docker-moby: Fix CVE-2024-36621

moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-36621 Upstream-patch: https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Praveen Kumar <praveen.kumar@windriver.com> 2025-03-26 19:50:08 +0000
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2025-04-02 02:21:37 +0000
commit: 5dfb3a6b222beb4239b1f62db6caa4868e2e9d46 (patch)
tree: d0fd75eac3d5b73676992e2f8b594d24be61858b
parent: 2bfcc55701824f37bf2d0dc3ef5f719d22e9919f (diff)
download: meta-virtualization-5dfb3a6b222beb4239b1f62db6caa4868e2e9d46.tar.gz
2 files changed, 84 insertions, 0 deletions
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index a1879ed2..d274b002 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -57,6 +57,7 @@ SRC_URI = "\
        file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
        file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
        file://CVE-2024-36620.patch;patchdir=src/import \
+        file://CVE-2024-36621.patch;patchdir=src/import \
        "
 DOCKER_COMMIT = "${SRCREV_moby}"
diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch
new file mode 100644
index 00000000..a6c06ef2
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2024-36621.patch
@@ -0,0 +1,83 @@
+From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+CVE: CVE-2024-36621
+Upstream-Status:
+Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ .../builder-next/adapters/snapshot/layer.go   |  3 +++
+ .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
+index 73120ea70b..fc83058339 100644
+--- a/builder/builder-next/adapters/snapshot/layer.go
+++ b/builder/builder-next/adapters/snapshot/layer.go
+@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
+ }
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
+       s.layerCreateLocker.Lock(key)
+       defer s.layerCreateLocker.Unlock(key)
+
+        diffIDs, err := s.GetDiffIDs(ctx, key)
+        if err != nil {
+                return nil, err
+diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
+index a0d28ad984..510ffefb49 100644
+--- a/builder/builder-next/adapters/snapshot/snapshot.go
+++ b/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -17,6 +17,7 @@ import (
+        "github.com/moby/buildkit/identity"
+        "github.com/moby/buildkit/snapshot"
+        "github.com/moby/buildkit/util/leaseutil"
+       "github.com/moby/locker"
+        "github.com/opencontainers/go-digest"
+        "github.com/pkg/errors"
+        bolt "go.etcd.io/bbolt"
+@@ -51,10 +52,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+        opt Opt
+-       refs map[string]layer.Layer
+-       db   *bolt.DB
+-       mu   sync.Mutex
+-       reg  graphIDRegistrar
+       refs              map[string]layer.Layer
+       db                *bolt.DB
+       mu                sync.Mutex
+       reg               graphIDRegistrar
+       layerCreateLocker *locker.Locker
+ }
+ // NewSnapshotter creates a new snapshotter
+@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
+        }
+        s := &snapshotter{
+-               opt:  opt,
+-               db:   db,
+-               refs: map[string]layer.Layer{},
+-               reg:  reg,
+               opt:               opt,
+               db:                db,
+               refs:              map[string]layer.Layer{},
+               reg:               reg,
+               layerCreateLocker: locker.New(),
+        }
+        slm := newLeaseManager(s, prevLM)
+--
+2.40.0
author	Praveen Kumar <praveen.kumar@windriver.com>	2025-03-26 19:50:08 +0000
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2025-04-02 02:21:37 +0000
commit	5dfb3a6b222beb4239b1f62db6caa4868e2e9d46 (patch)
tree	d0fd75eac3d5b73676992e2f8b594d24be61858b
parent	2bfcc55701824f37bf2d0dc3ef5f719d22e9919f (diff)
download	meta-virtualization-5dfb3a6b222beb4239b1f62db6caa4868e2e9d46.tar.gz

diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index a1879ed2..d274b002 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb
@@ -57,6 +57,7 @@ SRC_URI = "\
57	file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \	57	file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
58	file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \	58	file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
59	file://CVE-2024-36620.patch;patchdir=src/import \	59	file://CVE-2024-36620.patch;patchdir=src/import \
		60	file://CVE-2024-36621.patch;patchdir=src/import \
60	"	61	"
61		62
62	DOCKER_COMMIT = "${SRCREV_moby}"	63	DOCKER_COMMIT = "${SRCREV_moby}"


diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch new file mode 100644 index 00000000..a6c06ef2 --- /dev/null +++ b/recipes-containers/docker/files/CVE-2024-36621.patch
@@ -0,0 +1,83 @@
		1	From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
		2	From: Tonis Tiigi <tonistiigi@gmail.com>
		3	Date: Wed, 6 Mar 2024 23:11:32 -0800
		4	Subject: [PATCH] builder-next: fix missing lock in ensurelayer
		5
		6	When this was called concurrently from the moby image
		7	exporter there could be a data race where a layer was
		8	written to the refs map when it was already there.
		9
		10	In that case the reference count got mixed up and on
		11	release only one of these layers was actually released.
		12
		13	CVE: CVE-2024-36621
		14
		15	Upstream-Status:
		16	Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]
		17
		18	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		19	---
		20	.../builder-next/adapters/snapshot/layer.go \| 3 +++
		21	.../adapters/snapshot/snapshot.go \| 19 +++++++++++--------
		22	2 files changed, 14 insertions(+), 8 deletions(-)
		23
		24	diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
		25	index 73120ea70b..fc83058339 100644
		26	--- a/builder/builder-next/adapters/snapshot/layer.go
		27	+++ b/builder/builder-next/adapters/snapshot/layer.go
		28	@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
		29	}
		30
		31	func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
		32	+ s.layerCreateLocker.Lock(key)
		33	+ defer s.layerCreateLocker.Unlock(key)
		34	+
		35	diffIDs, err := s.GetDiffIDs(ctx, key)
		36	if err != nil {
		37	return nil, err
		38	diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
		39	index a0d28ad984..510ffefb49 100644
		40	--- a/builder/builder-next/adapters/snapshot/snapshot.go
		41	+++ b/builder/builder-next/adapters/snapshot/snapshot.go
		42	@@ -17,6 +17,7 @@ import (
		43	"github.com/moby/buildkit/identity"
		44	"github.com/moby/buildkit/snapshot"
		45	"github.com/moby/buildkit/util/leaseutil"
		46	+ "github.com/moby/locker"
		47	"github.com/opencontainers/go-digest"
		48	"github.com/pkg/errors"
		49	bolt "go.etcd.io/bbolt"
		50	@@ -51,10 +52,11 @@ type checksumCalculator interface {
		51	type snapshotter struct {
		52	opt Opt
		53
		54	- refs map[string]layer.Layer
		55	- db *bolt.DB
		56	- mu sync.Mutex
		57	- reg graphIDRegistrar
		58	+ refs map[string]layer.Layer
		59	+ db *bolt.DB
		60	+ mu sync.Mutex
		61	+ reg graphIDRegistrar
		62	+ layerCreateLocker *locker.Locker
		63	}
		64
		65	// NewSnapshotter creates a new snapshotter
		66	@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
		67	}
		68
		69	s := &snapshotter{
		70	- opt: opt,
		71	- db: db,
		72	- refs: map[string]layer.Layer{},
		73	- reg: reg,
		74	+ opt: opt,
		75	+ db: db,
		76	+ refs: map[string]layer.Layer{},
		77	+ reg: reg,
		78	+ layerCreateLocker: locker.New(),
		79	}
		80
		81	slm := newLeaseManager(s, prevLM)
		82	--
		83	2.40.0