fix-CVE-2024-40635

containerd.spec

@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        320
+Release:        321
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@@ -72,6 +72,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr
 
 %changelog
+* Tue Mar 18 2025 dongyuzhen <dongyuzhen@h-partners.com> - 1.2.0-321
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2024-40635
+
 * Tue Jun 18 2024 panchenbo <panchenbo@kylinsec.com.cn> - 1.2.0-320
 - Type:enhancement
 - ID:NA

git-commit

@@ -1 +1 @@
-871075eb7cc979944ba2d987719cb534bbb87e5c
+bf4a8e0992bc7e28d12cb903250ebf1d99882eff

patch/0113-containerd-fix-CVE-2024-40635.patch

@@ -0,0 +1,73 @@
+From 9639b9625554183d0c4d8d072dccb84fedd2320f Mon Sep 17 00:00:00 2001
+From: Craig Ingram <Cjingram@google.com>
+Date: Fri, 7 Mar 2025 13:27:58 +0000
+Subject: [PATCH] validate uid/gid
+
+Signed-off-by: Craig Ingram <Cjingram@google.com>
+---
+ oci/spec_opts.go | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/oci/spec_opts.go b/oci/spec_opts.go
+index 718c482..2101642 100644
+--- a/oci/spec_opts.go
++++ b/oci/spec_opts.go
+@@ -20,6 +20,7 @@ import (
+ 	"context"
+ 	"encoding/json"
+ 	"fmt"
++	"math"
+ 	"io/ioutil"
+ 	"os"
+ 	"path/filepath"
+@@ -473,6 +474,20 @@ func WithUser(userstr string) SpecOpts {
+ 		defer ensureAdditionalGids(s)
+ 		setProcess(s)
+ 		s.Process.User.AdditionalGids = nil
++		// While the Linux kernel allows the max UID to be MaxUint32 - 2,
++                // and the OCI Runtime Spec has no definition about the max UID,
++                // the runc implementation is known to require the UID to be <= MaxInt32.
++                //
++                // containerd follows runc's limitation here.
++                //
++                // In future we may relax this limitation to allow MaxUint32 - 2,
++                // or, amend the OCI Runtime Spec to codify the implementation limitation.
++		const (
++			minUserID  = 0
++			maxUserID  = math.MaxInt32
++			minGroupID = 0
++			maxGroupID = math.MaxInt32
++		)
+ 
+ 		// For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't
+ 		// mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the
+@@ -489,8 +504,8 @@ func WithUser(userstr string) SpecOpts {
+ 		switch len(parts) {
+ 		case 1:
+ 			v, err := strconv.Atoi(parts[0])
+-			if err != nil {
+-				// if we cannot parse as a uint they try to see if it is a username
++			if err != nil || v < minUserID || v > maxUserID {
++				// if we cannot parse as an int32 then try to see if it is a username
+ 				return WithUsername(userstr)(ctx, client, c, s)
+ 			}
+ 			return WithUserID(uint32(v))(ctx, client, c, s)
+@@ -501,12 +516,13 @@ func WithUser(userstr string) SpecOpts {
+ 			)
+ 			var uid, gid uint32
+ 			v, err := strconv.Atoi(parts[0])
+-			if err != nil {
++			if err != nil || v < minUserID || v > maxUserID {
+ 				username = parts[0]
+ 			} else {
+ 				uid = uint32(v)
+ 			}
+-			if v, err = strconv.Atoi(parts[1]); err != nil {
++			v, err = strconv.Atoi(parts[1])
++			if err != nil || v < minGroupID || v > maxGroupID {
+ 				groupname = parts[1]
+ 			} else {
+ 				gid = uint32(v)
+-- 
+2.43.0
+

series.conf

@@ -122,3 +122,4 @@ patch/0111-containerd-disable-Transparent-HugePage-for-shim-pro.patch
 patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch
 sw64_patch/3001-thp-add-support-sw_64.patch
 # end
+patch/0113-containerd-fix-CVE-2024-40635.patch