1 files changed, 61 insertions, 0 deletions
diff --git a/recipes-containers/cri-o/files/CVE-2023-6476.patch b/recipes-containers/cri-o/files/CVE-2023-6476.patch
new file mode 100644
index 00000000..baa3bb54
--- /dev/null
+++ b/recipes-containers/cri-o/files/CVE-2023-6476.patch
@@ -0,0 +1,61 @@
+From 5faee5d82556a6bf4dd1144d2a86e70d097ab200 Mon Sep 17 00:00:00 2001
+From: Peter Hunt <pehunt@redhat.com>
+Date: Thu, 7 Dec 2023 16:07:12 -0500
+Subject: [PATCH] allowed annotations: correctly filter prefixed annotations
+without this fix, a pod is able to gain access to experimental annotations that are prefixes of container names.
+The most problematic of these is io.kubernetes.cri-o.UnifiedCgroup, which allows a user to arbitrarily
+change the resources of the pod, potentially leading to OOM.
+Fixes CVE-2023-6476
+Signed-off-by: Peter Hunt <pehunt@redhat.com>
+CVE: CVE-2023-6476
+Upstream-Status: Backport [https://github.com/cri-o/cri-o/commit/5faee5d82556a6bf4dd1144d2a86e70d097ab200]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ pkg/config/workloads.go |  2 +-
+ test/workloads.bats     | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+diff --git a/pkg/config/workloads.go b/pkg/config/workloads.go
+index d5eeaf1ef..37a22fe76 100644
+--- a/pkg/config/workloads.go
+++ b/pkg/config/workloads.go
+@@ -102,7 +102,7 @@ func (w Workloads) FilterDisallowedAnnotations(allowed []string, toFilter map[st
+        for ann := range toFilter {
+                for _, d := range disallowed {
+                        if strings.HasPrefix(ann, d) {
+-                               delete(toFilter, d)
+                               delete(toFilter, ann)
+                        }
+                }
+        }
+diff --git a/test/workloads.bats b/test/workloads.bats
+index 6102d6326..0f4d6e4f0 100644
+--- a/test/workloads.bats
+++ b/test/workloads.bats
+@@ -327,3 +327,18 @@ function check_conmon_fields() {
+        df=$(crictl exec --sync "$ctr_id" df | grep /dev/shm)
+        [[ "$df" == *'16384'* ]]
+ }
+
+@test "test workload pod should not be set if annotation not specified even if prefix" {
+       start_crio
+
+       jq '   .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
+         .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
+       "$TESTDATA"/sandbox_config.json > "$sboxconfig"
+
+       jq '   .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
+         .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
+       "$TESTDATA"/container_sleep.json > "$ctrconfig"
+
+       ctr_id=$(crictl run "$ctrconfig" "$sboxconfig")
+       [[ $(crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max) != 4294967296 ]]
+}
+--
+2.40.0

diff --git a/recipes-containers/cri-o/files/CVE-2023-6476.patch b/recipes-containers/cri-o/files/CVE-2023-6476.patch new file mode 100644 index 00000000..baa3bb54 --- /dev/null +++ b/recipes-containers/cri-o/files/CVE-2023-6476.patch
@@ -0,0 +1,61 @@
	1	From 5faee5d82556a6bf4dd1144d2a86e70d097ab200 Mon Sep 17 00:00:00 2001
	2	From: Peter Hunt <pehunt@redhat.com>
	3	Date: Thu, 7 Dec 2023 16:07:12 -0500
	4	Subject: [PATCH] allowed annotations: correctly filter prefixed annotations
	5
	6	without this fix, a pod is able to gain access to experimental annotations that are prefixes of container names.
	7	The most problematic of these is io.kubernetes.cri-o.UnifiedCgroup, which allows a user to arbitrarily
	8	change the resources of the pod, potentially leading to OOM.
	9
	10	Fixes CVE-2023-6476
	11
	12	Signed-off-by: Peter Hunt <pehunt@redhat.com>
	13
	14	CVE: CVE-2023-6476
	15
	16	Upstream-Status: Backport [https://github.com/cri-o/cri-o/commit/5faee5d82556a6bf4dd1144d2a86e70d097ab200]
	17
	18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
	19	---
	20	pkg/config/workloads.go \| 2 +-
	21	test/workloads.bats \| 15 +++++++++++++++
	22	2 files changed, 16 insertions(+), 1 deletion(-)
	23
	24	diff --git a/pkg/config/workloads.go b/pkg/config/workloads.go
	25	index d5eeaf1ef..37a22fe76 100644
	26	--- a/pkg/config/workloads.go
	27	+++ b/pkg/config/workloads.go
	28	@@ -102,7 +102,7 @@ func (w Workloads) FilterDisallowedAnnotations(allowed []string, toFilter map[st
	29	for ann := range toFilter {
	30	for _, d := range disallowed {
	31	if strings.HasPrefix(ann, d) {
	32	- delete(toFilter, d)
	33	+ delete(toFilter, ann)
	34	}
	35	}
	36	}
	37	diff --git a/test/workloads.bats b/test/workloads.bats
	38	index 6102d6326..0f4d6e4f0 100644
	39	--- a/test/workloads.bats
	40	+++ b/test/workloads.bats
	41	@@ -327,3 +327,18 @@ function check_conmon_fields() {
	42	df=$(crictl exec --sync "$ctr_id" df \| grep /dev/shm)
	43	[[ "$df" == '16384' ]]
	44	}
	45	+
	46	+@test "test workload pod should not be set if annotation not specified even if prefix" {
	47	+ start_crio
	48	+
	49	+ jq ' .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" \|
	50	+ .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
	51	+ "$TESTDATA"/sandbox_config.json > "$sboxconfig"
	52	+
	53	+ jq ' .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" \|
	54	+ .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
	55	+ "$TESTDATA"/container_sleep.json > "$ctrconfig"
	56	+
	57	+ ctr_id=$(crictl run "$ctrconfig" "$sboxconfig")
	58	+ [[ $(crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max) != 4294967296 ]]
	59	+}
	60	--
	61	2.40.0