!209 fix CVE-2024-40635

From: @jade_t 
Reviewed-by: @xuxuepeng 
Signed-off-by: @xuxuepeng

containerd.spec

@@ -2,7 +2,7 @@
 %global debug_package %{nil}
 Version:        1.6.22
 Name:           containerd
-Release:        11
+Release:        16
 Summary:        An industry-standard container runtime
 License:        ASL 2.0
 URL:            https://containerd.io
@@ -42,7 +42,7 @@ ln -fs $PWD $GO_BUILD_PATH/src/%{goipath}
 cd $GO_BUILD_PATH/src/%{goipath}
 export GO111MODULE=off
 export GOPATH=$GO_BUILD_PATH:%{gopath}
-export BUILDTAGS="no_btrfs no_cri"
+export BUILDTAGS="no_btrfs"
 make
 
 %install
@@ -68,6 +68,37 @@ install -D -p -m 0644 %{S:7} %{buildroot}%{_sysconfdir}/containerd/config.toml
 %exclude %{_bindir}/containerd-stress
 
 %changelog
+* Wed Mar 19 2025 dongyuzhen <dongyuzhen@h-partners.com> - 1.6.22-16
+- Type:CVE
+- ID:NA
+- SUG:NA
+- DESC:fix CVE-2024-40635
+
+* Wed Jun 12 2024 zhongjiawei <zhongjiawei1@huawei.com> - 1.6.22-15
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:modify make options
+
+* Tue May 21 2024 zhangzikang <zhangzikang@kylinos.cn> - 1.6.22-14
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:add loong64 to THP patch, fix build error for loongarch64
+       fix incorrect dates
+
+* Tue Apr 23 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.6.22-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:enable cri
+
+* Sun Apr 07 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1.6.22-12
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:modify Makefile for go build options
+
 * Thu Mar 21 2024 tiberium<jinzhe.oerv@isrc.iscas.ac.cn> - 1.6.22-11
 - Type:bugfix
 - ID:NA
@@ -134,7 +165,7 @@ install -D -p -m 0644 %{S:7} %{buildroot}%{_sysconfdir}/containerd/config.toml
 - SUG:NA
 - DESC:upgrade to contained 1.6.22
 
-* Fri July 21 2023 vegbir<yangjiaqi16@huawei.com> - 1.6.21-1
+* Fri Jul 21 2023 vegbir<yangjiaqi16@huawei.com> - 1.6.21-1
 - Type:bugfix
 - ID:NA
 - SUG:NA
@@ -164,7 +195,7 @@ install -D -p -m 0644 %{S:7} %{buildroot}%{_sysconfdir}/containerd/config.toml
 - SUG:NA
 - DESC:fix CVE-2023-25153 and CVE-2023-25173
 
-* Thu Dec 16 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-308
+* Fri Dec 16 2022 zhongjiawei<zhongjiawei1@huawei.com> - 1.2.0-308
 - Type:bugfix
 - ID:NA
 - SUG:NA

git-commit

@@ -1 +1 @@
-4d153fc0e0ed7a2cf8b54c7de8632cbe7a4281ec
+4d7c825e5bf216b911a4f8fee207ca9a73c3a242

patch/0034-containerd-disable-Transparent-HugePage-for-shim-pro.patch

@@ -11,12 +11,14 @@ Subject: [PATCH] containerd:disable Transparent HugePage for shim process if
  sys/thp_amd64.go                              |  3 ++
  sys/thp_arm64.go                              |  3 ++
  sys/thp_riscv64.go                            |  3 ++
+ sys/thp_loong64.go                            |  3 ++
  .../github.com/containerd/go-runc/monitor.go  | 54 ++++++++++++-------
- 7 files changed, 104 insertions(+), 20 deletions(-)
+ 8 files changed, 107 insertions(+), 20 deletions(-)
  create mode 100644 sys/thp.go
  create mode 100644 sys/thp_amd64.go
  create mode 100644 sys/thp_arm64.go
  create mode 100644 sys/thp_riscv64.go
+ create mode 100644 sys/thp_loong64.go
 
