Fails to build on mips64le

[tianon]

As of the latest releases, we're now failing to build for mips64le:

$ GOARCH=mips64le go build ./libcontainer
# github.com/opencontainers/runc/libcontainer
libcontainer/console_linux.go:36:60: invalid operation: stat.Rdev != unix.Mkdev(PTMX_MAJOR, PTMX_MINOR) (mismatched types uint32 and uint64)
libcontainer/console_linux.go:38:39: cannot use stat.Rdev (variable of type uint32) as uint64 value in argument to unix.Major
libcontainer/console_linux.go:38:62: cannot use stat.Rdev (variable of type uint32) as uint64 value in argument to unix.Minor
libcontainer/console_linux.go:82:60: invalid operation: stat.Rdev != wantPeerDev (mismatched types uint32 and uint64)
libcontainer/console_linux.go:84:48: cannot use stat.Rdev (variable of type uint32) as uint64 value in argument to unix.Major
libcontainer/console_linux.go:84:71: cannot use stat.Rdev (variable of type uint32) as uint64 value in argument to unix.Minor
libcontainer/rootfs_linux.go:1047:19: invalid operation: stat.Rdev != dev (mismatched types uint32 and uint64)
libcontainer/rootfs_linux.go:1050:16: cannot use stat.Rdev (variable of type uint32) as uint64 value in argument to unix.Major
libcontainer/rootfs_linux.go:1050:39: cannot use stat.Rdev (variable of type uint32) as uint64 value in argument to unix.Minor
libcontainer/rootfs_linux.go:1321:59: invalid operation: st.Rdev == unix.Mkdev(1, 3) (mismatched types uint32 and uint64)

This was on latest main - the same command completes successfully on v1.4.0-rc.2, and whatever broke this was backported all the way back to the 1.2 branch as part of today's security releases.

This is a similar issue to moby/buildkit#5129, where the root cause is technically a stdlib (or at least x/unix) bug because unix.Mkdev's return type is not platform-specific like the types it's intended to be used with/for.

I was pretty sure it was caused by 8476df8 (just looking through the commits), but did an explicit git bisect just to be Extra and confirmed:

8476df83b534a2522b878c0507b3491def48db9f is the first bad commit
commit 8476df83b534a2522b878c0507b3491def48db9f
Author: Kir Kolyshkin <kolyshkin@gmail.com>
Date:   Thu Mar 6 08:19:45 2025 -0800

    libct: add/use isDevNull, verifyDevNull
    
    The /dev/null in a container should not be trusted, because when /dev
    is a bind mount, /dev/null is not created by runc itself.
    
    1. Add isDevNull which checks the fd minor/major and device type,
       and verifyDevNull which does the stat and the check.
    
    2. Rewrite maskPath to open and check /dev/null, and use its fd to
       perform mounts. Move the loop over the MaskPaths into the function,
       and rename it to maskPaths.
    
    3. reOpenDevNull: use verifyDevNull and isDevNull.
    
    4. fixStdioPermissions: use isDevNull instead of stat.
    
    Fixes: GHSA-9493-h29p-rfm2 CVE-2025-31133
    Co-authored-by: Rodrigo Campos <rodrigoca@microsoft.com>
    Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
    Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

 libcontainer/init_linux.go          | 11 +++-----
 libcontainer/rootfs_linux.go        | 53 +++++++++++++++++++++++++++++--------
 libcontainer/standard_init_linux.go |  7 +++--
 3 files changed, 49 insertions(+), 22 deletions(-)
bisect found first bad commit

[tianon]

This naïve change seems to fix the compilation issue, although I'd love more eyes on its correctness:

diff --git a/libcontainer/console_linux.go b/libcontainer/console_linux.go
index 6ce171f0..04a1d810 100644
--- a/libcontainer/console_linux.go
+++ b/libcontainer/console_linux.go
@@ -33,9 +33,9 @@ func checkPtmxHandle(ptmx *os.File) error {
 		if stat.Ino != PTMX_INO {
 			return fmt.Errorf("ptmx handle has wrong inode number: %v", stat.Ino)
 		}
-		if stat.Mode&unix.S_IFMT != unix.S_IFCHR || stat.Rdev != unix.Mkdev(PTMX_MAJOR, PTMX_MINOR) {
+		if stat.Mode&unix.S_IFMT != unix.S_IFCHR || uint64(stat.Rdev) != unix.Mkdev(PTMX_MAJOR, PTMX_MINOR) {
 			return fmt.Errorf("ptmx handle is not a real char ptmx device: ftype %#x %d:%d",
-				stat.Mode&unix.S_IFMT, unix.Major(stat.Rdev), unix.Minor(stat.Rdev))
+				stat.Mode&unix.S_IFMT, unix.Major(uint64(stat.Rdev)), unix.Minor(uint64(stat.Rdev)))
 		}
 		return nil
 	})
@@ -79,9 +79,9 @@ func getPtyPeer(pty console.Console, unsafePeerPath string, flags int) (*os.File
 		if statfs.Type != unix.DEVPTS_SUPER_MAGIC {
 			return fmt.Errorf("pty peer handle is not on a real devpts mount: super magic is %#x", statfs.Type)
 		}
-		if stat.Mode&unix.S_IFMT != unix.S_IFCHR || stat.Rdev != wantPeerDev {
+		if stat.Mode&unix.S_IFMT != unix.S_IFCHR || uint64(stat.Rdev) != wantPeerDev {
 			return fmt.Errorf("pty peer handle is not the real char device for pty %d: ftype %#x %d:%d",
-				peerNum, stat.Mode&unix.S_IFMT, unix.Major(stat.Rdev), unix.Minor(stat.Rdev))
+				peerNum, stat.Mode&unix.S_IFMT, unix.Major(uint64(stat.Rdev)), unix.Minor(uint64(stat.Rdev)))
 		}
 		return nil
 	}); err != nil {
diff --git a/libcontainer/rootfs_linux.go b/libcontainer/rootfs_linux.go
index 96607379..1382f4b9 100644
--- a/libcontainer/rootfs_linux.go
+++ b/libcontainer/rootfs_linux.go
@@ -1044,10 +1044,10 @@ func mknodDevice(destDir *os.File, destName string, node *devices.Device) error
 				node.Type, node.Path,
 				stat.Mode&unix.S_IFMT, fileMode&unix.S_IFMT)
 		}
-		if stat.Rdev != dev {
+		if uint64(stat.Rdev) != dev {
 			return fmt.Errorf("new %c device inode %s has incorrect major:minor: %d:%d doesn't match expected %d:%d",
 				node.Type, node.Path,
-				unix.Major(stat.Rdev), unix.Minor(stat.Rdev),
+				unix.Major(uint64(stat.Rdev)), unix.Minor(uint64(stat.Rdev)),
 				unix.Major(dev), unix.Minor(dev))
 		}
 		return nil
@@ -1318,7 +1318,7 @@ func remountReadonly(m *configs.Mount) error {
 }
 
 func isDevNull(st *unix.Stat_t) bool {
-	return st.Mode&unix.S_IFMT == unix.S_IFCHR && st.Rdev == unix.Mkdev(1, 3)
+	return st.Mode&unix.S_IFMT == unix.S_IFCHR && uint64(st.Rdev) == unix.Mkdev(1, 3)
 }
 
 func verifyDevNull(f *os.File) error {

[kolyshkin]

It's actually three commits that add these cases and we totally missed it because we don't compile on mips (which is quite hard to achieve as Debian is losing mips support).

Yes, Rdev field is uint32 on all mips arches.

The fix above LGTM, except we also need to add unconvert linter annotations. I'll open a PR soon.