From 4da521b4440f57b10ba70091ee0e31b1085e665e Mon Sep 17 00:00:00 2001
From: Vijay Anusuri
Date: Mon, 10 Nov 2025 17:00:49 +0530
Subject: containerd-opencontainers: fix CVE-2025-64329
Upstream-Status: Backport from https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750
Signed-off-by: Vijay Anusuri
Signed-off-by: Bruce Ashfield
---
 .../containerd-opencontainers/CVE-2025-64329.patch | 80 ++++++++++++++++++++++
 .../containerd/containerd-opencontainers_git.bb | 1 +
 2 files changed, 81 insertions(+)
 create mode 100644 recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
diff --git a/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
new file mode 100644
index 00000000..a3cc5e85
--- /dev/null
+++ b/recipes-containers/containerd/containerd-opencontainers/CVE-2025-64329.patch
@@ -0,0 +1,80 @@
+From c575d1b5f4011f33b32f71ace75367a92b08c750 Mon Sep 17 00:00:00 2001
+From: wheat2018 <1151937289@qq.com>
+Date: Tue, 13 Aug 2024 15:56:31 +0800
+Subject: [PATCH] fix goroutine leak of container Attach
+
+The monitor goroutine (runs (*ContainerIO).Attach.func1) of Attach will
+never finish if it attaches to a container without any stdout or stderr
+output. Wait for http context cancel and break the pipe actively to
+address the issue.
+
+Signed-off-by: wheat2018 <1151937289@qq.com>
+Signed-off-by: Akihiro Suda
+(cherry picked from commit a0d0f0ef68935338d2c710db164fa7820f692530)
+Signed-off-by: Akihiro Suda
+
+Excluded pkg/cri/sbserver/container_attach.go changes as the file not
+present in our current vrsion 1.6.19
+
+Upstream-Status: Backport [https://github.com/containerd/containerd/commit/c575d1b5f4011f33b32f71ace75367a92b08c750]
+CVE: CVE-2025-64329
+Signed-off-by: Vijay Anusuri
+---
+ pkg/cri/io/container_io.go | 14 +++++++++++---
+ pkg/cri/server/container_attach.go | 2 +-
+ 2 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/pkg/cri/io/container_io.go b/pkg/cri/io/container_io.go
+index 70bc8b789..e1584100f 100644
+--- a/pkg/cri/io/container_io.go
++++ b/pkg/cri/io/container_io.go
+@@ -17,6 +17,7 @@
+ package io
+
+ import (
++ "context"
+ "errors"
+ "io"
+ "strings"
+@@ -134,7 +135,7 @@ func (c *ContainerIO) Pipe() {
+
+ // Attach attaches container stdio.
+ // TODO(random-liu): Use pools.Copy in docker to reduce memory usage?
+-func (c *ContainerIO) Attach(opts AttachOptions) {
++func (c *ContainerIO) Attach(ctx context.Context, opts AttachOptions) {
+ var wg sync.WaitGroup
+ key := util.GenerateID()
+ stdinKey := streamKey(c.id, "attach-"+key, Stdin)
+@@ -175,8 +176,15 @@ func (c *ContainerIO) Attach(opts AttachOptions) {
+ }
+
+ attachStream := func(key string, close <-chan struct{}) {
+- <-close
+- logrus.Infof("Attach stream %q closed", key)
++ select {
++ case <-close:
++ logrus.Infof("Attach stream %q closed", key)
++ case <-ctx.Done():
++ logrus.Infof("Attach client of %q cancelled", key)
++ // Avoid writeGroup heap up
++ c.stdoutGroup.Remove(key)
++ c.stderrGroup.Remove(key)
++ }
+ // Make sure stdin gets closed.
+ if stdinStreamRC != nil {
+ stdinStreamRC.Close()
+diff --git a/pkg/cri/server/container_attach.go b/pkg/cri/server/container_attach.go
+index a95215051..3625229f9 100644
+--- a/pkg/cri/server/container_attach.go
++++ b/pkg/cri/server/container_attach.go
+@@ -79,6 +79,6 @@ func (c *criService) attachContainer(ctx context.Context, id string, stdin io.Re
+ },
+ }
+ // TODO(random-liu): Figure out whether we need to support historical output.
+- cntr.IO.Attach(opts)
++ cntr.IO.Attach(ctx, opts)
+ return nil
+ }
+-- 
+2.25.1
+
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 264d37a6..05683d26 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -11,6 +11,7 @@ SRC_URI = "git://github.com/containerd/containerd;branch=release/1.6;protocol=ht
 file://0001-build-don-t-use-gcflags-to-define-trimpath.patch \
 file://CVE-2024-40635.patch \
 file://CVE-2024-25621.patch \
+ file://CVE-2025-64329.patch \
 "
 
 # Apache-2.0 for containerd
-- 
cgit v1.2.3-54-g00ecf
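Review bot: The new `case <-ctx.Done():` branch in attachStream (inner hunk `@@ -175,8 +176,15 @@` of pkg/cri/io/container_io.go) only ends the monitor goroutine if the ctx handed to Attach is the attaching client's request context that is cancelled on disconnect; with a long-lived or background context the goroutine would still never exit, which is the leak this backport is meant to close, so the exported doc comment should state that contract, e.g. `// Attach attaches container stdio. ctx should be the attaching client's request context; when it is cancelled the client's writers are removed from the stdout/stderr groups and the attach goroutines exit.` The comment `// Avoid writeGroup heap up` would be clearer as `// Detach this client's writers so the write groups do not accumulate stale entries after the client goes away.` Removing key from both groups in that branch presumably relies on Remove being a no-op for a key the group does not hold; worth confirming against the 1.6.19 implementation. The backport note says only the sbserver caller was dropped; any other in-tree caller of Attach would fail to build against the new signature, so a clean build of the recipe is the check that no caller was missed. The attachStream closure continues past the visible lines.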