 diff --git a/runtime/v1/shim/client/client.go b/runtime/v1/shim/client/client.go
 index 965a5cf..af4917c 100644
@@ -147,6 +149,15 @@ index 0000000..a6db8d6
 +package sys
 +
 +const PRCTL_SYSCALL = 167
+diff --git a/sys/thp_loong64.go b/sys/thp_loong64.go
+new file mode 100644
+index 0000000..a6db8d6
+--- /dev/null
++++ b/sys/thp_loong64.go
+@@ -0,0 +1,3 @@
++package sys
++
++const PRCTL_SYSCALL = 167
 diff --git a/vendor/github.com/containerd/go-runc/monitor.go b/vendor/github.com/containerd/go-runc/monitor.go
 index 73c8ac1..c7b4451 100644
 --- a/vendor/github.com/containerd/go-runc/monitor.go

patch/0035-containerd-modify-Makefile-for-go-build-options.patch

@@ -0,0 +1,62 @@
+From 9683e5c946c3f72aaa13822e485b17197f5e3ff7 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Sun, 7 Apr 2024 09:54:07 +0800
+Subject: [PATCH] =?UTF-8?q?containerd=EF=BC=9Amodify=20Makefile=20for=20go?=
+ =?UTF-8?q?=20build=20options?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ Makefile | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 8bf9530..9d3b3e5 100644
+--- a/Makefile
++++ b/Makefile
+@@ -97,7 +97,7 @@ GO_TAGS=$(if $(GO_BUILDTAGS),-tags "$(strip $(GO_BUILDTAGS))",)
+ BEP_DIR=/tmp/containerd-build-bep
+ BEP_FLAGS=-tmpdir=/tmp/containerd-build-bep
+ 
+-GO_LDFLAGS=-ldflags ' -buildid=IdByIsula -extldflags=-Wl,-z,relro,-z,now $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(EXTRA_LDFLAGS)'
++GO_LDFLAGS=-ldflags ' -buildid=IdByIsula -extldflags=-Wl,-z,relro,-z,now $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION)'
+ SHIM_GO_LDFLAGS=-ldflags '-extldflags=-static' -ldflags '-buildid=IdByIsula $(BEP_FLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) -linkmode=external -extldflags=-Wl,-z,relro,-z,now'
+ 
+ # Project packages.
+@@ -246,7 +246,7 @@ bin/%: cmd/% FORCE
+ 	CGO_CPPFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+-	go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${GO_LDFLAGS} ${GO_TAGS}  ./$<
++	go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${SHIM_GO_LDFLAGS} ${GO_TAGS}  ./$<
+ 
+ bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ 	@echo "$(WHALE) $@"
+@@ -259,11 +259,21 @@ bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a sta
+ 
+ bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ 	@echo "$(WHALE) $@"
+-	@CGO_ENABLED=${SHIM_CGO_ENABLED} $(GO) build ${GO_BUILD_FLAGS} -o $@ ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v1
++	CGO_ENABLED=1 \
++	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
++	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++	$(GO) build -buildmode=pie ${GO_BUILD_FLAGS} -o $@ ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v1
+ 
+ bin/containerd-shim-runc-v2: cmd/containerd-shim-runc-v2 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ 	@echo "$(WHALE) $@"
+-	@CGO_ENABLED=${SHIM_CGO_ENABLED} $(GO) build ${GO_BUILD_FLAGS} -o $@ ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v2
++	CGO_ENABLED=1 \
++	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
++	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
++	$(GO) build -buildmode=pie ${GO_BUILD_FLAGS} -o $@ ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v2
+ 
+ binaries: $(BINARIES) ## build binaries
+ 	@echo "$(WHALE) $@"
+-- 
+2.33.0
+

