From 3b34805efbff7bf8ab59239a3f9be13144b17c77 Mon Sep 17 00:00:00 2001
From: ruiwen-zhao <ruiwen@google.com>
Date: Fri, 11 Feb 2022 04:21:58 +0000
Subject: [PATCH] [PATCH] Use fs.RootPath when mounting volumes

Signed-off-by: Ruiwen Zhao <ruiwen@google.com>

Gbp-Pq: Name CVE-2022-23648.patch
---
 pkg/cri/opts/container.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/pkg/cri/opts/container.go b/pkg/cri/opts/container.go
index 472104b..5a4c94b 100644
--- a/pkg/cri/opts/container.go
+++ b/pkg/cri/opts/container.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"io/ioutil"
 	"os"
-	"path/filepath"
 
 	"github.com/containerd/containerd"
 	"github.com/containerd/containerd/containers"
@@ -89,7 +88,10 @@ func WithVolumes(volumeMounts map[string]string) containerd.NewContainerOpts {
 		}()
 
 		for host, volume := range volumeMounts {
-			src := filepath.Join(root, volume)
+			src, err := fs.RootPath(root, volume)
+			if err != nil {
+				return errors.Wrapf(err, "rootpath on root %s, volume %s", root, volume)
+			}
 			if _, err := os.Stat(src); err != nil {
 				if os.IsNotExist(err) {
 					// Skip copying directory if it does not exist.