr 08 2024 Mitch Zhu <mitchzhu@microsoft.com> - 1.7.7-3
+- Drop obsolete btrfs-progs-devel build dependency
+
 * Mon Apr 01 2024 Henry Beberman <henry.beberman@microsoft.com> - 1.7.1-9
 - Remove Obsoletes containerd as it was causing dnf to pick moby-containerd-cc over containerd.
 
 * Fri Mar 08 2024 Henry Beberman <henry.beberman@microsoft.com> - 1.7.1-8
 - Add OOMScoreAdjust -999 to containerd.service
 
-* Wed Mar 06 2024 Manuel Huber <mahuber@microsoft.com> - 1.7.1-7
-- Drop obsolete 'btrfs-progs-devel' build dependency
+* Wed Feb 21 2024 Henry Beberman <henry.beberman@microsoft.com> - 1.7.7-2
+- Backport upstream patch for no-inlining seccomp and apparmor functions to fix tests.
+
+* Tue Feb 20 2024 Mitch Zhu <mitchzhu@microsoft.com> - 1.7.7-1
+- Upgrade to upstream containerd v1.7.7.
+
+* Fri Feb 02 2024 Daniel McIlvaney <damcilva@microsoft.com> - 1.7.2-4
+- Address CVE-2023-44487 by patching vendored golang.org/x/net
+
+* Wed Dec 20 2023 Manuel Huber <mahuber@microsoft.com> - 1.7.2-3
+- Set oom_score_adj of containerd to -999
+
+* Wed Nov 23 2023 Bala <balakumaran.kannan@gmail.com> - 1.7.2-2
+- Fix CVE-2023-47108 by backporting the fix made for otel-grpc-0.40.0
+
+* Fri Nov 08 2023 Saul Paredes <saulparedes@microsoft.com> - 1.7.2-1
+- Always add TargetLayerDigestLabel label to snapshots
 
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.7.1-6
 - Bump release to rebuild with go 1.20.10
@@ -97,13 +118,13 @@ fi
 * Thu Jun 15 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.7.1-2
 - Bump release to rebuild with go 1.19.10
 
-*   Mon May 22 2023 Dallas Delaney <dadelan@microsoft.com> - 1.7.1-1
--   Fix unit test arguments for TestSnapshotterFromPodSandboxConfig
+* Mon May 22 2023 Dallas Delaney <dadelan@microsoft.com> - 1.7.1-1
+- Fix unit test arguments for TestSnapshotterFromPodSandboxConfig
 
-*   Wed May 17 2023 Dallas Delaney <dadelan@microsoft.com> - 1.7.0-2
--   Add build version dependency on golang
+* Wed May 17 2023 Dallas Delaney <dadelan@microsoft.com> - 1.7.0-2
+- Add build version dependency on golang
 
-*   Tue Apr 25 2023 Dallas Delaney <dadelan@microsoft.com> - 1.7.0-1
--   Add initial spec
--   License verified.
--   Original version for CBL-Mariner
+* Tue Apr 25 2023 Dallas Delaney <dadelan@microsoft.com> - 1.7.0-1
+- Add initial spec
+- License verified.
+- Original version for CBL-Mariner

cgmanifest.json

@@ -13142,8 +13142,8 @@
         "type": "other",
         "other": {
           "name": "moby-containerd-cc",
-          "version": "1.7.1",
-          "downloadUrl": "https://github.com/microsoft/confidential-containers-containerd/archive/refs/tags/1.7.1.tar.gz"
+          "version": "1.7.7",
+          "downloadUrl": "https://github.com/microsoft/confidential-containers-containerd/archive/refs/tags/1.7.7.tar.gz"
         }
       }
     },