containerd-opencontainers: fix CVE-2025-64329

Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750 Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2025-11-10 17:00:49 +0530
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-11-19 18:28:22 -0500
commit: 4da521b4440f57b10ba70091ee0e31b1085e665e (patch)
tree: 737324c5249eb495ecb2ece3be584e19a0365725
parent: 9f4afbb21a91eab9917a25811f1d2ba7d223e071 (diff)
download: meta-virtualization-4da521b4440f57b10ba70091ee0e31b1085e665e.tar.gz
2 files changed, 81 insertions, 0 deletions
diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
new file mode 100644
index 00000000..a3cc5e85
--- /dev/null
+++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
@@ -0,0 +1,80 @@
+From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
+From: wheat2018 <1151937289@qq.com>
+Date: Tue, 13 Aug 2024 15:56:31 +0800
+Subject: [PATCH] fix goroutine leak of container Attach
+The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
+never finish if it attaches to a container without any stdout or stderr
+output. Wait for http context cancel and break the pipe actively to
+address the issue.
+Signed-off-by: wheat2018 <1151937289@qq.com>
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
+Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
+Excluded pkg/cri/sbserver/container_attach.go changes as the file not
+present in our current vrsion 1.6.19
+Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
+CVE: CVE-2025-64329
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/cri/io/container_io.go         | 14 +++++++++++---
+ pkg/cri/server/container_attach.go |  2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b789..e1584100f 100644
+--- a/pkg/cri/io/container_io.go
+++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+ 
+ import (
+       "context"
+        "errors"
+        "io"
+        "strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+ 
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
+func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+        var wg sync.WaitGroup
+        key := util.GenerateID()
+        stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+        }
+ 
+        attachStream := func(key string, close <-chan struct{}) {
+-               <-close
+-               logrus.Infof("Attach stream %q closed", key)
+               select {
+               case <-close:
+                       logrus.Infof("Attach stream %q closed", key)
+               case <-ctx.Done():
+                       logrus.Infof("Attach client of %q cancelled", key)
+                       // Avoid writeGroup heap up
+                       c.stdoutGroup.Remove(key)
+                       c.stderrGroup.Remove(key)
+               }
+                // Make sure stdin gets closed.
+                if stdinStreamRC != nil {
+                        stdinStreamRC.Close()
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index a95215051..3625229f9 100644
+--- a/pkg/cri/server/container_attach.go
+++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+                },
+        }
+        // TODO(random-liu): Figure out whether we need to support historical output.
+-       cntr.IO.Attach(opts)
+       cntr.IO.Attach(ctx, opts)
+        return nil
+ }
+-- 
+2.25.1
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 264d37a6..05683d26 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
           file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
           file://CVE-2024-40635.patch \
           file://CVE-2024-25621.patch \
+           file://CVE-2025-64329.patch \
          "
 # Apache-2.0 for containerd
author	Vijay Anusuri <vanusuri@mvista.com>	2025-11-10 17:00:49 +0530
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2025-11-19 18:28:22 -0500
commit	4da521b4440f57b10ba70091ee0e31b1085e665e (patch)
tree	737324c5249eb495ecb2ece3be584e19a0365725
parent	9f4afbb21a91eab9917a25811f1d2ba7d223e071 (diff)
download	meta-virtualization-4da521b4440f57b10ba70091ee0e31b1085e665e.tar.gz

diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch new file mode 100644 index 00000000..a3cc5e85 --- /dev/null +++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
@@ -0,0 +1,80 @@
		1	From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
		2	From: wheat2018 <1151937289@qq.com>
		3	Date: Tue, 13 Aug 2024 15:56:31 +0800
		4	Subject: [PATCH] fix goroutine leak of container Attach
		5
		6	The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
		7	never finish if it attaches to a container without any stdout or stderr
		8	output. Wait for http context cancel and break the pipe actively to
		9	address the issue.
		10
		11	Signed-off-by: wheat2018 <1151937289@qq.com>
		12	Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
		13	(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
		14	Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
		15
		16	Excluded pkg/cri/sbserver/container_attach.go changes as the file not
		17	present in our current vrsion 1.6.19
		18
		19	Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
		20	CVE: CVE-2025-64329
		21	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		22	---
		23	pkg/cri/io/container_io.go \| 14 +++++++++++---
		24	pkg/cri/server/container_attach.go \| 2 +-
		25	2 files changed, 12 insertions(+), 4 deletions(-)
		26
		27	diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
		28	index 70bc8b789..e1584100f 100644
		29	--- a/pkg/cri/io/container_io.go
		30	+++ b/pkg/cri/io/container_io.go
		31	@@ -17,6 +17,7 @@
		32	package io
		33
		34	import (
		35	+ "context"
		36	"errors"
		37	"io"
		38	"strings"
		39	@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
		40
		41	// Attach attaches container stdio.
		42	// TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
		43	-func (c *ContainerIO) Attach(opts AttachOptions) {
		44	+func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
		45	var wg sync.WaitGroup
		46	key := util.GenerateID()
		47	stdinKey := streamKey(c.id, "attach-"+key, Stdin)
		48	@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
		49	}
		50
		51	attachStream := func(key string, close <-chan struct{}) {
		52	- <-close
		53	- logrus.Infof("Attach stream %q closed", key)
		54	+ select {
		55	+ case <-close:
		56	+ logrus.Infof("Attach stream %q closed", key)
		57	+ case <-ctx.Done():
		58	+ logrus.Infof("Attach client of %q cancelled", key)
		59	+ // Avoid writeGroup heap up
		60	+ c.stdoutGroup.Remove(key)
		61	+ c.stderrGroup.Remove(key)
		62	+ }
		63	// Make sure stdin gets closed.
		64	if stdinStreamRC != nil {
		65	stdinStreamRC.Close()
		66	diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
		67	index a95215051..3625229f9 100644
		68	--- a/pkg/cri/server/container_attach.go
		69	+++ b/pkg/cri/server/container_attach.go
		70	@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
		71	},
		72	}
		73	// TODO(random-liu): Figure out whether we need to support historical output.
		74	- cntr.IO.Attach(opts)
		75	+ cntr.IO.Attach(ctx, opts)
		76	return nil
		77	}
		78	--
		79	2.25.1
		80


diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb index 264d37a6..05683d26 100644 --- a/recipes-containers/containerd/containerd-opencontainers_git.bb +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
11	file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \	11	file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
12	file://CVE-2024-40635.patch \	12	file://CVE-2024-40635.patch \
13	file://CVE-2024-25621.patch \	13	file://CVE-2024-25621.patch \
		14	file://CVE-2025-64329.patch \
14	"	15	"
15		16
16	# Apache-2.0 for containerd	17	# Apache-2.0 for containerd