patch/0036-containerd-modify-makefile-options.patch

@@ -0,0 +1,60 @@
+From c4c6839a0284188abc5d931e73a73f9730f0509a Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Wed, 12 Jun 2024 11:25:10 +0800
+Subject: [PATCH] containerd:modify makefile options
+
+---
+ Makefile | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 9d3b3e5..09957ce 100644
+--- a/Makefile
++++ b/Makefile
+@@ -242,8 +242,8 @@ bin/%: cmd/% FORCE
+ 	mkdir -p $(BEP_DIR)
+ 	@echo "$(WHALE) $@${BINARY_SUFFIX}"
+ 	CGO_ENABLED=1 \
+-	CGO_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
+-	CGO_CPPFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CPPFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	go build ${GO_GCFLAGS} ${GO_BUILD_FLAGS} -o $@${BINARY_SUFFIX} ${SHIM_GO_LDFLAGS} ${GO_TAGS}  ./$<
+@@ -251,8 +251,8 @@ bin/%: cmd/% FORCE
+ bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ 	@echo "$(WHALE) $@"
+ 	CGO_ENABLED=1 \
+-	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+-	CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CFLAGS="-fstack-protector-all -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CPPFLAGS="-fstack-protector-all -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	go build -buildmode=pie ${GO_BUILD_FLAGS} -o bin/containerd-shim ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim
+@@ -260,8 +260,8 @@ bin/containerd-shim: cmd/containerd-shim FORCE # set !cgo and omit pie for a sta
+ bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ 	@echo "$(WHALE) $@"
+ 	CGO_ENABLED=1 \
+-	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+-	CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CFLAGS="-fstack-protector-all -fPIC -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CPPFLAGS="-fstack-protector-all -fPIC -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	$(GO) build -buildmode=pie ${GO_BUILD_FLAGS} -o $@ ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v1
+@@ -269,8 +269,8 @@ bin/containerd-shim-runc-v1: cmd/containerd-shim-runc-v1 FORCE # set !cgo and om
+ bin/containerd-shim-runc-v2: cmd/containerd-shim-runc-v2 FORCE # set !cgo and omit pie for a static shim build: https://github.com/golang/go/issues/17789#issuecomment-258542220
+ 	@echo "$(WHALE) $@"
+ 	CGO_ENABLED=1 \
+-	CGO_CFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
+-	CGO_CPPFLAGS="-fstack-protector-strong -fPIE -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CFLAGS="-fstack-protector-all -fPIC -D_FORTIFY_SOURCE=2 -O2" \
++	CGO_CPPFLAGS="-fstack-protector-all -fPIC -D_FORTIFY_SOURCE=2 -O2" \
+ 	CGO_LDFLAGS_ALLOW='-Wl,-z,relro,-z,now' \
+ 	CGO_LDFLAGS="-Wl,-z,relro,-z,now -Wl,-z,noexecstack" \
+ 	$(GO) build -buildmode=pie ${GO_BUILD_FLAGS} -o $@ ${SHIM_GO_LDFLAGS} ${GO_TAGS} ./cmd/containerd-shim-runc-v2
+-- 
+2.33.0
+

