From 3e4dba95e6b5f5f68d0b3a5899b106c89da59428 Mon Sep 17 00:00:00 2001
From: Archana Polampalli
Date: Fri, 11 Jul 2025 17:07:22 +0530
Subject: cri-o: fix CVE-2023-6476

A flaw was found in CRI-O that involves an experimental annotation leading to a container being unconfined. This may allow a pod to specify and get any amount of memory/cpu, circumventing the kubernetes scheduler and potentially resulting in a denial of service in the node.

Signed-off-by: Archana Polampalli
Signed-off-by: Bruce Ashfield
---
 recipes-containers/cri-o/cri-o_git.bb | 1 +
 recipes-containers/cri-o/files/CVE-2023-6476.patch | 61 ++++++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 recipes-containers/cri-o/files/CVE-2023-6476.patch

diff --git a/recipes-containers/cri-o/cri-o_git.bb b/recipes-containers/cri-o/cri-o_git.bb
index 429c49a7..1e8353f8 100644
--- a/recipes-containers/cri-o/cri-o_git.bb
+++ b/recipes-containers/cri-o/cri-o_git.bb
@@ -20,6 +20,7 @@ SRC_URI = "\
 file://0001-Makefile-force-symlinks.patch \
 file://crio.conf \
 file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/import/vendor/github.com/containers/storage \
+ file://CVE-2023-6476.patch;patchdir=src/import \
 "
 
 # Apache-2.0 for docker
diff --git a/recipes-containers/cri-o/files/CVE-2023-6476.patch b/recipes-containers/cri-o/files/CVE-2023-6476.patch
new file mode 100644
index 00000000..baa3bb54
--- /dev/null
+++ b/recipes-containers/cri-o/files/CVE-2023-6476.patch
@@ -0,0 +1,61 @@
+From 5faee5d82556a6bf4dd1144d2a86e70d097ab200 Mon Sep 17 00:00:00 2001
+From: Peter Hunt
+Date: Thu, 7 Dec 2023 16:07:12 -0500
+Subject: [PATCH] allowed annotations: correctly filter prefixed annotations
+
+without this fix, a pod is able to gain access to experimental annotations that are prefixes of container names.
+The most problematic of these is io.kubernetes.cri-o.UnifiedCgroup, which allows a user to arbitrarily
+change the resources of the pod, potentially leading to OOM.
+
+Fixes CVE-2023-6476
+
+Signed-off-by: Peter Hunt
+
+CVE: CVE-2023-6476
+
+Upstream-Status: Backport [https://github.com/cri-o/cri-o/commit/5faee5d82556a6bf4dd1144d2a86e70d097ab200]
+
+Signed-off-by: Archana Polampalli
+---
+ pkg/config/workloads.go | 2 +-
+ test/workloads.bats | 15 +++++++++++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/config/workloads.go b/pkg/config/workloads.go
+index d5eeaf1ef..37a22fe76 100644
+--- a/pkg/config/workloads.go
++++ b/pkg/config/workloads.go
+@@ -102,7 +102,7 @@ func (w Workloads) FilterDisallowedAnnotations(allowed []string, toFilter map[st
+ for ann := range toFilter {
+ for _, d := range disallowed {
+ if strings.HasPrefix(ann, d) {
+- delete(toFilter, d)
++ delete(toFilter, ann)
+ }
+ }
+ }
+diff --git a/test/workloads.bats b/test/workloads.bats
+index 6102d6326..0f4d6e4f0 100644
+--- a/test/workloads.bats
++++ b/test/workloads.bats
+@@ -327,3 +327,18 @@ function check_conmon_fields() {
+ df=$(crictl exec --sync "$ctr_id" df | grep /dev/shm)
+ [[ "$df" == *'16384'* ]]
+ }
++
++@test "test workload pod should not be set if annotation not specified even if prefix" {
++ start_crio
++
++ jq ' .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
++ .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
++ "$TESTDATA"/sandbox_config.json > "$sboxconfig"
++
++ jq ' .annotations["io.kubernetes.cri-o.UnifiedCgroup.podsandbox-sleep"] = "memory.max=4294967296" |
++ .labels["io.kubernetes.container.name"] = "podsandbox-sleep"' \
++ "$TESTDATA"/container_sleep.json > "$ctrconfig"
++
++ ctr_id=$(crictl run "$ctrconfig" "$sboxconfig")
++ [[ $(crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max) != 4294967296 ]]
++}
+--
+2.40.0
-- cgit v1.2.3-54-g00ecf
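Review bot: The regression test's final assertion, `[[ $(crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max) != 4294967296 ]]`, passes vacuously whenever the exec fails — a cgroup v1 host without `/sys/fs/cgroup/memory.max`, or any exec error, yields empty output, which is trivially `!= 4294967296`, so the test cannot distinguish "annotation correctly filtered" from "could not read the cgroup". Capturing status and output pins the behaviour: `run crictl exec "$ctr_id" cat /sys/fs/cgroup/memory.max`, `[ "$status" -eq 0 ]`, `[[ "$output" != "4294967296" ]]`. Whether CI always runs on cgroup v2 is not visible from this patch, so the gap may be theoretical, but it makes the test self-checking either way. In the workloads.go hunk the corrected `delete(toFilter, ann)` is the right fix (the old code removed the prefix key `d`, which never existed in `toFilter`, so prefixed annotations like `io.kubernetes.cri-o.UnifiedCgroup.<name>` survived); a `break` after the delete would make the intent explicit, since the remaining prefixes are now compared against an already-deleted key. `FilterDisallowedAnnotations` begins and ends outside the hunk, so any other callers or bypasses of this filter are not reviewable here.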