Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: vanusuri@mvista.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
Date: Mon, 1 Dec 2025 20:11:54 -0500	[thread overview]
Message-ID: <aS482uMvjz7PCB2Y@gmail.com> (raw)
In-Reply-To: <20251110113049.120549-2-vanusuri@mvista.com>

This patch says 2/2, but I can't find patch 1/2. What was the
subject of 1/2 ? Or rather than just telling me the subject, if
you resend it, that would be great.

Bruce

In message: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:

> From: Vijay Anusuri <vanusuri@mvista.com>
> 
> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
> 
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
>  .../CVE-2025-64329.patch                      | 80 +++++++++++++++++++
>  .../containerd-opencontainers_git.bb          |  1 +
>  2 files changed, 81 insertions(+)
>  create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> 
> diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> new file mode 100644
> index 00000000..a3cc5e85
> --- /dev/null
> +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> @@ -0,0 +1,80 @@
> +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
> +From: wheat2018 <1151937289@qq.com>
> +Date: Tue, 13 Aug 2024 15:56:31 +0800
> +Subject: [PATCH] fix goroutine leak of container Attach
> +
> +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
> +never finish if it attaches to a container without any stdout or stderr
> +output. Wait for http context cancel and break the pipe actively to
> +address the issue.
> +
> +Signed-off-by: wheat2018 <1151937289@qq.com>
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +
> +Excluded pkg/cri/sbserver/container_attach.go changes as the file not
> +present in our current vrsion 1.6.19
> +
> +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
> +CVE: CVE-2025-64329
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/cri/io/container_io.go         | 14 +++++++++++---
> + pkg/cri/server/container_attach.go |  2 +-
> + 2 files changed, 12 insertions(+), 4 deletions(-)
> +
> +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
> +index 70bc8b789..e1584100f 100644
> +--- a/pkg/cri/io/container_io.go
> ++++ b/pkg/cri/io/container_io.go
> +@@ -17,6 +17,7 @@
> + package io
> + 
> + import (
> ++	"context"
> + 	"errors"
> + 	"io"
> + 	"strings"
> +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
> + 
> + // Attach attaches container stdio.
> + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
> +-func (c *ContainerIO) Attach(opts AttachOptions) {
> ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
> + 	var wg sync.WaitGroup
> + 	key := util.GenerateID()
> + 	stdinKey := streamKey(c.id, "attach-"+key, Stdin)
> +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
> + 	}
> + 
> + 	attachStream := func(key string, close <-chan struct{}) {
> +-		<-close
> +-		logrus.Infof("Attach stream %q closed", key)
> ++		select {
> ++		case <-close:
> ++			logrus.Infof("Attach stream %q closed", key)
> ++		case <-ctx.Done():
> ++			logrus.Infof("Attach client of %q cancelled", key)
> ++			// Avoid writeGroup heap up
> ++			c.stdoutGroup.Remove(key)
> ++			c.stderrGroup.Remove(key)
> ++		}
> + 		// Make sure stdin gets closed.
> + 		if stdinStreamRC != nil {
> + 			stdinStreamRC.Close()
> +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
> +index a95215051..3625229f9 100644
> +--- a/pkg/cri/server/container_attach.go
> ++++ b/pkg/cri/server/container_attach.go
> +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
> + 		},
> + 	}
> + 	// TODO(random-liu): Figure out whether we need to support historical output.
> +-	cntr.IO.Attach(opts)
> ++	cntr.IO.Attach(ctx, opts)
> + 	return nil
> + }
> +-- 
> +2.25.1
> +
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index 264d37a6..05683d26 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
>             file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
>             file://CVE-2024-40635.patch \
>             file://CVE-2024-25621.patch \
> +           file://CVE-2025-64329.patch \
>            "
>  
>  # Apache-2.0 for containerd
> -- 
> 2.25.1
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9437): https://lists.yoctoproject.org/g/meta-virtualization/message/9437
> Mute This Topic: https://lists.yoctoproject.org/mt/116217320/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

next prev parent reply	other threads:[~2025-12-02  1:12 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-10 11:30 [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 vanusuri
2025-11-10 11:30 ` [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 vanusuri
2025-12-02  1:11   ` Bruce Ashfield [this message]
2025-12-02  2:48     ` Vijay Anusuri
2025-12-02  4:45       ` Bruce Ashfield
2025-11-19 23:28 ` [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 Bruce Ashfield

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aS482uMvjz7PCB2Y@gmail.com \
    --to=bruce.ashfield@gmail.com \
    --cc=meta-virtualization@lists.yoctoproject.org \
    --cc=vanusuri@mvista.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.