!205 fix CVE-2024-40635

From: @jade_t Reviewed-by: @zhong-jiawei-1, @xuxuepeng Signed-off-by: @xuxuepeng
2025-03-19 03:35:04 +00:00 · 2025-03-19 03:35:04 +00:00 · 84a0d3eee5
commit 84a0d3eee5
parent 07f26312b2 6d9dea92a9
4 changed files with 82 additions and 2 deletions
--- a/containerd.spec
+++ b/containerd.spec
@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.2.0
 Name:           containerd
-Release:        320
+Release:        321
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@ -72,6 +72,12 @@ install -p -m 755 bin/ctr $RPM_BUILD_ROOT/%{_bindir}/ctr
 %{_bindir}/ctr

 %changelog
+* Tue Mar 18 2025 dongyuzhen <dongyuzhen@h-partners.com> - 1.2.0-321
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2024-40635
+
 * Tue Jun 18 2024 panchenbo <panchenbo@kylinsec.com.cn> - 1.2.0-320
 - Type:enhancement
 - ID:NA
--- a/2
+++ b/2
@ -1 +1 @@
-871075eb7cc979944ba2d987719cb534bbb87e5c
+bf4a8e0992bc7e28d12cb903250ebf1d99882eff
--- a/patch/0113-containerd-fix-CVE-2024-40635.patch
+++ b/patch/0113-containerd-fix-CVE-2024-40635.patch
@ -0,0 +1,73 @@
+From 9639b9625554183d0c4d8d072dccb84fedd2320f Mon Sep 17 00:00:00 2001
+From: Craig Ingram <Cjingram@google.com>
+Date: Fri, 7 Mar 2025 13:27:58 +0000
+Subject: [PATCH] validate uid/gid
+
+Signed-off-by: Craig Ingram <Cjingram@google.com>
+---
+ oci/spec_opts.go | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/oci/spec_opts.go b/oci/spec_opts.go
+index 718c482..2101642 100644
+--- a/oci/spec_opts.go
+++ b/oci/spec_opts.go
+@@ -20,6 +20,7 @@ import (
+ 	"context"
+ 	"encoding/json"
+ 	"fmt"
+	"math"
+ 	"io/ioutil"
+ 	"os"
+ 	"path/filepath"
+@@ -473,6 +474,20 @@ func WithUser(userstr string) SpecOpts {
+ 		defer ensureAdditionalGids(s)
+ 		setProcess(s)
+ 		s.Process.User.AdditionalGids = nil
+		// While the Linux kernel allows the max UID to be MaxUint32 - 2,
+                // and the OCI Runtime Spec has no definition about the max UID,
+                // the runc implementation is known to require the UID to be <= MaxInt32.
+                //
+                // containerd follows runc's limitation here.
+                //
+                // In future we may relax this limitation to allow MaxUint32 - 2,
+                // or, amend the OCI Runtime Spec to codify the implementation limitation.
+		const (
+			minUserID  = 0
+			maxUserID  = math.MaxInt32
+			minGroupID = 0
+			maxGroupID = math.MaxInt32
+		)
+ 
+ 		// For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't
+ 		// mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the
+@@ -489,8 +504,8 @@ func WithUser(userstr string) SpecOpts {
+ 		switch len(parts) {
+ 		case 1:
+ 			v, err := strconv.Atoi(parts[0])
+-			if err != nil {
+-				// if we cannot parse as a uint they try to see if it is a username
+			if err != nil || v < minUserID || v > maxUserID {
+				// if we cannot parse as an int32 then try to see if it is a username
+ 				return WithUsername(userstr)(ctx, client, c, s)
+ 			}
+ 			return WithUserID(uint32(v))(ctx, client, c, s)
+@@ -501,12 +516,13 @@ func WithUser(userstr string) SpecOpts {
+ 			)
+ 			var uid, gid uint32
+ 			v, err := strconv.Atoi(parts[0])
+-			if err != nil {
+			if err != nil || v < minUserID || v > maxUserID {
+ 				username = parts[0]
+ 			} else {
+ 				uid = uint32(v)
+ 			}
+-			if v, err = strconv.Atoi(parts[1]); err != nil {
+			v, err = strconv.Atoi(parts[1])
+			if err != nil || v < minGroupID || v > maxGroupID {
+ 				groupname = parts[1]
+ 			} else {
+ 				gid = uint32(v)
+-- 
+2.43.0
+
--- a/series.conf
+++ b/series.conf
@ -122,3 +122,4 @@ patch/0111-containerd-disable-Transparent-HugePage-for-shim-pro.patch
 patch/0112-containerd-cio-FIFOSet.Close-check-if-FIFOSet-is-nill-to-preven.patch
 sw64_patch/3001-thp-add-support-sw_64.patch
 # end
+patch/0113-containerd-fix-CVE-2024-40635.patch