From 0a3b2bda3495e259208c49b08f5bd208078f9371 Mon Sep 17 00:00:00 2001
From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Date: Tue, 12 May 2020 13:21:48 +0900
Subject: [PATCH] pkg/archive: escape ":" symbol in overlay lowerdir

lowerdir needs escaping:
https://github.com/torvalds/linux/blob/v5.4/fs/overlayfs/super.c#L835-L853

Fix #40939

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 6a5e3547fbe0d17eb99762cf2c24fae485308473)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
---
 pkg/archive/archive_linux.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/archive/archive_linux.go b/pkg/archive/archive_linux.go
index 0601f7b0d1..c0f81ac3d6 100644
--- a/pkg/archive/archive_linux.go
+++ b/pkg/archive/archive_linux.go
@@ -151,7 +151,9 @@ func mknodChar0Overlay(cleansedOriginalPath string) error {
 	if err := ioutil.WriteFile(lowerDummy, []byte{}, 0600); err != nil {
 		return errors.Wrapf(err, "failed to create a dummy lower file %s", lowerDummy)
 	}
-	mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work)
+	// lowerdir needs ":" to be escaped: https://github.com/moby/moby/issues/40939#issuecomment-627098286
+	lowerEscaped := strings.ReplaceAll(lower, ":", "\\:")
+	mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerEscaped, upper, work)
 	// docker/pkg/mount.Mount() requires procfs to be mounted. So we use syscall.Mount() directly instead.
 	if err := syscall.Mount("overlay", merged, "overlay", uintptr(0), mOpts); err != nil {
 		return errors.Wrapf(err, "failed to mount overlay (%s) on %s", mOpts, merged)
@@ -236,7 +238,9 @@ func createDirWithOverlayOpaque(tmp string) (string, error) {
 	if err := os.MkdirAll(lowerDummy, 0700); err != nil {
 		return "", errors.Wrapf(err, "failed to create a dummy lower directory %s", lowerDummy)
 	}
-	mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work)
+	// lowerdir needs ":" to be escaped: https://github.com/moby/moby/issues/40939#issuecomment-627098286
+	lowerEscaped := strings.ReplaceAll(lower, ":", "\\:")
+	mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerEscaped, upper, work)
 	// docker/pkg/mount.Mount() requires procfs to be mounted. So we use syscall.Mount() directly instead.
 	if err := syscall.Mount("overlay", merged, "overlay", uintptr(0), mOpts); err != nil {
 		return "", errors.Wrapf(err, "failed to mount overlay (%s) on %s", mOpts, merged)