From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: praveen.kumar@windriver.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621
Date: Wed, 2 Apr 2025 02:22:12 +0000	[thread overview]
Message-ID: <Z-yfVPCgWsRzCaq9@gmail.com> (raw)
In-Reply-To: <20250326195009.757247-2-praveen.kumar@windriver.com>

merged.

Bruce

In message: [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621
on 26/03/2025 Praveen Kumar via lists.yoctoproject.org wrote:

> moby v25.0.5 is affected by a Race Condition in
> builder/builder-next/adapters/snapshot/layer.go. The vulnerability could
> be used to trigger concurrent builds that call the EnsureLayer function
> resulting in resource leaks/exhaustion.
> 
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2024-36621
> 
> Upstream-patch:
> https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e
> 
> Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> ---
>  recipes-containers/docker/docker-moby_git.bb  |  1 +
>  .../docker/files/CVE-2024-36621.patch         | 83 +++++++++++++++++++
>  2 files changed, 84 insertions(+)
>  create mode 100644 recipes-containers/docker/files/CVE-2024-36621.patch
> 
> diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
> index a1879ed2..d274b002 100644
> --- a/recipes-containers/docker/docker-moby_git.bb
> +++ b/recipes-containers/docker/docker-moby_git.bb
> @@ -57,6 +57,7 @@ SRC_URI = "\
>          file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
>          file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
>          file://CVE-2024-36620.patch;patchdir=src/import \
> +        file://CVE-2024-36621.patch;patchdir=src/import \
>  	"
>  
>  DOCKER_COMMIT = "${SRCREV_moby}"
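Review bot: the new SRC_URI line follows the CVE-2024-36620 entry and uses the same `patchdir=src/import`, so it is applied inside the moby tree rather than at the recipe root; before merging, confirm that CVE-2024-36620.patch (the line above) does not also touch `builder/builder-next/adapters/snapshot/snapshot.go`, because both backports apply to the same v25.0.5 tree in SRC_URI order and a shared context line would make the second one fail to apply. The `CVE:` tag inside the new patch file is what cve-check keys on to mark CVE-2024-36621 as patched, so no separate `CVE_STATUS` entry is needed in the recipe.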
> diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch
> new file mode 100644
> index 00000000..a6c06ef2
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2024-36621.patch
> @@ -0,0 +1,83 @@
> +From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
> +From: Tonis Tiigi <tonistiigi@gmail.com>
> +Date: Wed, 6 Mar 2024 23:11:32 -0800
> +Subject: [PATCH] builder-next: fix missing lock in ensurelayer
> +
> +When this was called concurrently from the moby image
> +exporter there could be a data race where a layer was
> +written to the refs map when it was already there.
> +
> +In that case the reference count got mixed up and on
> +release only one of these layers was actually released.
> +
> +CVE: CVE-2024-36621
> +
> +Upstream-Status:
> +Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]
> +
> +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> +---
> + .../builder-next/adapters/snapshot/layer.go   |  3 +++
> + .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
> + 2 files changed, 14 insertions(+), 8 deletions(-)
> +
> +diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
> +index 73120ea70b..fc83058339 100644
> +--- a/builder/builder-next/adapters/snapshot/layer.go
> ++++ b/builder/builder-next/adapters/snapshot/layer.go
> +@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
> + }
> +
> + func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
> ++	s.layerCreateLocker.Lock(key)
> ++	defer s.layerCreateLocker.Unlock(key)
> ++
> +	diffIDs, err := s.GetDiffIDs(ctx, key)
> +	if err != nil {
> +		return nil, err
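Review bot: the per-key lock is held for the whole function via `defer`, so the `GetDiffIDs` lookup and the layer creation after it are now atomic with respect to other callers using the same key, which is what the commit message asks for; two things to confirm on the backport. `locker.Locker.Unlock` returns an error (no such lock) that the deferred call discards, which is fine only because `Lock(key)` always precedes it in this function. And the lock is not reentrant, so nothing reachable from the rest of `EnsureLayer` (not shown in this hunk) may call `EnsureLayer` or `layerCreateLocker.Lock` for the same key, or the second acquisition deadlocks.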
> +diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
> +index a0d28ad984..510ffefb49 100644
> +--- a/builder/builder-next/adapters/snapshot/snapshot.go
> ++++ b/builder/builder-next/adapters/snapshot/snapshot.go
> +@@ -17,6 +17,7 @@ import (
> +	"github.com/moby/buildkit/identity"
> +	"github.com/moby/buildkit/snapshot"
> +	"github.com/moby/buildkit/util/leaseutil"
> ++	"github.com/moby/locker"
> +	"github.com/opencontainers/go-digest"
> +	"github.com/pkg/errors"
> +	bolt "go.etcd.io/bbolt"
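Review bot: `github.com/moby/locker` must already be vendored in the v25.0.5 tree this is applied to; the recipe builds with the vendored module set (see the GO111MODULE patch in SRC_URI), so a missing `vendor/github.com/moby/locker` would fail at compile time rather than at patch time. Worth a scarthgap build before merging rather than assuming the upstream commit's dependency set matches the branch.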
> +@@ -51,10 +52,11 @@ type checksumCalculator interface {
> + type snapshotter struct {
> +	opt Opt
> +
> +-	refs map[string]layer.Layer
> +-	db   *bolt.DB
> +-	mu   sync.Mutex
> +-	reg  graphIDRegistrar
> ++	refs              map[string]layer.Layer
> ++	db                *bolt.DB
> ++	mu                sync.Mutex
> ++	reg               graphIDRegistrar
> ++	layerCreateLocker *locker.Locker
> + }
> +
> + // NewSnapshotter creates a new snapshotter
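Review bot: with two locks now in the struct, the ordering between `mu` and `layerCreateLocker` should be documented on the new field, for example `layerCreateLocker *locker.Locker // per-key; never acquire while holding mu`. A later caller that takes `mu` and then blocks on a key held by a goroutine that is itself waiting for `mu` would deadlock, and nothing in this hunk prevents that.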
> +@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
> +	}
> +
> +	s := &snapshotter{
> +-		opt:  opt,
> +-		db:   db,
> +-		refs: map[string]layer.Layer{},
> +-		reg:  reg,
> ++		opt:               opt,
> ++		db:                db,
> ++		refs:              map[string]layer.Layer{},
> ++		reg:               reg,
> ++		layerCreateLocker: locker.New(),
> +	}
> +
> +	slm := newLeaseManager(s, prevLM)
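Review bot: `locker.New()` in `NewSnapshotter` is the only place the new pointer field is initialised, and `EnsureLayer` dereferences it unconditionally, so any other `&snapshotter{...}` literal in the backported tree (tests included) would now panic with a nil pointer; grep for other constructors before merging. The remaining changed lines in the hunk are gofmt realignment and do not change behaviour.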
> +--
> +2.40.0
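Review bot: `Upstream-Status:` is split from its value, with `Backport [...]` on the following line; the patch-status QA check in insane.bbclass matches the status on the same line as the tag, so this should be the single line `Upstream-Status: Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]`. The `CVE: CVE-2024-36621` tag and the upstream From/Date/Subject lines are in place, so cve-check and provenance are covered.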
> -- 
> 2.40.0
> 

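The race the commit message describes (two concurrent EnsureLayer calls for the same key both building a layer, the second write to the refs map discarding the first, and a later release freeing only one) reproduced as an added example. This is not code from moby or from the patch above: `keyLocker` is a stand-in for `github.com/moby/locker` built on `sync.Map`, the `layer`, `snapshotter`, `EnsureLayer` and `Release` types and functions are simplified models of the real ones, and `raceWindow` is a constructed test harness that parks every caller between the lookup and the registration so the unpatched outcome is deterministic instead of depending on the scheduler. The per-key lock follows the shape of the fix: taken for the whole of EnsureLayer and released with `defer`.

```go
package main

import (
	"fmt"
	"sync"
)

type layer struct{ refs int } // stand-in for layer.Layer: freed when refs drops to zero

// keyLocker is a stand-in for github.com/moby/locker (not the real package): Lock(key) serialises
// callers that use the same key while different keys proceed in parallel.
type keyLocker struct{ locks sync.Map } // key -> *sync.Mutex

func (l *keyLocker) Lock(key string) {
	m, _ := l.locks.LoadOrStore(key, &sync.Mutex{})
	m.(*sync.Mutex).Lock()
}

func (l *keyLocker) Unlock(key string) {
	m, _ := l.locks.Load(key)
	m.(*sync.Mutex).Unlock()
}

// snapshotter mirrors the patched struct: mu guards refs; layerCreateLocker (nil = unpatched) serialises EnsureLayer per key.
type snapshotter struct {
	mu                sync.Mutex
	refs              map[string]*layer
	layerCreateLocker *keyLocker
	built, released   int             // layer objects created / freed, to detect leaks
	raceWindow        *sync.WaitGroup // harness only: parks builders between lookup and registration
}

// EnsureLayer builds and registers the layer for key on first use; the lookup and the registration are separate critical sections with the build in between, and that gap is the race.
func (s *snapshotter) EnsureLayer(key string) *layer {
	if s.layerCreateLocker != nil { // the fix: one caller per key at a time
		s.layerCreateLocker.Lock(key)
		defer s.layerCreateLocker.Unlock(key)
	}
	s.mu.Lock()
	if l, ok := s.refs[key]; ok {
		l.refs++
		s.mu.Unlock()
		return l
	}
	s.mu.Unlock()
	if s.raceWindow != nil { // hold until every caller has seen "not registered"
		s.raceWindow.Done()
		s.raceWindow.Wait()
	}
	l := &layer{refs: 1} // built outside s.mu, as in the real code
	s.mu.Lock()
	s.refs[key] = l // unpatched: a second builder overwrites the first entry
	s.built++
	s.mu.Unlock()
	return l
}

// Release drops one reference and frees the layer when the count reaches zero.
func (s *snapshotter) Release(key string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if l, ok := s.refs[key]; ok {
		l.refs--
		if l.refs == 0 {
			s.released++
			delete(s.refs, key)
		}
	}
}

// runConcurrentEnsure has n goroutines EnsureLayer the same key and Release it once each; it returns how many layer objects were built and how many were never freed.
func runConcurrentEnsure(patched bool, n int) (built, leaked int) {
	s := &snapshotter{refs: map[string]*layer{}}
	if patched {
		s.layerCreateLocker = &keyLocker{}
	} else {
		s.raceWindow = &sync.WaitGroup{}
		s.raceWindow.Add(n)
	}
	var ensured, finished sync.WaitGroup
	ensured.Add(n)
	finished.Add(n)
	for i := 0; i < n; i++ {
		go func() {
			defer finished.Done()
			s.EnsureLayer("sha256:constructed-key") // constructed sample key
			ensured.Done()
			ensured.Wait() // every registration lands before any Release
			s.Release("sha256:constructed-key")
		}()
	}
	finished.Wait()
	return s.built, s.built - s.released
}

func main() {
	fmt.Println(runConcurrentEnsure(false, 4)) // unpatched: 4 3 (four layers built, three leaked)
	fmt.Println(runConcurrentEnsure(true, 4))  // patched:   1 0
}
```

Without the key lock, four callers all miss the lookup, all build, and the map keeps only the last layer with a reference count of one, so the first Release frees it and the other three layers are never freed. With the lock, the first caller builds and registers under the key, the other three take the found path and bump the count to four, and four Releases bring it back to zero.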



Thread overview: 9+ messages
2025-03-26 19:50 [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Praveen Kumar
2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 Praveen Kumar
2025-04-02  2:22   ` Bruce Ashfield [this message]
2025-04-02 13:59   ` Martin Jansa
2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 Praveen Kumar
2025-03-26 20:05   ` Bruce Ashfield
2025-08-20  6:08   ` [scarthgap][PATCH " Hitendra Prajapati
2025-08-20 13:03     ` [meta-virtualization] " Bruce Ashfield
2025-04-02  2:21 ` [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Bruce Ashfield
