From: Brian Goff
Date: Mon, 12 Oct 2020 18:08:28 +0000 (+0000)
Subject: [PATCH] pull: Validate layer digest format
X-Git-Tag: archive/raspbian/18.09.1+dfsg1-7.1+rpi1+deb10u3^2~20
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=a84d20778d287d7a85f2ce1d2e6fdd4604126033;p=docker.io.git
[PATCH] pull: Validate layer digest format
Otherwise a malformed or empty digest may cause a panic.
Signed-off-by: Brian Goff
(cherry picked from commit a7d4af84bd2f189b921c3ec60796aa825e3a0f2a)
Signed-off-by: Tibor Vass
Gbp-Pq: Name cve-2021-21285.patch
---
diff --git a/engine/builder/builder-next/adapters/containerimage/pull.go b/engine/builder/builder-next/adapters/containerimage/pull.go
index b1e44d95..51a9783c 100644
--- a/engine/builder/builder-next/adapters/containerimage/pull.go
+++ b/engine/builder/builder-next/adapters/containerimage/pull.go
@@ -496,6 +496,9 @@ func (p *puller) Snapshot(ctx context.Context) (cache.ImmutableRef, error) {
 layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers))
 for i, desc := range mfst.Layers {
+ if err := desc.Digest.Validate(); err != nil {
+ return nil, errors.Wrap(err, "layer digest could not be validated")
+ }
 ongoing.add(desc)
 layers = append(layers, &layerDescriptor{
 desc: desc,
diff --git a/engine/distribution/pull_v2.go b/engine/distribution/pull_v2.go
index 8f05cfa0..2c96570b 100644
--- a/engine/distribution/pull_v2.go
+++ b/engine/distribution/pull_v2.go
@@ -462,6 +462,9 @@ func (p *v2Puller) pullSchema1(ctx context.Context, ref reference.Reference, unv
 // to top-most, so that the downloads slice gets ordered correctly.
 for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
 blobSum := verifiedManifest.FSLayers[i].BlobSum
+ if err = blobSum.Validate(); err != nil {
+ return "", "", errors.Wrapf(err, "could not validate layer digest %q", blobSum)
+ }
 var throwAway struct {
 ThrowAway bool `json:"throwaway,omitempty"`
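Review bot: The error returned from the new check in Snapshot does not say which layer failed: `errors.Wrap(err, "layer digest could not be validated")` leaves out both the digest and the loop index `i`, while the two pull_v2.go hunks include the digest with `%q`. The digest comes from the pulled manifest, so quoting it with `%q` keeps an empty or odd value visible and escaped in logs. I would write `return nil, errors.Wrapf(err, "could not validate layer digest %q (layer %d)", desc.Digest, i)`. Snapshot's body starts and ends outside the hunk.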
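Review bot: In pullSchema1 the check runs inside the download loop, after the manifest has already been accepted as `verifiedManifest`, so a well-formed `BlobSum` is enforced only for this one consumer. If the step that produces `verifiedManifest` (outside this hunk) rejected malformed digests itself, every later use of `FSLayers` would be covered; the same applies to the `mfst.Layers` loop in pullSchema2. Separately, this hunk assigns with `err =` where the other two use `if err := …`; that is harmless given the immediate return, but it presumably writes to an outer `err`, and the scoped form `if err := blobSum.Validate(); err != nil {` would match the others. The function's signature is truncated in the hunk header and its body continues outside the hunk.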
@@ -566,6 +569,9 @@ func (p *v2Puller) pullSchema2(ctx context.Context, ref reference.Named, mfst *s
 // Note that the order of this loop is in the direction of bottom-most
 // to top-most, so that the downloads slice gets ordered correctly.
 for _, d := range mfst.Layers {
+ if err := d.Digest.Validate(); err != nil {
+ return "", "", errors.Wrapf(err, "could not validate layer digest %q", d.Digest)
+ }
 layerDescriptor := &v2LayerDescriptor{
 digest: d.Digest,
 repo: p.repo,
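Review bot: Only the entries of `mfst.Layers` are validated here; a schema2 manifest also carries a config descriptor whose digest comes from the same untrusted manifest, and it is not checked in the visible lines. pullSchema2 continues outside the hunk, so it may be validated elsewhere, but if it is not, the same `Validate()` call before its first use would close the gap. No test accompanies the change on this page. A case that feeds in a manifest with an empty layer digest and one with a malformed digest, and asserts an error rather than a panic, would pin the fix for all three loops.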