src/libcrun: fix handling of device paths with trailing slashes

[sohankunkerkar]

This change handles device paths with trailing slashes correctly. It address the following issue when we use crun as the default container runtime:

Error: container create failed: mknod `/mnt/`: No such file or directory .

[haircommander]

FYI this came up because of kubernetes/kubernetes#126641

[haircommander]

I think SecureJoin is why this works for runc

[packit-as-a-service]

podman system tests failed. @containers/packit-build please check.

[kolyshkin]

This won't work if there are two slashes at the end (which is otherwise OK).

[kolyshkin]

Basically need to replace if with while.

[kolyshkin]

Having said that, I'd rather fix it in e.g. cri-o. Asking to create a block device with a slash at the end is somewhat weird.

OTOH runc for some reason works.

[rhatdan]

I agree CRI-O is handing crun garbage. I am fine with fixing this, but the real source of the problem is a device with a trailing "/" is and invalid device.

[sohankunkerkar]

OTOH runc for some reason works.

#1517 (comment)

[kwilczynski]

@haircommander, should we try to handle this in CRI-O before it even gets to a runtime?

[haircommander]

we could for sure, the code would be easier to write in go

[sohankunkerkar]

I wouldn't mind handling this in CRI-O. The only caveat is that if some other CRI implementation hits the same issue, then they might question the crun code because this case is already handled in runc

[haircommander]

I think that's a "cross the bridge when we get there" scenario. This was opened up because it's a bug in the test and it's arguable whether runc should even silently allow it (it's undefined in the runtime spec).

[kwilczynski]

Yeah, I would prefer, personally, that the user receive feedback earlier that their path is not conformant (per what @rhatdan said above) rather than us correcting it behind the scenes, so to speak.

If not, then we need to clean the paths up in runc and crun, too. Perhaps even in CRI-O as the first line of defence against malformed values.

[kwilczynski]

consume_trailing_slashes(normalized_path);

See my other comment below.

[kwilczynski]

The previous code looks for the directory name and base directory. We can update it a bit, given the use of normalized_path, or keep it at large as-is per the current version.

cleanup_close int dirfd = -1;
cleanup_free char dirname = NULL;
char *basename, *found;

dirname = strdup(normalized_path);

found = strrchr(dirname, '/');
*found = '\0';

basename = found + 1;

[sohankunkerkar]

Okay, I think the previous implementation will still work, but the dirname points to the same memory as normalized_path and any modifications to dirname would also affect normalized_path, which can lead to unintended result if not handled properly. I believe we need a slight modification the code you suggested. Thanks for the pointers.

          cleanup_close int dirfd = -1;
          cleanup_free char *dirname = NULL;
          char *basename, *found;

          dirname = strdup (normalized_path);

          found = strrchr (dirname, '/');
          if (found)
              *found = '\0';

          basename = found + 1;

[kwilczynski]

@sohankunkerkar, we might have to add a special case, if possible, where the path would be simply a single forward slash (so "/") or any value that is not a path, like "test" (not sure if ever possible to get such a value), then the code would misbehave.

Problematic values: "" (empty string; strlen() == 0), "/", "test", "test/"; at the moment.

[kwilczynski]

We could move it right below the following:

• https://github.com/containers/crun/pull/1517/files#diff-e84345e78d59b60cc2aadd7662467f8959e7baa95c1ec9b58ad04f7196ae2273R228-R234

[sohankunkerkar]

ok

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[kwilczynski]

There is something interesting about this implementation, generally.

The added NULL check above is fine. However, if we ever get a NULL in found, then we would have a value of 1 in basename, and then the attempt to read from it will be either SIGSEGV, hopefully, or some undefined behaviour (worst case; should not happen on Linux, hopefully).

The old (original) code also has this problem.

[kwilczynski]

This probably does not belong here, as it is a utility function.

Why? The handling of a single slash is a use case specific to the code that calls this function.

[sohankunkerkar]

ok, I don't think we need to handle this condition separately. It will covered as part of the below snippet:

  cleanup_free char *normalized_path = xstrdup (fullname);
  consume_trailing_slashes (normalized_path);
  if (normalized_path[0] == '\0')
    strcpy (normalized_path, "/");

[kwilczynski]

Would this be the correct behaviour here?

[sohankunkerkar]

This ensures that if there are no slashes in the path, basename is set to the entire path. This prevents any uninitialized variables and potential segmentation faults. Just an improvement over the original code. We need to clarify with @kolyshkin or @giuseppe to understand if there's any repercussion to it.

[sohankunkerkar]

Example Scenarios:

• Path with Slashes:
  Input: "/path/to/file.txt"
  Operation:
  found = strrchr(dirname, '/') will point to the last slash ('/').
  *found = '\0' will truncate dirname to "/path/to".
  basename = found + 1 will set basename to "file.txt" (the part after the last slash).
  Result:
  dirname = "/path/to"
  basename = "file.txt"

• Path Without Slashes:
  Input: "file.txt"
  Operation:
  found = strrchr(dirname, '/') will return NULL since there are no slashes in the path.
  The line basename = found ? found + 1 : dirname; will evaluate to basename = dirname;, meaning basename will be set to "file.txt".
  Result:
  dirname = "file.txt"
  basename = "file.txt"

• Single Slash:
  Input: "/"
  Operation:
  found = strrchr(dirname, '/') will point to the single slash.
  *found = '\0' will truncate dirname to an empty string ("").
  basename = found ? found + 1 : dirname; will evaluate to basename = ""; (because found + 1 points to the character after the null terminator).
  Result:
  dirname = ""
  basename = ""

• Empty String:
  Input: ""
  Operation:
  found = strrchr(dirname, '/') will return NULL.
  basename = found ? found + 1 : dirname; will evaluate to basename = ""; (because dirname is empty).
  Result:
  dirname = ""
  basename = ""

[kwilczynski]

Ditto. See my above comment.

[giuseppe]

just a minor comment, otherwise LGTM

[kwilczynski]

Suggested change

	if (normalized_path[0] == '\0')
	if (is_empty_string(normalized_path))

This can also be used to check if the fullname variable is empty, per @giuseppe's request.

[kwilczynski]

@sohankunkerkar, not using is_empty_string() here?

[giuseppe]

please use is_empty_string() here

[sohankunkerkar]

I think is_empty_string would be redundant in this case as consume_trailing_slashes already handles the null and empty string cases, checking normalized_path[0] = '\0' immediately afterward is sufficient. Let me know if I'm missing out any test case.

[kwilczynski]

The helper would be fine. I think we should use it. Also, it improves readability a bit (since the intent will be obvious given the function name).

[kwilczynski]

A bit of a shame we didn't use the helper here. Consistency would be nice.

[kwilczynski]

@giuseppe, are you OK with this refactoring here? Especially how the basename will be set to dirname. I want to make sure we won't break anything.

[giuseppe]

that seems OK to me

[packit-as-a-service]

podman system tests failed. @containers/packit-build please check.

[giuseppe]

strdup can return NULL. Let's use xstrdup

[giuseppe]

that seems OK to me

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[packit-as-a-service]

podman system tests failed. @containers/packit-build please check.

[giuseppe]

users don't know what fullname is. Let's clarify the error message

[packit-as-a-service]

Ephemeral COPR build failed. @containers/packit-build please check.

[packit-as-a-service]

podman system tests failed. @containers/packit-build please check.

[giuseppe]

LGTM