From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: vanusuri@mvista.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621
Date: Wed, 19 Nov 2025 18:28:38 -0500
Message-ID: <aR5SpnDZRfu9jk91@gmail.com>
In-Reply-To: <20251110113049.120549-2-vanusuri@mvista.com> <20251110113049.120549-1-vanusuri@mvista.com>
merged.
Bruce
In message: [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621
on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../CVE-2024-25621.patch | 103 ++++++++++++++++++
> .../containerd-opencontainers_git.bb | 1 +
> 2 files changed, 104 insertions(+)
> create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
>
> diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
> new file mode 100644
> index 00000000..4ae9bb63
> --- /dev/null
> +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2024-25621.patch
> @@ -0,0 +1,103 @@
> +From 0450f046e6942e513d0ebf1ef5c2aff13daa187f Mon Sep 17 00:00:00 2001
> +From: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +Date: Mon, 27 Oct 2025 16:42:59 +0900
> +Subject: [PATCH] Fix directory permissions
> +
> +- Create /var/lib/containerd with 0o700 (was: 0o711).
> +- Create config.TempDir with 0o700 (was: 0o711).
> +- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
> +- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
> +- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
> + as required by userns-remapped containers.
> + /run/containerd/io.containerd.runtime.v2.task/<NS>/<ID> is created with:
> + - 0o700 for non-userns-remapped containers
> + - 0o710 for userns-remapped containers with the remapped root group as the owner group.
> +
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +
> +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f]
> +CVE: CVE-2024-25621
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/cri/cri.go | 8 ++++++++
> + runtime/v2/manager.go | 2 ++
> + services/server/server.go | 14 ++++++++++++--
> + 3 files changed, 22 insertions(+), 2 deletions(-)
> +
> +diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
> +index 7182716b6..dec810196 100644
> +--- a/pkg/cri/cri.go
> ++++ b/pkg/cri/cri.go
> +@@ -19,6 +19,7 @@ package cri
> + import (
> + "flag"
> + "fmt"
> ++ "os"
> + "path/filepath"
> +
> + "github.com/containerd/containerd"
> +@@ -68,6 +69,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
> + return nil, fmt.Errorf("invalid plugin config: %w", err)
> + }
> +
> ++ if err := os.MkdirAll(ic.State, 0700); err != nil {
> ++ return nil, err
> ++ }
> ++ // chmod is needed for upgrading from an older release that created the dir with 0755
> ++ if err := os.Chmod(ic.State, 0700); err != nil {
> ++ return nil, err
> ++ }
> + c := criconfig.Config{
> + PluginConfig: *pluginConfig,
> + ContainerdRootDir: filepath.Dir(ic.Root),
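Review bot: the two new error returns in initCRIService hand back the bare os error, while the line just above wraps its error with fmt.Errorf("invalid plugin config: %w", err); wrapping these the same way, e.g. `fmt.Errorf("failed to create CRI state dir %q: %w", ic.State, err)`, would make a startup failure caused by a pre-existing, wrongly-owned /run/containerd/io.containerd.grpc.v1.cri attributable from the log alone. The inline comment ("created the dir with 0755") agrees with the commit message's "(was: 0o755)" for this directory, so the upgrade chmod is justified here.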
> +diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
> +index 1927cbb3f..1f26bbeac 100644
> +--- a/runtime/v2/manager.go
> ++++ b/runtime/v2/manager.go
> +@@ -109,6 +109,8 @@ type ManagerConfig struct {
> + // NewShimManager creates a manager for v2 shims
> + func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
> + for _, d := range []string{config.Root, config.State} {
> ++ // root: the parent of this directory is created as 0700, not 0711.
> ++ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
> + if err := os.MkdirAll(d, 0711); err != nil {
> + return nil, err
> + }
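Review bot: this hunk is comment-only and leaves both config.Root and config.State at 0711, which matches the commit message's statement that /run/containerd/io.containerd.runtime.v2.task stays 0o711 for userns-remapped containers. The message also says the per-container directory under it is created with 0o700 or 0o710, but none of the three files in the diffstat touches bundle creation, so either 1.6.19 already creates that directory with those bits or that part of the message describes behaviour this backport does not carry; please confirm which, since the 0o711 parent only provides the intended protection if the per-task directory really is 0o700/0o710.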
> +diff --git a/services/server/server.go b/services/server/server.go
> +index 857cc9c76..bc2ddbf1f 100644
> +--- a/services/server/server.go
> ++++ b/services/server/server.go
> +@@ -82,16 +82,26 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
> + return errors.New("root and state must be different paths")
> + }
> +
> +- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
> ++ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
> ++ return err
> ++ }
> ++ // chmod is needed for upgrading from an older release that created the dir with 0o711
> ++ if err := os.Chmod(config.Root, 0700); err != nil {
> + return err
> + }
> +
> ++ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
> ++ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
> + if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
> + return err
> + }
> +
> + if config.TempDir != "" {
> +- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
> ++ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
> ++ return err
> ++ }
> ++ // chmod is needed for upgrading from an older release that created the dir with 0o711
> ++ if err := os.Chmod(config.Root, 0700); err != nil {
> + return err
> + }
> + if runtime.GOOS == "windows" {
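Review bot: the chmod inside the `config.TempDir != ""` block targets the wrong path: `os.Chmod(config.Root, 0700)` re-applies the mode to Root (already done a few lines up) and never tightens a TempDir left at 0o711 by an older release, which is exactly the upgrade case the comment says it handles. It should read `os.Chmod(config.TempDir, 0700)`. The backport carries the line verbatim from the upstream commit named in Upstream-Status, so it is worth raising upstream as well as fixing in the kirkstone patch. Separately, this hunk introduces os.Chmod calls without an accompanying import hunk for "os" (cri.go needed one); fine if server.go already imports it, otherwise the build will fail.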
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index dd621705..264d37a6 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -10,6 +10,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
> file://0001-Makefile-allow-GO_BUILD_FLAGS-to-be-externally-speci.patch \
> file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
> file://CVE-2024-40635.patch \
> + file://CVE-2024-25621.patch \
> "
>
> # Apache-2.0 for containerd
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9436): https://lists.yoctoproject.org/g/meta-virtualization/message/9436
> Mute This Topic: https://lists.yoctoproject.org/mt/116217319/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
In message: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../CVE-2025-64329.patch | 80 +++++++++++++++++++
> .../containerd-opencontainers_git.bb | 1 +
> 2 files changed, 81 insertions(+)
> create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
>
> diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> new file mode 100644
> index 00000000..a3cc5e85
> --- /dev/null
> +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> @@ -0,0 +1,80 @@
> +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
> +From: wheat2018 <1151937289@qq.com>
> +Date: Tue, 13 Aug 2024 15:56:31 +0800
> +Subject: [PATCH] fix goroutine leak of container Attach
> +
> +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
> +never finish if it attaches to a container without any stdout or stderr
> +output. Wait for http context cancel and break the pipe actively to
> +address the issue.
> +
> +Signed-off-by: wheat2018 <1151937289@qq.com>
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +
> +Excluded pkg/cri/sbserver/container_attach.go changes as the file not
> +present in our current vrsion 1.6.19
> +
> +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
> +CVE: CVE-2025-64329
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/cri/io/container_io.go | 14 +++++++++++---
> + pkg/cri/server/container_attach.go | 2 +-
> + 2 files changed, 12 insertions(+), 4 deletions(-)
> +
> +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
> +index 70bc8b789..e1584100f 100644
> +--- a/pkg/cri/io/container_io.go
> ++++ b/pkg/cri/io/container_io.go
> +@@ -17,6 +17,7 @@
> + package io
> +
> + import (
> ++ "context"
> + "errors"
> + "io"
> + "strings"
> +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
> +
> + // Attach attaches container stdio.
> + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
> +-func (c *ContainerIO) Attach(opts AttachOptions) {
> ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
> + var wg sync.WaitGroup
> + key := util.GenerateID()
> + stdinKey := streamKey(c.id, "attach-"+key, Stdin)
> +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
> + }
> +
> + attachStream := func(key string, close <-chan struct{}) {
> +- <-close
> +- logrus.Infof("Attach stream %q closed", key)
> ++ select {
> ++ case <-close:
> ++ logrus.Infof("Attach stream %q closed", key)
> ++ case <-ctx.Done():
> ++ logrus.Infof("Attach client of %q cancelled", key)
> ++ // Avoid writeGroup heap up
> ++ c.stdoutGroup.Remove(key)
> ++ c.stderrGroup.Remove(key)
> ++ }
> + // Make sure stdin gets closed.
> + if stdinStreamRC != nil {
> + stdinStreamRC.Close()
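Review bot: on the `<-ctx.Done()` path the key is removed from stdoutGroup/stderrGroup explicitly, while on the `<-close` path it is not; presumably the close channel only fires once the group has already dropped the writer, which is why the "Avoid writeGroup heap up" comment applies to the cancel branch alone. A one-line comment stating that would save the next reader from re-deriving it. Also, a client disconnect is a routine event, so logging "Attach client of %q cancelled" at Info level will be noisy on busy nodes; Debugf would be more appropriate (the existing close branch already logs at Info, so this is a consistency call either way).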
> +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
> +index a95215051..3625229f9 100644
> +--- a/pkg/cri/server/container_attach.go
> ++++ b/pkg/cri/server/container_attach.go
> +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
> + },
> + }
> + // TODO(random-liu): Figure out whether we need to support historical output.
> +- cntr.IO.Attach(opts)
> ++ cntr.IO.Attach(ctx, opts)
> + return nil
> + }
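Review bot: (*ContainerIO).Attach now takes a context, so every caller must be updated or the build breaks; the cover note says the sbserver variant is absent in 1.6.19, so this one call site in pkg/cri/server should be the only one, but a `go build ./...` on the patched tree is the quick way to confirm. Passing the request ctx here is what makes the fix effective: the monitor goroutine now exits when the attaching client goes away, rather than waiting for stdout/stderr activity that a quiet container never produces.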
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index 264d37a6..05683d26 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
> file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
> file://CVE-2024-40635.patch \
> file://CVE-2024-25621.patch \
> + file://CVE-2025-64329.patch \
> "
>
> # Apache-2.0 for containerd
> --
> 2.25.1
>
>
>
Thread overview: 6+ messages
2025-11-10 11:30 [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 vanusuri
2025-11-10 11:30 ` [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 vanusuri
2025-12-02 1:11 ` Bruce Ashfield
2025-12-02 2:48 ` Vijay Anusuri
2025-12-02 4:45 ` Bruce Ashfield
2025-11-19 23:28 ` Bruce Ashfield [this message]