diff options
Diffstat (limited to '0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch')
| -rw-r--r-- | 0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch | 202 |
1 files changed, 202 insertions, 0 deletions
diff --git a/0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch b/0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch new file mode 100644 index 0000000..72b7774 --- /dev/null +++ b/0029-image-ensure-id-of-loaded-and-pulled-image-is-valid.patch @@ -0,0 +1,202 @@ +From 460c943125d9eca7cb4259d42c6c008a709e9dbe Mon Sep 17 00:00:00 2001 +From: haozi007 <liuhao27@huawei.com> +Date: Wed, 23 Aug 2023 15:42:42 +0800 +Subject: [PATCH 29/33] [image] ensure id of loaded and pulled image is valid + +Signed-off-by: haozi007 <liuhao27@huawei.com> +--- + src/daemon/modules/image/oci/oci_import.c | 14 ++++++++++--- + src/daemon/modules/image/oci/oci_load.c | 21 ++++++------------- + .../modules/image/oci/registry/registry.c | 8 ++++++- + src/daemon/modules/image/oci/utils_images.c | 17 ++++++++++++++- + src/daemon/modules/image/oci/utils_images.h | 3 +++ + src/utils/cutils/utils.h | 2 -- + src/utils/sha256/sha256.c | 1 - + 7 files changed, 43 insertions(+), 23 deletions(-) + +diff --git a/src/daemon/modules/image/oci/oci_import.c b/src/daemon/modules/image/oci/oci_import.c +index 1e14a916..0568c23f 100644 +--- a/src/daemon/modules/image/oci/oci_import.c ++++ b/src/daemon/modules/image/oci/oci_import.c +@@ -93,7 +93,7 @@ static int register_layer(import_desc *desc) + return -1; + } + +- id = util_without_sha256_prefix(desc->uncompressed_digest); ++ id = oci_image_id_from_digest(desc->uncompressed_digest); + if (id == NULL) { + ERROR("Invalid NULL param"); + return -1; +@@ -315,8 +315,16 @@ static int register_image(import_desc *desc) + opts.create_time = &desc->now_time; + opts.digest = desc->manifest_digest; + +- image_id = util_without_sha256_prefix(desc->config_digest); +- top_layer_id = util_without_sha256_prefix(desc->uncompressed_digest); ++ image_id = oci_image_id_from_digest(desc->config_digest); ++ if (image_id == NULL) { ++ ret = -1; ++ goto out; ++ } ++ top_layer_id = oci_image_id_from_digest(desc->uncompressed_digest); ++ if (top_layer_id == NULL) { ++ ret = -1; ++ goto out; ++ } + ret = storage_img_create(image_id, top_layer_id, NULL, &opts); + if (ret != 0) { + pre_top_layer = storage_get_img_top_layer(image_id); +diff --git a/src/daemon/modules/image/oci/oci_load.c b/src/daemon/modules/image/oci/oci_load.c +index fd707330..31ae3849 100644 +--- a/src/daemon/modules/image/oci/oci_load.c ++++ b/src/daemon/modules/image/oci/oci_load.c +@@ -290,16 +290,6 @@ out: + return full_digest; + } + +-static char *oci_load_without_sha256_prefix(char *digest) +-{ +- if (digest == NULL) { +- ERROR("Invalid digest NULL when strip sha256 prefix"); +- return NULL; +- } +- +- return digest + strlen(SHA256_PREFIX); +-} +- + static int registry_layer_from_tarball(const load_layer_blob_t *layer, const char *id, const char *parent) + { + int ret = 0; +@@ -345,7 +335,7 @@ static int oci_load_register_layers(load_image_t *desc) + } + + for (i = 0; i < desc->layers_len; i++) { +- id = oci_load_without_sha256_prefix(desc->layers[i]->chain_id); ++ id = oci_image_id_from_digest(desc->layers[i]->chain_id); + if (id == NULL) { + ERROR("layer %zu have NULL digest for image %s", i, desc->im_id); + ret = -1; +@@ -457,7 +447,7 @@ static int oci_load_create_image(load_image_t *desc, const char *dst_tag) + top_layer_index = desc->layers_len - 1; + opts.create_time = ×tamp; + opts.digest = desc->manifest_digest; +- top_layer_id = oci_load_without_sha256_prefix(desc->layers[top_layer_index]->chain_id); ++ top_layer_id = oci_image_id_from_digest(desc->layers[top_layer_index]->chain_id); + if (top_layer_id == NULL) { + ERROR("NULL top layer id found for image %s", desc->im_id); + ret = -1; +@@ -764,7 +754,7 @@ static int oci_load_set_layers_info(load_image_t *im, const image_manifest_items + } + parent_chain_id_sha256 = im->layers[i]->chain_id; + +- id = oci_load_without_sha256_prefix(im->layers[i]->chain_id); ++ id = oci_image_id_from_digest(im->layers[i]->chain_id); + if (id == NULL) { + ERROR("Wipe out sha256 prefix failed from layer with chain id : %s", im->layers[i]->chain_id); + ret = -1; +@@ -832,7 +822,8 @@ static load_image_t *oci_load_process_manifest(const image_manifest_items_elemen + goto out; + } + +- image_id = oci_load_without_sha256_prefix(image_digest); ++ // call util_valid_digest to ensure digest is valid, so image id is valid ++ image_id = oci_image_id_from_digest(image_digest); + if (image_id == NULL) { + ret = -1; + ERROR("Remove sha256 prefix error from image digest %s", image_digest); +@@ -872,7 +863,7 @@ static int64_t get_layer_size_from_storage(char *chain_id_pre) + return -1; + } + +- id = oci_load_without_sha256_prefix(chain_id_pre); ++ id = oci_image_id_from_digest(chain_id_pre); + if (id == NULL) { + ERROR("Get chain id failed from value:%s", chain_id_pre); + return -1; +diff --git a/src/daemon/modules/image/oci/registry/registry.c b/src/daemon/modules/image/oci/registry/registry.c +index 35753c79..4124281d 100644 +--- a/src/daemon/modules/image/oci/registry/registry.c ++++ b/src/daemon/modules/image/oci/registry/registry.c +@@ -877,7 +877,13 @@ static int register_image(pull_descriptor *desc) + + // lock when create image to make sure image content all exist + mutex_lock(&g_shared->image_mutex); +- image_id = util_without_sha256_prefix(desc->config.digest); ++ image_id = oci_image_id_from_digest(desc->config.digest); ++ if (image_id == NULL) { ++ ERROR("Invalid digest: %s", desc->config.digest); ++ isulad_try_set_error_message("invalid image digest: %s", desc->config.digest); ++ ret = -1; ++ goto out; ++ } + ret = create_image(desc, image_id, &reuse); + if (ret != 0) { + ERROR("create image %s failed", desc->image_name); +diff --git a/src/daemon/modules/image/oci/utils_images.c b/src/daemon/modules/image/oci/utils_images.c +index 4342db5b..f92ee59a 100644 +--- a/src/daemon/modules/image/oci/utils_images.c ++++ b/src/daemon/modules/image/oci/utils_images.c +@@ -691,4 +691,19 @@ int oci_split_search_name(const char *search_name, char **host, char **name) + + return 0; + } +-#endif +\ No newline at end of file ++#endif ++ ++char *oci_image_id_from_digest(char *digest) ++{ ++ if (digest == NULL) { ++ ERROR("Empty digest"); ++ return NULL; ++ } ++ ++ if (!util_valid_digest(digest)) { ++ ERROR("Load image with invalid digest: %s", digest); ++ return NULL; ++ } ++ ++ return digest + strlen(SHA256_PREFIX); ++} +diff --git a/src/daemon/modules/image/oci/utils_images.h b/src/daemon/modules/image/oci/utils_images.h +index 2238bb91..ea0fb20a 100644 +--- a/src/daemon/modules/image/oci/utils_images.h ++++ b/src/daemon/modules/image/oci/utils_images.h +@@ -61,6 +61,9 @@ char *get_hostname_to_strip(void); + + char *oci_image_digest_pos(const char *name); + ++// return a pointer to digest string without 'sha256:' prefix ++char *oci_image_id_from_digest(char *digest); ++ + #ifdef __cplusplus + } + #endif +diff --git a/src/utils/cutils/utils.h b/src/utils/cutils/utils.h +index 83b20e5e..3acf0698 100644 +--- a/src/utils/cutils/utils.h ++++ b/src/utils/cutils/utils.h +@@ -388,8 +388,6 @@ int util_generate_random_str(char *id, size_t len); + + int util_check_inherited_exclude_fds(bool closeall, int *fds_to_ignore, size_t len_fds); + +-char *util_without_sha256_prefix(char *digest); +- + int util_normalized_host_os_arch(char **host_os, char **host_arch, char **host_variant); + + int util_read_pid_ppid_info(uint32_t pid, pid_ppid_info_t *pid_info); +diff --git a/src/utils/sha256/sha256.c b/src/utils/sha256/sha256.c +index 54cc2862..4e692355 100644 +--- a/src/utils/sha256/sha256.c ++++ b/src/utils/sha256/sha256.c +@@ -388,7 +388,6 @@ char *sha256_full_digest_str(char *str) + char *util_without_sha256_prefix(char *digest) + { + if (digest == NULL || !util_has_prefix(digest, SHA256_PREFIX)) { +- ERROR("Invalid digest when strip sha256 prefix"); + return NULL; + } + +-- +2.40.1 + |