mount: null deref when not running with a userns #25241

Open
cgwalters opened this issue Feb 5, 2025 · 0 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Issue Description

I got this NULL deref when trying podman mount in a container set up for nested container builds, without outer privileges (i.e. I'd been using mount_program = fuse-overlayfs and also BUILDAH_ISOLATION=chroot):

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x56090fdff30a]

goroutine 1 gp=0xc0000041c0 m=7 mp=0xc000480008 [running]:
panic({0x5609107295c0?, 0x560911680050?})
	/usr/lib/golang/src/runtime/panic.go:804 +0x168 fp=0xc00004b5e0 sp=0xc00004b530 pc=0x56090ed0c4c8
runtime.panicmem(...)
	/usr/lib/golang/src/runtime/panic.go:262
runtime.sigpanic()
	/usr/lib/golang/src/runtime/signal_unix.go:900 +0x359 fp=0xc00004b640 sp=0xc00004b5e0 pc=0x56090ed0e8f9
github.com/containers/podman/v5/libpod.(*storageService).MountContainerImage(0x0, {0xc0000e9a00?, 0x56090faf888f?})
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/libpod/storage.go:211 +0x2a fp=0xc00004b6f8 sp=0xc00004b640 pc=0x56090fdff30a
github.com/containers/podman/v5/libpod.(*Container).mount(0xc0005168c0)
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/libpod/container_internal.go:2465 +0xe5 fp=0xc00004b7d0 sp=0xc00004b6f8 pc=0x56090fd52ac5
github.com/containers/podman/v5/libpod.(*Container).Mount(0xc0005168c0?)
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/libpod/container_api.go:417 +0xc5 fp=0xc00004b848 sp=0xc00004b7d0 pc=0x56090fd257e5
github.com/containers/podman/v5/pkg/domain/infra/abi.(*ContainerEngine).ContainerMount(0xc0001268d0, {0xcc58600b00000000?, 0xc00004b9b0?}, {0xc000297130, 0x1, 0x0?}, {0x0, {0x0, 0x0}, 0x0, ...})
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/pkg/domain/infra/abi/containers.go:1398 +0x552 fp=0xc00004ba60 sp=0xc00004b848 pc=0x56090fe735f2
github.com/containers/podman/v5/cmd/podman/containers.mount(0x5609116d2580, {0xc000296b30, 0x1, 0x1?})
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/cmd/podman/containers/mount.go:90 +0x24c fp=0xc00004bbc0 sp=0xc00004ba60 pc=0x56090ffb45cc
github.com/spf13/cobra.(*Command).execute(0x5609116d2580, {0xc000148040, 0x1, 0x1})
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/vendor/github.com/spf13/cobra/command.go:985 +0xaaa fp=0xc00004bd48 sp=0xc00004bbc0 pc=0x56090f1cc0aa
github.com/spf13/cobra.(*Command).ExecuteC(0x5609116b25c0)
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/vendor/github.com/spf13/cobra/command.go:1117 +0x3ff fp=0xc00004be20 sp=0xc00004bd48 pc=0x56090f1cc97f
github.com/spf13/cobra.(*Command).Execute(...)
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/vendor/github.com/spf13/cobra/command.go:1041
github.com/spf13/cobra.(*Command).ExecuteContext(...)
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/vendor/github.com/spf13/cobra/command.go:1034
main.Execute()
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/cmd/podman/root.go:116 +0xb4 fp=0xc00004bea8 sp=0xc00004be20 pc=0x5609100993f4
main.main()
	/builddir/build/BUILD/podman-4cbdfde5d862dcdbe450c0f1d76ad75360f67a3c/cmd/podman/main.go:61 +0x4b2 fp=0xc00004bf50 sp=0xc00004bea8 pc=0x560910098b52
runtime.main()
	/usr/lib/golang/src/runtime/proc.go:272 +0x29d fp=0xc00004bfe0 sp=0xc00004bf50 pc=0x56090ecd56bd
runtime.goexit({})
	/usr/lib/golang/src/runtime/asm_amd64.s:1700 +0x1 fp=0xc00004bfe8 sp=0xc00004bfe0 pc=0x56090ed15001

It looks like the code flow that ends up leaving this null is

logrus.Debug("Not configuring container store")

Probably a root confusion here is BUILDAH_ISOLATION=chroot not controlling podman in general?

I guess really the thing to aim for here is not using chroot isolation, but ensuring we have at least the more reasonable scenario of a userns in the outer container (actually the default for rootless). I guess all of this is effectively equivalent to containers/buildah#5818.

But anyways, just filing this in case we care; we could at least avoid crashing.

Steps to reproduce the issue

See above

Describe the results you received

panic

Describe the results you expected

At least a useful error

podman info output

# podman info
host:
  arch: amd64
  buildahVersion: 1.38.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - hugetlb
  - pids
  cgroupManager: cgroupfs
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.el10.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 99.93
    systemPercent: 0.02
    userPercent: 0.05
  cpus: 16
  databaseBackend: sqlite
  distribution:
    distribution: centos
    version: "10"
  eventLogger: file
  freeLocks: 2048
  hostname: 95494d3fbb0f
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 6.11.3-200.fc40.x86_64
  linkmode: dynamic
  logDriver: k8s-file
  memFree: 1593704448
  memTotal: 8314159104
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.el10.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.el10.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19-1.el10.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19
      commit: db31c42ac46e20b5527f5339dcbf6f023fcd539c
      rundir: /run/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20241121.g238c69f-1.el10.x86_64
    version: |
      pasta 0^20241121.g238c69f-1.el10.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: false
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 0
  swapTotal: 0
  uptime: 175h 59m 4.00s (Approximately 7.29 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.access.redhat.com
  - registry.redhat.io
  - docker.io
store:
  configFile: /usr/share/containers/storage.conf
  containerStore:
    number: 0
    paused: 0
    running: 0
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: fuse-overlayfs-1.14-2.el10.x86_64
      Version: |-
        fusermount3 version: 3.16.2
        fuse-overlayfs: version 1.13-dev
        FUSE library version 3.16.2
        using FUSE kernel interface version 7.38
    overlay.mountopt: nodev,fsync=0
  graphRoot: /var/lib/containers/storage
  graphRootAllocated: 106769133568
  graphRootUsed: 100942483456
  graphStatus:
    Backing Filesystem: overlayfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Supports shifting: "true"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/containers/storage
  transientStore: false
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 5.3.1
  Built: 1733097600
  BuiltTime: Mon Dec  2 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.23.1 (Red Hat 1.23.1-3.el10)
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.1

Podman in a container

Yes

Privileged Or Rootless

Rootless

Upstream Latest Release

Yes

Additional environment details

podman-5.3.1-3.el10.x86_64

Additional information

No response

@cgwalters cgwalters added the kind/bug Categorizes issue or PR as related to a bug. label Feb 5, 2025
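The crash in the trace is the usual Go nil-receiver failure: MountContainerImage is invoked on a (*storageService)(nil) because the runtime skipped configuring the container store, and the first field access inside the method faults. The following is an added, self-contained Go example, not podman's code, that models that shape with stand-in types (storageService, podRuntime, containerStore), shows the unguarded call panicking, and shows the guard a fix would add: check the pointer at the call site and return a descriptive error instead. The ErrNoContainerStore name, the error text, the container ID and the mount path are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNoContainerStore is returned by the guarded path instead of
// dereferencing a nil service. Hypothetical name, not podman's.
var ErrNoContainerStore = errors.New("container store is not configured")

// containerStore stands in for the containers/storage handle.
type containerStore struct {
	mounts map[string]string // container ID -> mount point (constructed data)
}

// storageService has the shape implied by the trace: a wrapper whose
// methods assume a non-nil receiver.
type storageService struct {
	store *containerStore
}

// MountContainerImage is the unguarded method. Called on a nil
// *storageService, the access to r.store is a nil-pointer dereference
// and the Go runtime raises SIGSEGV, as in the trace above.
func (r *storageService) MountContainerImage(idOrName string) (string, error) {
	path, ok := r.store.mounts[idOrName] // panics when r == nil
	if !ok {
		return "", fmt.Errorf("container %q not found", idOrName)
	}
	return path, nil
}

// podRuntime holds the service pointer; it stays nil on the
// "Not configuring container store" code path.
type podRuntime struct {
	storageService *storageService
}

// mountUnguarded reproduces the crashing flow: no check before the call.
func (rt *podRuntime) mountUnguarded(id string) (string, error) {
	return rt.storageService.MountContainerImage(id)
}

// mountGuarded is the fix: test the pointer first and return an
// actionable error instead of crashing.
func (rt *podRuntime) mountGuarded(id string) (string, error) {
	if rt.storageService == nil {
		return "", fmt.Errorf("mount %s: %w (running without a user namespace?)", id, ErrNoContainerStore)
	}
	return rt.storageService.MountContainerImage(id)
}

// callCatchingPanic runs fn and reports whether it panicked, so both
// paths can be compared in one process.
func callCatchingPanic(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	noStore := &podRuntime{} // storageService == nil, as in the report

	if callCatchingPanic(func() { _, _ = noStore.mountUnguarded("abc123") }) {
		fmt.Println("unguarded: nil pointer dereference")
	}
	if _, err := noStore.mountGuarded("abc123"); err != nil {
		fmt.Println("guarded:", err)
	}

	// Constructed store so the happy path is visible too.
	withStore := &podRuntime{storageService: &storageService{store: &containerStore{
		mounts: map[string]string{"abc123": "/var/lib/containers/storage/overlay/deadbeef/merged"},
	}}}
	p, err := withStore.mountGuarded("abc123")
	fmt.Println("with store:", p, err)
}
```

The check belongs at the call site that owns the pointer (the runtime), not inside the method: a method running on a nil receiver has nothing to report beyond the panic, whereas the owner knows why the store was never configured and can say so in the error.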