Your message dated Tue, 29 Apr 2025 19:04:35 +0000
with message-id <[email protected]>
and subject line Bug#1100806: fixed in containerd 1.7.24~ds1-6
has caused the Debian Bug report #1100806,
regarding [SECURITY] [PATCH] Fix for CVE-2024-40635 in containerd
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1100806: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100806
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: containerd
Version: 1.6.20~ds1-1+deb12u1
Severity: important
Tags: security patch
User: [email protected]
Usertags: CVE-2024-40635

Dear Maintainer,

I'm submitting a patch for CVE-2024-40635 in the containerd package.

Vulnerability details:
- CVE ID: CVE-2024-40635
- Description: Integer overflow in UID/GID handling allows containers to run as root
- Affected versions: All versions prior to 1.6.38, 1.7.27, and 2.0.4
- Fixed upstream in: https://github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82

The vulnerability allows containers launched with a User set as a UID:GID
larger than the maximum 32-bit signed integer to cause an overflow condition
where the container ultimately runs as root (UID 0).

My patch adds validation for UID/GID values to prevent integer overflow, 
backported from the upstream fix. I've tested the patch and confirmed it 
correctly rejects values larger than MaxInt32.

The patch has been tested on Debian bookworm and works correctly.

Thank you for considering this contribution.

Best regards,
Mostafa Amin


Description: Fix integer overflow in UID/GID validation
 This patch adds validation to prevent integer overflow when parsing
 user IDs larger than MaxInt32, which could cause containers to run as root.
 .
 Without the fix, values larger than MaxInt32 are accepted and incorrectly
 converted to uint32, potentially allowing containers to run as root (UID 0).
 .
 CVE-2024-40635
Author: Mostafa Amin <[email protected]>
Origin: upstream, https://github.com/containerd/containerd/commit/11504c3fc5f45634f2d93d57743a998194430b82
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100806
Last-Update: 2025-04-14
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: containerd-1.6.20~ds1/oci/spec_opts.go
===================================================================
--- containerd-1.6.20~ds1.orig/oci/spec_opts.go
+++ containerd-1.6.20~ds1/oci/spec_opts.go
@@ -22,6 +22,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+    "math"
 	"os"
 	"path/filepath"
 	"runtime"
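Review bot: the added `"math"` import is indented with four spaces while the neighbouring imports (`"fmt"`, `"os"`) use a tab; gofmt will rewrite the line and a gofmt check in the package build would flag the patched file, so use a tab here to match the rest of the import block.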
@@ -582,6 +583,20 @@ func WithUser(userstr string) SpecOpts {
 		defer ensureAdditionalGids(s)
 		setProcess(s)
 		s.Process.User.AdditionalGids = nil
+        // While the Linux kernel allows the max UID to be MaxUint32 - 2,
+        // and the OCI Runtime Spec has no definition about the max UID,
+        // the runc implementation is known to require the UID to be <= MaxInt32.
+        //
+        // containerd follows runc's limitation here.
+        //
+        // In future we may relax this limitation to allow MaxUint32 - 2,
+        // or, amend the OCI Runtime Spec to codify the implementation limitation.
+ 		const (
+ 			minUserID  = 0
+ 			maxUserID  = math.MaxInt32
+ 			minGroupID = 0
+ 			maxGroupID = math.MaxInt32
+ 		)
 
 		// For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't
 		// mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the
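Review bot: the `const (` block and its four members carry a stray space after the `+` followed by tabs, and the comment lines above them are space-indented, so the whole addition is out of step with the tab-indented body of `WithUser`; a gofmt pass before submitting would normalise it. The bounds themselves are right for the fix: the lower bound of 0 sends negative inputs such as "-1000" down the name-lookup path, and the upper bound matches the runc limit the comment cites.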
@@ -598,8 +613,8 @@ func WithUser(userstr string) SpecOpts {
 		switch len(parts) {
 		case 1:
 			v, err := strconv.Atoi(parts[0])
-			if err != nil {
-				// if we cannot parse as a uint they try to see if it is a username
+			if err != nil || v < minUserID || v > maxUserID {
+				// if we cannot parse as an int32 then try to see if it is a username
 				return WithUsername(userstr)(ctx, client, c, s)
 			}
 			return WithUserID(uint32(v))(ctx, client, c, s)
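Review bot: the range check on `v` is only reached when `strconv.Atoi` succeeds, and on a 32-bit build Atoi already fails for anything above MaxInt32, so the new bounds matter on 64-bit hosts where `int` is 64 bits and the later `uint32(v)` narrowing would otherwise silently truncate. One usability point: an out-of-range number such as "2147483648" now takes the `WithUsername` path and surfaces as "no users found" (which is what the added test expects), so an operator gets no hint that the value was rejected for range rather than because the name is unknown; a one-line comment above the `return WithUsername(...)` saying that out-of-range IDs deliberately fall through to the lookup would spare the next reader that confusion.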
@@ -610,12 +625,13 @@ func WithUser(userstr string) SpecOpts {
 			)
 			var uid, gid uint32
 			v, err := strconv.Atoi(parts[0])
-			if err != nil {
+			if err != nil || v < minUserID || v > maxUserID {
 				username = parts[0]
 			} else {
 				uid = uint32(v)
 			}
-			if v, err = strconv.Atoi(parts[1]); err != nil {
+            v, err = strconv.Atoi(parts[1])
+ 			if err != nil || v < minGroupID || v > maxGroupID {
 				groupname = parts[1]
 			} else {
 				gid = uint32(v)
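Review bot: the two new lines `v, err = strconv.Atoi(parts[1])` and `if err != nil || v < minGroupID || v > maxGroupID {` are indented with spaces and with a leading space plus tabs respectively, unlike the tab-indented lines around them; run gofmt so the file stays consistent. Splitting the former single-line `if v, err = strconv.Atoi(parts[1]); err != nil {` into an assignment plus a separate condition is needed because `v` has to be inspected in the condition, and since `v` and `err` were declared with `:=` earlier in this case, plain `=` is correct and introduces no shadowing.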
Index: containerd-1.6.20~ds1/oci/spec_opts_linux_test.go
===================================================================
--- containerd-1.6.20~ds1.orig/oci/spec_opts_linux_test.go
+++ containerd-1.6.20~ds1/oci/spec_opts_linux_test.go
@@ -32,6 +32,97 @@ import (
 )
 
 //nolint:gosec
+func TestWithUser(t *testing.T) {
+ 	t.Parallel()
+
+ 	expectedPasswd := `root:x:0:0:root:/root:/bin/ash
+ guest:x:405:100:guest:/dev/null:/sbin/nologin
+ `
+ 	expectedGroup := `root:x:0:root
+ bin:x:1:root,bin,daemon
+ daemon:x:2:root,bin,daemon
+ sys:x:3:root,bin,adm
+ guest:x:100:guest
+ `
+ 	td := t.TempDir()
+ 	apply := fstest.Apply(
+ 		fstest.CreateDir("/etc", 0777),
+ 		fstest.CreateFile("/etc/passwd", []byte(expectedPasswd), 0777),
+ 		fstest.CreateFile("/etc/group", []byte(expectedGroup), 0777),
+ 	)
+ 	if err := apply.Apply(td); err != nil {
+ 		t.Fatalf("failed to apply: %v", err)
+ 	}
+ 	c := containers.Container{ID: t.Name()}
+ 	testCases := []struct {
+ 		user        string
+ 		expectedUID uint32
+ 		expectedGID uint32
+ 		err         string
+ 	}{
+ 		{
+ 			user:        "0",
+ 			expectedUID: 0,
+ 			expectedGID: 0,
+ 		},
+ 		{
+ 			user:        "root:root",
+ 			expectedUID: 0,
+ 			expectedGID: 0,
+ 		},
+ 		{
+ 			user:        "guest",
+ 			expectedUID: 405,
+ 			expectedGID: 100,
+ 		},
+ 		{
+ 			user:        "guest:guest",
+ 			expectedUID: 405,
+ 			expectedGID: 100,
+ 		},
+ 		{
+ 			user: "guest:nobody",
+ 			err:  "no groups found",
+ 		},
+ 		{
+ 			user:        "405:100",
+ 			expectedUID: 405,
+ 			expectedGID: 100,
+ 		},
+ 		{
+ 			user: "405:2147483648",
+ 			err:  "no groups found",
+ 		},
+ 		{
+ 			user: "-1000",
+ 			err:  "no users found",
+ 		},
+ 		{
+ 			user: "2147483648",
+ 			err:  "no users found",
+ 		},
+ 	}
+ 	for _, testCase := range testCases {
+ 		testCase := testCase
+ 		t.Run(testCase.user, func(t *testing.T) {
+ 			t.Parallel()
+ 			s := Spec{
+ 				Version: specs.Version,
+ 				Root: &specs.Root{
+ 					Path: td,
+ 				},
+ 				Linux: &specs.Linux{},
+ 			}
+ 			err := WithUser(testCase.user)(context.Background(), nil, &c, &s)
+ 			if err != nil {
+ 				assert.EqualError(t, err, testCase.err)
+ 			}
+ 			assert.Equal(t, testCase.expectedUID, s.Process.User.UID)
+ 			assert.Equal(t, testCase.expectedGID, s.Process.User.GID)
+ 		})
+ 	}
+ }
+
 func TestWithUserID(t *testing.T) {
 	t.Parallel()
 
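Review bot: the new `TestWithUser` uses `fstest`, `containers`, `context`, `specs` and `assert`, but the import block sits above the hunk's context (only the closing `)` is visible), so confirm that `spec_opts_linux_test.go` in 1.6.20~ds1 already imports all five; upstream's test file may import packages this older branch does not, and a missing one fails the whole test package at compile time. Two smaller points: the added lines again carry a stray space after the `+` before their tab indentation (gofmt), and in the error cases the test still asserts that UID and GID equal the zero-valued expectations after `WithUser` fails, which pins down that a rejected value leaves the spec at 0/0 rather than a truncated ID; a short comment saying that is intentional would help future readers.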

--- End Message ---
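As an added illustration of the defect the report above describes (this is not code from the bug report or from containerd): an unchecked integer parse followed by a `uint32` narrowing, beside the bounded parse the patch introduces. The helper names `UnsafeID`, `SafeID` and `ParseUser` are hypothetical; `ParseUser` rejects non-numeric or out-of-range parts outright instead of falling back to a name lookup as containerd's `WithUser` does, and both parsers use `strconv.ParseInt` with a 64-bit size so they behave like `Atoi` on a 64-bit build whatever the host.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Bounds adopted by the containerd fix: runc requires UID/GID <= MaxInt32,
// and negative IDs are meaningless. (Constant names are this example's own.)
const (
	minID = 0
	maxID = math.MaxInt32
)

// ErrOutOfRange is returned by SafeID for values outside [minID, maxID].
var ErrOutOfRange = errors.New("uid/gid outside 0..MaxInt32")

// parse64 behaves like strconv.Atoi on a 64-bit build, where int is 64 bits,
// so the example gives the same result on any host.
func parse64(s string) (int64, error) {
	return strconv.ParseInt(s, 10, 64)
}

// UnsafeID mirrors the pre-fix flow: whatever parses is narrowed to uint32
// with no range check. "4294967296" (2^32) parses and narrows to 0, i.e. root;
// "-1000" wraps to a large positive ID.
func UnsafeID(s string) (uint32, error) {
	v, err := parse64(s)
	if err != nil {
		return 0, err
	}
	return uint32(v), nil
}

// SafeID is the bounded parse: check the range before narrowing, so the
// uint32 value is always identical to the number the operator wrote.
func SafeID(s string) (uint32, error) {
	v, err := parse64(s)
	if err != nil {
		return 0, err
	}
	if v < minID || v > maxID {
		return 0, ErrOutOfRange
	}
	return uint32(v), nil
}

// ParseUser applies SafeID to a "uid[:gid]" string. Hypothetical helper: unlike
// containerd's WithUser it rejects anything non-numeric or out of range instead
// of falling back to a passwd/group lookup. A missing gid is reported as 0.
func ParseUser(userstr string) (uid, gid uint32, err error) {
	parts := strings.SplitN(userstr, ":", 2)
	if uid, err = SafeID(parts[0]); err != nil {
		return 0, 0, fmt.Errorf("uid %q: %w", parts[0], err)
	}
	if len(parts) == 2 {
		if gid, err = SafeID(parts[1]); err != nil {
			return 0, 0, fmt.Errorf("gid %q: %w", parts[1], err)
		}
	}
	return uid, gid, nil
}

func main() {
	// Constructed inputs: a normal ID, the boundary, one past it, 2^32 and a negative.
	for _, in := range []string{"405", "2147483647", "2147483648", "4294967296", "-1000"} {
		u, uerr := UnsafeID(in)
		s, serr := SafeID(in)
		fmt.Printf("%-11s unchecked=%-10d err=%-6v bounded=%-10d err=%v\n", in, u, uerr, s, serr)
	}
}
```

Running `main` prints one row per input; the "4294967296" row shows the unchecked path yielding 0 while the bounded path returns `ErrOutOfRange`, which is the whole point of the check the patch adds before `uint32(v)`.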
--- Begin Message ---
Source: containerd
Source-Version: 1.7.24~ds1-6
Done: Andreas Henriksson <[email protected]>

We believe that the bug you reported is fixed in the latest version of
containerd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Henriksson <[email protected]> (supplier of updated containerd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 29 Apr 2025 20:55:02 +0200
Source: containerd
Architecture: source
Version: 1.7.24~ds1-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Andreas Henriksson <[email protected]>
Closes: 1100806
Changes:
 containerd (1.7.24~ds1-6) unstable; urgency=medium
 .
   * Team upload.
   * CVE-2024-40635: large UID:GID (>32bit) can overflow, runs as root
     (Closes: #1100806)
Checksums-Sha1:
 90e1bba90367b8cd96aa8afef092fa71660ba39d 5011 containerd_1.7.24~ds1-6.dsc
 bf7a9e9751bae4fc25c434dc9ff2e12672ac1b95 35184 containerd_1.7.24~ds1-6.debian.tar.xz
 ba9c047a4c9eb7763ac613ddd5c57cba4a9e39e5 17515 containerd_1.7.24~ds1-6_arm64.buildinfo
Checksums-Sha256:
 4810a88901dd8b2601b6ef1ea36fe628efe757bca255fc28a1cf0db2f1f72be1 5011 containerd_1.7.24~ds1-6.dsc
 7a6c27864133963f81dbf05248bfa81a537ec242efb4000e6937bfb556d015f0 35184 containerd_1.7.24~ds1-6.debian.tar.xz
 f62a6acb1e354dd50eec0f93e817e4b03a0429eab791102eecb902892fc547d1 17515 containerd_1.7.24~ds1-6_arm64.buildinfo
Files:
 451cdf3ba9f8efb51239b6af78cae0db 5011 admin optional containerd_1.7.24~ds1-6.dsc
 85ebe84cc0b5462f9f617811c7db4ce5 35184 admin optional containerd_1.7.24~ds1-6.debian.tar.xz
 6b4b3fb38c08504ba8c232cfde6e2f74 17515 admin optional containerd_1.7.24~ds1-6_arm64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