patch/0037-containerd-fix-CVE-2024-40635.patch

@@ -0,0 +1,177 @@
+From 9639b9625554183d0c4d8d072dccb84fedd2320f Mon Sep 17 00:00:00 2001
+From: Craig Ingram <Cjingram@google.com>
+Date: Fri, 7 Mar 2025 13:27:58 +0000
+Subject: [PATCH] validate uid/gid
+
+Signed-off-by: Craig Ingram <Cjingram@google.com>
+---
+ oci/spec_opts.go            | 24 ++++++++--
+ oci/spec_opts_linux_test.go | 92 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 112 insertions(+), 4 deletions(-)
+
+diff --git a/oci/spec_opts.go b/oci/spec_opts.go
+index 65811fc..4bcacc6 100644
+--- a/oci/spec_opts.go
++++ b/oci/spec_opts.go
+@@ -22,6 +22,7 @@ import (
+ 	"encoding/json"
+ 	"errors"
+ 	"fmt"
++	"math"
+ 	"os"
+ 	"path/filepath"
+ 	"runtime"
+@@ -582,6 +583,20 @@ func WithUser(userstr string) SpecOpts {
+ 		defer ensureAdditionalGids(s)
+ 		setProcess(s)
+ 		s.Process.User.AdditionalGids = nil
++		// While the Linux kernel allows the max UID to be MaxUint32 - 2,
++                // and the OCI Runtime Spec has no definition about the max UID,
++                // the runc implementation is known to require the UID to be <= MaxInt32.
++                //
++                // containerd follows runc's limitation here.
++                //
++                // In future we may relax this limitation to allow MaxUint32 - 2,
++                // or, amend the OCI Runtime Spec to codify the implementation limitation.
++		const (
++			minUserID  = 0
++			maxUserID  = math.MaxInt32
++			minGroupID = 0
++			maxGroupID = math.MaxInt32
++		)
+ 
+ 		// For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't
+ 		// mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the
+@@ -598,8 +613,8 @@ func WithUser(userstr string) SpecOpts {
+ 		switch len(parts) {
+ 		case 1:
+ 			v, err := strconv.Atoi(parts[0])
+-			if err != nil {
+-				// if we cannot parse as a uint they try to see if it is a username
++			if err != nil || v < minUserID || v > maxUserID {
++				// if we cannot parse as an int32 then try to see if it is a username
+ 				return WithUsername(userstr)(ctx, client, c, s)
+ 			}
+ 			return WithUserID(uint32(v))(ctx, client, c, s)
+@@ -610,12 +625,13 @@ func WithUser(userstr string) SpecOpts {
+ 			)
+ 			var uid, gid uint32
+ 			v, err := strconv.Atoi(parts[0])
+-			if err != nil {
++			if err != nil || v < minUserID || v > maxUserID {
+ 				username = parts[0]
+ 			} else {
+ 				uid = uint32(v)
+ 			}
+-			if v, err = strconv.Atoi(parts[1]); err != nil {
++			v, err = strconv.Atoi(parts[1])
++			if err != nil || v < minGroupID || v > maxGroupID {
+ 				groupname = parts[1]
+ 			} else {
+ 				gid = uint32(v)
+diff --git a/oci/spec_opts_linux_test.go b/oci/spec_opts_linux_test.go
+index 60f3ced..fd77d22 100644
+--- a/oci/spec_opts_linux_test.go
++++ b/oci/spec_opts_linux_test.go
+@@ -31,6 +31,98 @@ import (
+ 	"golang.org/x/sys/unix"
+ )
+ 
++//nolint:gosec
++func TestWithUser(t *testing.T) {
++	t.Parallel()
++
++	expectedPasswd := `root:x:0:0:root:/root:/bin/ash
++guest:x:405:100:guest:/dev/null:/sbin/nologin
++`
++	expectedGroup := `root:x:0:root
++bin:x:1:root,bin,daemon
++daemon:x:2:root,bin,daemon
++sys:x:3:root,bin,adm
++guest:x:100:guest
++`
++	td := t.TempDir()
++	apply := fstest.Apply(
++		fstest.CreateDir("/etc", 0777),
++		fstest.CreateFile("/etc/passwd", []byte(expectedPasswd), 0777),
++		fstest.CreateFile("/etc/group", []byte(expectedGroup), 0777),
++	)
++	if err := apply.Apply(td); err != nil {
++		t.Fatalf("failed to apply: %v", err)
++	}
++	c := containers.Container{ID: t.Name()}
++	testCases := []struct {
++		user        string
++		expectedUID uint32
++		expectedGID uint32
++		err         string
++	}{
++		{
++			user:        "0",
++			expectedUID: 0,
++			expectedGID: 0,
++		},
++		{
++			user:        "root:root",
++			expectedUID: 0,
++			expectedGID: 0,
++		},
++		{
++			user:        "guest",
++			expectedUID: 405,
++			expectedGID: 100,
++		},
++		{
++			user:        "guest:guest",
++			expectedUID: 405,
++			expectedGID: 100,
++		},
++		{
++			user: "guest:nobody",
++			err:  "no groups found",
++		},
++		{
++			user:        "405:100",
++			expectedUID: 405,
++			expectedGID: 100,
++		},
++		{
++			user: "405:2147483648",
++			err:  "no groups found",
++		},
++		{
++			user: "-1000",
++			err:  "no users found",
++		},
++		{
++			user: "2147483648",
++			err:  "no users found",
++		},
++	}
++	for _, testCase := range testCases {
++		testCase := testCase
++		t.Run(testCase.user, func(t *testing.T) {
++			t.Parallel()
++			s := Spec{
++				Version: specs.Version,
++				Root: &specs.Root{
++					Path: td,
++				},
++				Linux: &specs.Linux{},
++			}
++			err := WithUser(testCase.user)(context.Background(), nil, &c, &s)
++			if err != nil {
++				assert.EqualError(t, err, testCase.err)
++			}
++			assert.Equal(t, testCase.expectedUID, s.Process.User.UID)
++			assert.Equal(t, testCase.expectedGID, s.Process.User.GID)
++		})
++	}
++}
++
+ //nolint:gosec
+ func TestWithUserID(t *testing.T) {
+ 	t.Parallel()
+-- 
+2.43.0
+

series.conf

@@ -31,3 +31,6 @@ patch/0031-containerd-fix-some-containerd-bug.patch
 patch/0032-containerd-vendor-golang.org-x-net-v0.17.0.patch
 patch/0033-containerd-Fix-missing-closed-fifo.patch
 patch/0034-containerd-disable-Transparent-HugePage-for-shim-pro.patch
+patch/0035-containerd-modify-Makefile-for-go-build-options.patch
+patch/0036-containerd-modify-makefile-options.patch
+patch/0037-containerd-fix-CVE-2024-40635.patch