* [meta-virtualization][kirkstone][PATCH 1/1] cri-o: fix CVE-2023-6476
@ 2025-07-11 11:37 archana.polampalli
  2025-07-16 18:49 ` Bruce Ashfield
  0 siblings, 1 reply; 2+ messages in thread
From: archana.polampalli @ 2025-07-11 11:37 UTC (permalink / raw)
  To: meta-virtualization

From: Archana Polampalli <archana.polampalli@windriver.com>

A flaw was found in CRI-O that involves an experimental annotation leading to a
container being unconfined. This may allow a pod to specify and get any amount
of memory/cpu, circumventing the kubernetes scheduler and potentially resulting
in a denial of service in the node.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 recipes-containers/cri-o/cri-o_git.bb         |  1 +
 .../cri-o/files/CVE-2023-6476.patch           | 61 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 recipes-containers/cri-o/files/CVE-2023-6476.patch

diff --git a/recipes-containers/cri-o/cri-o_git.bb b/recipes-containers/cri-o/cri-o_git.bb
index 429c49a7..1e8353f8 100644
--- a/recipes-containers/cri-o/cri-o_git.bb
+++ b/recipes-containers/cri-o/cri-o_git.bb
@@ -20,6 +20,7 @@ SRC_URI = "\
 	file://0001-Makefile-force-symlinks.patch \
         file://crio.conf \
         file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
+        file://CVE-2023-6476.patch;patchdir=src/import \
 	"
 
 # Apache-2.0 for docker
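Review bot: the new `file://CVE-2023-6476.patch;patchdir=src/import \` entry is indented with spaces while the `file://0001-Makefile-force-symlinks.patch \` line above it uses a tab; BitBake does not care, but normalising the block to one style keeps SRC_URI readable. The `patchdir=src/import` argument is right for this patch, since its `a/pkg/config/workloads.go` path is relative to the cri-o checkout the recipe unpacks under `src/import`, following the same `patchdir=` convention the securejoin entry already uses.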
diff --git a/recipes-containers/cri-o/files/CVE-2023-6476.patch b/recipes-containers/cri-o/files/CVE-2023-6476.patch
new file mode 100644
index 00000000..baa3bb54
--- /dev/null
+++ b/recipes-containers/cri-o/files/CVE-2023-6476.patch
@@ -0,0 +1,61 @@
+From 5faee5d82556a6bf4dd1144d2a86e70d097ab200 Mon Sep 17 00:00:00 2001
+From: Peter Hunt <pehunt@redhat.com>
+Date: Thu, 7 Dec 2023 16:07:12 -0500
+Subject: [PATCH] allowed annotations: correctly filter prefixed annotations
+
+without this fix, a pod is able to gain access to experimental annotations that are prefixes of container names.
+The most problematic of these is io.kubernetes.cri-o.UnifiedCgroup, which allows a user to arbitrarily
+change the resources of the pod, potentially leading to OOM.
+
+Fixes CVE-2023-6476
+
+Signed-off-by: Peter Hunt <pehunt@redhat.com>
+
+CVE: CVE-2023-6476
+
+Upstream-Status: Backport [https://github.com/cri-o/cri-o/commit/5faee5d82556a6bf4dd1144d2a86e70d097ab200]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ pkg/config/workloads.go |  2 +-
+ test/workloads.bats     | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/config/workloads.go b/pkg/config/workloads.go
+index d5eeaf1ef..37a22fe76 100644
+--- a/pkg/config/workloads.go
++++ b/pkg/config/workloads.go
+@@ -102,7 +102,7 @@ func (w Workloads) FilterDisallowedAnnotations(allowed []string, toFilter map[st
+	for ann := range toFilter {
+		for _, d := range disallowed {
+			if strings.HasPrefix(ann, d) {
+-				delete(toFilter, d)
++				delete(toFilter, ann)
+			}
+		}
+	}
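Review bot: the one-line change is the correct fix. `strings.HasPrefix(ann, d)` matches both an exact key and any `d`-prefixed key such as `io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep`, but `delete(toFilter, d)` only ever removed the exact key, so a prefixed annotation passed through the filter untouched; `delete(toFilter, ann)` removes the entry that actually matched. Deleting from a map while ranging over it is safe in Go, so no restructuring is needed, though a `break` after the delete would avoid re-checking an already-removed `ann` against the remaining disallowed entries. Because this is a backport, confirm that the hunk header `func (w Workloads) FilterDisallowedAnnotations(allowed []string, toFilter map[st` still matches the cri-o revision pinned by the kirkstone recipe; the context is only three lines each side, so a silently offset apply is possible and worth checking in the do_patch log.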
+diff --git a/test/workloads.bats b/test/workloads.bats
+index 6102d6326..0f4d6e4f0 100644
+--- a/test/workloads.bats
++++ b/test/workloads.bats
+@@ -327,3 +327,18 @@ function check_conmon_fields() {
+	df=$(crictl exec --sync "$ctr_id" df | grep /dev/shm)
+	[[ "$df" == *'16384'* ]]
+ }
++
++@test "test workload pod should not be set if annotation not specified even if prefix" {
++	start_crio
++
++	jq '   .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
++	  .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
++	"$TESTDATA"/sandbox_config.json > "$sboxconfig"
++
++	jq '   .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
++	  .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
++	"$TESTDATA"/container_sleep.json > "$ctrconfig"
++
++	ctr_id=$(crictl run "$ctrconfig" "$sboxconfig")
++	[[ $(crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max) != 4294967296 ]]
++}
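Review bot: the new test asserts only `memory.max != 4294967296` inside the container, so it also passes when the read fails for an unrelated reason (on a cgroup v1 host `/sys/fs/cgroup/memory.max` does not exist, `cat` fails, the substitution is empty and the inequality still holds). Consider adding the positive check that the prefixed `io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep` annotation is absent from the created container's config, so the test fails for the right reason. The two `jq` invocations differ only in the input file; a small helper would shorten the test. The doubled prefixes (`++`, `+-`) are expected here because this hunk adds a patch file that itself contains a diff, and they must survive any whitespace clean-up before the file lands in `files/`.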
+--
+2.40.0
-- 
2.40.0
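The defect the cover letter describes, shown as an added Go example that is not code from the patch or from CRI-O: a model of the filter loop before and after the fix, run over a constructed annotation map shaped like the one in the upstream bats test. The `disallowed` list and the annotation values are assumptions for illustration; CRI-O derives the real disallowed set from the workload's allow-list.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-in for the experimental keys this workload is not allowed to use.
var disallowed = []string{"io.kubernetes.cri-o.UnifiedCgroup", "io.kubernetes.cri-o.Devices"}

// filterBuggy reproduces the pre-fix loop: on a prefix match it deletes the
// disallowed key d, so "io.kubernetes.cri-o.UnifiedCgroup.<ctr>" survives.
func filterBuggy(toFilter map[string]string) {
	for ann := range toFilter {
		for _, d := range disallowed {
			if strings.HasPrefix(ann, d) {
				delete(toFilter, d) // wrong key: d, not ann
			}
		}
	}
}

// filterFixed mirrors the backported change: delete the annotation that matched.
func filterFixed(toFilter map[string]string) {
	for ann := range toFilter {
		for _, d := range disallowed {
			if strings.HasPrefix(ann, d) {
				delete(toFilter, ann) // deleting during a map range is safe in Go
				break
			}
		}
	}
}

// survivors runs a filter over a constructed pod annotation map modelled on the
// upstream bats test and returns what is left of it.
func survivors(filter func(map[string]string)) map[string]string {
	ann := map[string]string{
		"io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep": "memory.max=4294967296",
		"io.kubernetes.cri-o.Devices":                        "/dev/null",
		"example.com/harmless":                               "keep",
	}
	filter(ann)
	return ann
}

func main() {
	fmt.Println("before fix:", survivors(filterBuggy)) // prefixed UnifiedCgroup key survives
	fmt.Println("after fix: ", survivors(filterFixed)) // only example.com/harmless remains
}
```

Note that the exact key `io.kubernetes.cri-o.Devices` is removed even by the buggy loop, which is why the bug only shows up with a container-name suffix.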

* Re: [meta-virtualization][kirkstone][PATCH 1/1] cri-o: fix CVE-2023-6476
  2025-07-11 11:37 [meta-virtualization][kirkstone][PATCH 1/1] cri-o: fix CVE-2023-6476 archana.polampalli
@ 2025-07-16 18:49 ` Bruce Ashfield
  0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2025-07-16 18:49 UTC (permalink / raw)
  To: archana.polampalli; +Cc: meta-virtualization


In message: [meta-virtualization][kirkstone][PATCH 1/1] cri-o: fix CVE-2023-6476
on 11/07/2025 Polampalli, Archana via lists.yoctoproject.org wrote:

> From: Archana Polampalli <archana.polampalli@windriver.com>
> 
> A flaw was found in CRI-O that involves an experimental annotation leading to a
> container being unconfined. This may allow a pod to specify and get any amount
> of memory/cpu, circumventing the kubernetes scheduler and potentially resulting
> in a denial of service in the node.

merged.

Bruce

