From 732f77064830bb91062d475407b761ade2e4fe6b Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Tue, 1 Oct 2024 11:01:45 -0400 Subject: [PATCH] CVE-2024-9407: validate "bind-propagation" flag settings CVE-2024-9407: validate that the value for the "bind-propagation" flag when handling "bind" and "cache" mounts in `buildah run` or in RUN instructions is one of the values that we would accept without the "bind-propagation=" prefix. Signed-off-by: Nalin Dahyabhai --- internal/volumes/volumes.go | 12 ++++++++++++ tests/bud.bats | 25 +++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go index 3d20ccb6899..ab97f80aea9 100644 --- a/internal/volumes/volumes.go +++ b/internal/volumes/volumes.go @@ -104,6 +104,12 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st if !hasArgValue { return newMount, "", fmt.Errorf("%v: %w", argName, errBadOptionArg) } + switch argValue { + default: + return newMount, "", fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption) + case "shared", "rshared", "private", "rprivate", "slave", "rslave": + // this should be the relevant parts of the same list of options we accepted above + } newMount.Options = append(newMount.Options, argValue) case "src", "source": if !hasArgValue { @@ -276,6 +282,12 @@ func GetCacheMount(args []string, _ storage.Store, _ string, additionalMountPoin if !hasArgValue { return newMount, nil, fmt.Errorf("%v: %w", argName, errBadOptionArg) } + switch argValue { + default: + return newMount, nil, fmt.Errorf("%v: %q: %w", argName, argValue, errBadMntOption) + case "shared", "rshared", "private", "rprivate", "slave", "rslave": + // this should be the relevant parts of the same list of options we accepted above + } newMount.Options = append(newMount.Options, argValue) case "id": if !hasArgValue { diff --git a/tests/bud.bats b/tests/bud.bats index 0a5c66ba345..76f7005a61a 100644 --- a/tests/bud.bats +++ b/tests/bud.bats @@ -6946,3 +6946,28 @@ _EOF run_buildah run testctr -- sh -c 'cd podman-tag && git ls-remote --tags origin v5.0.0^{} | cut -f1' assert "$output" = "$local_head_hash" } + +@test "build-validates-bind-bind-propagation" { + _prefetch alpine + + cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF +FROM alpine as base +FROM alpine +RUN --mount=type=bind,from=base,source=/,destination=/var/empty,rw,bind-propagation=suid pwd +_EOF + + run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR} + expect_output --substring "invalid mount option" +} + +@test "build-validates-cache-bind-propagation" { + _prefetch alpine + + cat > ${TEST_SCRATCH_DIR}/Containerfile << _EOF +FROM alpine +RUN --mount=type=cache,destination=/var/empty,rw,bind-propagation=suid pwd +_EOF + + run_buildah 125 build $WITH_POLICY_JSON ${TEST_SCRATCH_DIR} + expect_output --substring "invalid mount option" +}