From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: vanusuri@mvista.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
Date: Mon, 1 Dec 2025 20:11:54 -0500
Message-ID: <aS482uMvjz7PCB2Y@gmail.com>
In-Reply-To: <20251110113049.120549-2-vanusuri@mvista.com>
This patch says 2/2, but I can't find patch 1/2. What was the
subject of 1/2? Or rather than just telling me the subject, if
you resend it, that would be great.
Bruce
In message: [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329
on 10/11/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> From: Vijay Anusuri <vanusuri@mvista.com>
>
> Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../CVE-2025-64329.patch | 80 +++++++++++++++++++
> .../containerd-opencontainers_git.bb | 1 +
> 2 files changed, 81 insertions(+)
> create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
>
> diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> new file mode 100644
> index 00000000..a3cc5e85
> --- /dev/null
> +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
> @@ -0,0 +1,80 @@
> +From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
> +From: wheat2018 <1151937289@qq.com>
> +Date: Tue, 13 Aug 2024 15:56:31 +0800
> +Subject: [PATCH] fix goroutine leak of container Attach
> +
> +The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
> +never finish if it attaches to a container without any stdout or stderr
> +output. Wait for http context cancel and break the pipe actively to
> +address the issue.
> +
> +Signed-off-by: wheat2018 <1151937289@qq.com>
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
> +Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
> +
> +Excluded pkg/cri/sbserver/container_attach.go changes as the file is not
> +present in our current version 1.6.19
> +
> +Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
> +CVE: CVE-2025-64329
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + pkg/cri/io/container_io.go | 14 +++++++++++---
> + pkg/cri/server/container_attach.go | 2 +-
> + 2 files changed, 12 insertions(+), 4 deletions(-)
> +
> +diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
> +index 70bc8b789..e1584100f 100644
> +--- a/pkg/cri/io/container_io.go
> ++++ b/pkg/cri/io/container_io.go
> +@@ -17,6 +17,7 @@
> + package io
> +
> + import (
> ++ "context"
> + "errors"
> + "io"
> + "strings"
> +@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
> +
> + // Attach attaches container stdio.
> + // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
> +-func (c *ContainerIO) Attach(opts AttachOptions) {
> ++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
> + var wg sync.WaitGroup
> + key := util.GenerateID()
> + stdinKey := streamKey(c.id, "attach-"+key, Stdin)
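Review bot: the exported signature change at `-func (c *ContainerIO) Attach(opts AttachOptions) {` / `+func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {` breaks every caller of Attach in pkg/cri, and the backport note above only says the sbserver caller was dropped because that file does not exist in 1.6.19; the second file in this patch updates pkg/cri/server alone, so the backport should come with a check (for example `grep -rn 'IO.Attach(' pkg/`) that no other caller remains in the 1.6 tree, otherwise the recipe fails at compile time. The doc comment `// Attach attaches container stdio.` could also state the new contract, namely that cancelling ctx detaches the client and removes its writers.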
> +@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
> + }
> +
> + attachStream := func(key string, close <-chan struct{}) {
> +- <-close
> +- logrus.Infof("Attach stream %q closed", key)
> ++ select {
> ++ case <-close:
> ++ logrus.Infof("Attach stream %q closed", key)
> ++ case <-ctx.Done():
> ++ logrus.Infof("Attach client of %q cancelled", key)
> ++ // Avoid writeGroup heap up
> ++ c.stdoutGroup.Remove(key)
> ++ c.stderrGroup.Remove(key)
> ++ }
> + // Make sure stdin gets closed.
> + if stdinStreamRC != nil {
> + stdinStreamRC.Close()
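Review bot: in the `case <-ctx.Done():` branch, `c.stdoutGroup.Remove(key)` and `c.stderrGroup.Remove(key)` are called unconditionally, while an attach may have registered a writer in only one of the two groups (stdout-only or stderr-only attach); the patch therefore relies on Remove being a no-op for a key that was never added, which should be confirmed against the WriterGroup implementation actually shipped in 1.6.19 rather than assumed from the upstream tree. The `case <-close:` branch keeps the pre-patch behaviour and removes nothing, so the new cleanup covers only the client-cancellation path, which is the scope the commit message claims. Minor and pre-existing: the parameter named `close` shadows the builtin, fine to leave untouched in a pure backport.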
> +diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
> +index a95215051..3625229f9 100644
> +--- a/pkg/cri/server/container_attach.go
> ++++ b/pkg/cri/server/container_attach.go
> +@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
> + },
> + }
> + // TODO(random-liu): Figure out whether we need to support historical output.
> +- cntr.IO.Attach(opts)
> ++ cntr.IO.Attach(ctx, opts)
> + return nil
> + }
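Review bot: the fix only terminates the monitor goroutine if the `ctx` handed over at `+ cntr.IO.Attach(ctx, opts)` is actually cancelled when the streaming client disconnects, which is what the upstream message means by "Wait for http context cancel". For this backport it is worth confirming that attachContainer's ctx in 1.6.19 is the per-request context of the streaming server and not a longer-lived service context; if it is the latter, the goroutine and its pipe still leak exactly as before and the CVE tag on the recipe would be misleading.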
> +--
> +2.25.1
> +
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index 264d37a6..05683d26 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
> file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
> file://CVE-2024-40635.patch \
> file://CVE-2024-25621.patch \
> + file://CVE-2025-64329.patch \
> "
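Review bot: the context line `file://CVE-2024-25621.patch \` in this hunk only exists once patch 1/2 of this series (the CVE-2024-25621 fix listed in the thread overview) has been applied, so 2/2 does not apply on its own against the current kirkstone branch; that is the practical consequence of the missing 1/2 the maintainer asks about above. The commit message also carries nothing but the Upstream-Status line; a one-sentence summary of the issue (monitor goroutine of a CRI attach never exits when the container emits no stdout/stderr) would help anyone tracing the CVE in the kirkstone history.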
>
> # Apache-2.0 for containerd
> --
> 2.25.1
>
>
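The mechanism the quoted commit message describes (a monitor goroutine that waits on a stream-closed channel and therefore never returns for a silent container, fixed by also selecting on the request context and breaking the pipe) is easy to reproduce in a few lines. The following is an added example written for this page, not code from the patch or from containerd: `writerGroup` is an assumed stand-in for the role cioutil's WriterGroup plays in ContainerIO (keyed writers, Remove closes the writer), `attach` mimics the shape of the patched `(*ContainerIO).Attach` for a single stream, and the `withCtx` flag switches between the pre-patch and patched monitor. The `wait` bound exists only so the example can report a leak instead of hanging; a real leak is unbounded.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"sync"
	"time"
)

// writerGroup is a stand-in (an assumption, not containerd's code) for the
// WriterGroup that ContainerIO keeps for stdout and stderr: keyed writers
// that container output is fanned out to. Remove closes the writer, so a
// goroutine blocked reading the other end of the pipe sees EOF.
type writerGroup struct {
	mu      sync.Mutex
	writers map[string]io.WriteCloser
}

func newWriterGroup() *writerGroup {
	return &writerGroup{writers: make(map[string]io.WriteCloser)}
}

func (g *writerGroup) Add(key string, w io.WriteCloser) {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.writers[key] = w
}

// Remove is a no-op for an unknown key: an attach may have registered a
// writer in only one of the stdout/stderr groups.
func (g *writerGroup) Remove(key string) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if w, ok := g.writers[key]; ok {
		w.Close()
		delete(g.writers, key)
	}
}

func (g *writerGroup) Len() int {
	g.mu.Lock()
	defer g.mu.Unlock()
	return len(g.writers)
}

// attachResult reports how the monitor goroutine of one attach finished and
// how many writers that attach left registered in the group.
type attachResult struct {
	Reason     string // "closed", "cancelled" or "leaked"
	Registered int
}

// attach mimics (*ContainerIO).Attach for a single stream. withCtx=false is
// the pre-patch monitor, which only waits on the close channel; withCtx=true
// adds the ctx.Done() case and the Remove call from the patch.
func attach(ctx context.Context, group *writerGroup, key string, client io.Writer, withCtx bool, wait time.Duration) attachResult {
	pr, pw := io.Pipe()
	group.Add(key, pw)

	closed := make(chan struct{})
	go func() {
		// Drain container output to the client. Returns only when the pipe
		// is closed, either by the container side or by Remove.
		io.Copy(client, pr)
		close(closed)
	}()

	done := make(chan string, 1)
	go func() {
		if !withCtx {
			<-closed // blocks forever if the container never writes or exits
			done <- "closed"
			return
		}
		select {
		case <-closed:
			done <- "closed"
		case <-ctx.Done():
			group.Remove(key) // break the pipe so the copy goroutine exits
			done <- "cancelled"
		}
	}()

	select {
	case r := <-done:
		return attachResult{Reason: r, Registered: group.Len()}
	case <-time.After(wait):
		return attachResult{Reason: "leaked", Registered: group.Len()}
	}
}

func main() {
	// Scenario: the client disconnects (ctx cancelled) while the container stays silent.
	ctx, cancel := context.WithCancel(context.Background())
	cancel()

	old := attach(ctx, newWriterGroup(), "attach-old", io.Discard, false, 200*time.Millisecond)
	fixed := attach(ctx, newWriterGroup(), "attach-new", io.Discard, true, 200*time.Millisecond)
	fmt.Printf("pre-patch: %+v\n", old)   // {Reason:leaked Registered:1}
	fmt.Printf("patched:   %+v\n", fixed) // {Reason:cancelled Registered:0}
}
```

The pre-patch run leaves the pipe registered and two goroutines parked for the life of the process, which is the resource exhaustion the CVE tag refers to when a client repeatedly attaches to a quiet container and walks away; the patched run unregisters the writer and lets both goroutines exit as soon as the context is cancelled, and a stream that the container side closes normally still takes the `closed` path.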
Thread overview: 6+ messages
2025-11-10 11:30 [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 vanusuri
2025-11-10 11:30 ` [meta-virtualization][kirkstone][PATCH 2/2] containerd-opencontainers: fix CVE-2025-64329 vanusuri
2025-12-02 1:11 ` Bruce Ashfield [this message]
2025-12-02 2:48 ` Vijay Anusuri
2025-12-02 4:45 ` Bruce Ashfield
2025-11-19 23:28 ` [meta-virtualization][kirkstone][PATCH 1/2] containerd-opencontainers: fix CVE-2024-25621 Bruce Ashfield