From 2ccd8b25f2fe8383f5696e1924f46fea60135fbf Mon Sep 17 00:00:00 2001
From: weiyucheng123
Date: Wed, 10 Dec 2025 16:50:32 +0800
Subject: [PATCH] fix CVE-2024-40635
---
 0008-fix-CVE-2024-40635.patch | 188 ++++++++++++++++++++++++++++++++++
 k3s-containerd.spec | 9 +-
 2 files changed, 196 insertions(+), 1 deletion(-)
 create mode 100644 0008-fix-CVE-2024-40635.patch
diff --git a/0008-fix-CVE-2024-40635.patch b/0008-fix-CVE-2024-40635.patch
new file mode 100644
index 0000000..09b123f
--- /dev/null
+++ b/0008-fix-CVE-2024-40635.patch
@@ -0,0 +1,188 @@
+From d2e8885c506d9df22c1c9b712d5539025ae9daba Mon Sep 17 00:00:00 2001
+From: weiyucheng123
+Date: Wed, 10 Dec 2025 16:11:29 +0800
+Subject: [PATCH] fix CVE-2024-40635
+
+---
+ oci/spec_opts.go | 24 ++++++++--
+ oci/spec_opts_linux_test.go | 95 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 115 insertions(+), 4 deletions(-)
+
+diff --git a/oci/spec_opts.go b/oci/spec_opts.go
+index c9e1832..c342715 100644
+--- a/oci/spec_opts.go
++++ b/oci/spec_opts.go
+@@ -22,6 +22,7 @@ import (
+ "encoding/json"
+ "errors"
+ "fmt"
++ "math"
+ "os"
+ "path/filepath"
+ "runtime"
+@@ -535,6 +536,20 @@ func WithUser(userstr string) SpecOpts {
+ defer ensureAdditionalGids(s)
+ setProcess(s)
+ s.Process.User.AdditionalGids = nil
++ // While the Linux kernel allows the max UID to be MaxUint32 - 2,
++ // and the OCI Runtime Spec has no definition about the max UID,
++ // the runc implementation is known to require the UID to be <= MaxInt32.
++ //
++ // containerd follows runc's limitation here.
++ //
++ // In future we may relax this limitation to allow MaxUint32 - 2,
++ // or, amend the OCI Runtime Spec to codify the implementation limitation.
++ const (
++ minUserID = 0
++ maxUserID = math.MaxInt32
++ minGroupID = 0
++ maxGroupID = math.MaxInt32
++ )
+
+ // For LCOW it's a bit harder to confirm that the user actually exists on the host as a rootfs isn't
+ // mounted on the host and shared into the guest, but rather the rootfs is constructed entirely in the
+@@ -551,8 +566,8 @@ func WithUser(userstr string) SpecOpts {
+ switch len(parts) {
+ case 1:
+ v, err := strconv.Atoi(parts[0])
+- if err != nil {
+- // if we cannot parse as a uint they try to see if it is a username
++ if err != nil || v < minUserID || v > maxUserID {
++ // if we cannot parse as an int32 then try to see if it is a username
+ return WithUsername(userstr)(ctx, client, c, s)
+ }
+ return WithUserID(uint32(v))(ctx, client, c, s)
+@@ -563,12 +578,13 @@ func WithUser(userstr string) SpecOpts {
+ )
+ var uid, gid uint32
+ v, err := strconv.Atoi(parts[0])
+- if err != nil {
++ if err != nil || v < minUserID || v > maxUserID {
+ username = parts[0]
+ } else {
+ uid = uint32(v)
+ }
+- if v, err = strconv.Atoi(parts[1]); err != nil {
++ v, err = strconv.Atoi(parts[1])
++ if err != nil || v < minGroupID || v > maxGroupID {
+ groupname = parts[1]
+ } else {
+ gid = uint32(v)
+diff --git a/oci/spec_opts_linux_test.go b/oci/spec_opts_linux_test.go
+index 28dfd78..f947fba 100644
+--- a/oci/spec_opts_linux_test.go
++++ b/oci/spec_opts_linux_test.go
+@@ -18,15 +18,110 @@ package oci
+
+ import (
+ "context"
++ "github.com/containerd/continuity/fs/fstest"
++ "github.com/stretchr/testify/assert"
+ "os"
+ "path/filepath"
+ "testing"
+
++ "github.com/containerd/containerd/containers"
+ "github.com/containerd/containerd/pkg/testutil"
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+ "golang.org/x/sys/unix"
+ )
+
++//nolint:gosec
++func TestWithUser(t *testing.T) {
++ t.Parallel()
++
++ expectedPasswd := `root:x:0:0:root:/root:/bin/ash
++guest:x:405:100:guest:/dev/null:/sbin/nologin
++`
++ expectedGroup := `root:x:0:root
++bin:x:1:root,bin,daemon
++daemon:x:2:root,bin,daemon
++sys:x:3:root,bin,adm
++guest:x:100:guest
++`
++ td := t.TempDir()
++ apply := fstest.Apply(
++ fstest.CreateDir("/etc", 0777),
++ fstest.CreateFile("/etc/passwd", []byte(expectedPasswd), 0777),
++ fstest.CreateFile("/etc/group", []byte(expectedGroup), 0777),
++ )
++ if err := apply.Apply(td); err != nil {
++ t.Fatalf("failed to apply: %v", err)
++ }
++ c := containers.Container{ID: t.Name()}
++ testCases := []struct {
++ user string
++ expectedUID uint32
++ expectedGID uint32
++ err string
++ }{
++ {
++ user: "0",
++ expectedUID: 0,
++ expectedGID: 0,
++ },
++ {
++ user: "root:root",
++ expectedUID: 0,
++ expectedGID: 0,
++ },
++ {
++ user: "guest",
++ expectedUID: 405,
++ expectedGID: 100,
++ },
++ {
++ user: "guest:guest",
++ expectedUID: 405,
++ expectedGID: 100,
++ },
++ {
++ user: "guest:nobody",
++ err: "no groups found",
++ },
++ {
++ user: "405:100",
++ expectedUID: 405,
++ expectedGID: 100,
++ },
++ {
++ user: "405:2147483648",
++ err: "no groups found",
++ },
++ {
++ user: "-1000",
++ err: "no users found",
++ },
++ {
++ user: "2147483648",
++ err: "no users found",
++ },
++ }
++ for _, testCase := range testCases {
++ testCase := testCase
++ t.Run(testCase.user, func(t *testing.T) {
++ t.Parallel()
++ s := Spec{
++ Version: specs.Version,
++ Root: &specs.Root{
++ Path: td,
++ },
++ Linux: &specs.Linux{},
++ }
++ err := WithUser(testCase.user)(context.Background(), nil, &c, &s)
++ if err != nil {
++ assert.EqualError(t, err, testCase.err)
++ }
++ assert.Equal(t, testCase.expectedUID, s.Process.User.UID)
++ assert.Equal(t, testCase.expectedGID, s.Process.User.GID)
++ })
++ }
++}
++
+ func TestAddCaps(t *testing.T) {
+ t.Parallel()
+
+--
+2.25.1
+
diff --git a/k3s-containerd.spec b/k3s-containerd.spec
index f94026c..7c181c0 100644
--- a/k3s-containerd.spec
+++ b/k3s-containerd.spec
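Review bot: The new TestWithUser table stops at "2147483648" and "-1000", so it never exercises a value whose uint32 truncation is 0 — the root-escalation case this bounds check is meant to close — and a case such as "4294967296" (and "0:4294967296" for the gid path) would pin that regression directly; the expected messages below follow the existing "405:2147483648" and "2147483648" cases and are produced by code outside the hunk, so confirm them on a run. The error branch `if err != nil { assert.EqualError(t, err, testCase.err) }` also passes silently when an expected error is not returned and, for the current cases, only fails indirectly through the UID/GID asserts; branching on `testCase.err` makes the expectation explicit. Minor: `fstest` and `testify/assert` are inserted into the stdlib import group instead of the third-party group below it. WithUser's body begins and ends outside the two spec_opts.go hunks.
```go
// … unchanged: existing TestWithUser table entries …
		{
			user: "4294967296", // uint32(4294967296) == 0: must not resolve to root
			err:  "no users found",
		},
		{
			user: "0:4294967296",
			err:  "no groups found",
		},
// … unchanged: loop and Spec setup …
			err := WithUser(testCase.user)(context.Background(), nil, &c, &s)
			if testCase.err != "" {
				assert.EqualError(t, err, testCase.err)
			} else {
				assert.NoError(t, err)
			}
// … unchanged: UID/GID assertions …
```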
@@ -3,7 +3,7 @@ %global version_suffix k3s1 Version: 1.6.6 Name: k3s-containerd -Release: 11 +Release: 12 Summary: An industry-standard container runtime License: Apache 2.0 URL: https://github.com/k3s-io/containerd @@ -19,6 +19,7 @@ Patch0004: 0004-fix-CVE-2023-25173.patch Patch0005: 0005-fix-CVE-2023-39325.patch Patch0006: 0006-fix-CVE-2022-41723.patch Patch0007: 0007-fix-CVE-2024-24786.patch +Patch0008: 0008-fix-CVE-2024-40635.patch BuildRequires: golang glibc-static make btrfs-progs-devel @@ -83,6 +84,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib %changelog +* Wed Dec 10 2025 weiyucheng - 1.6.6-12 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: fix CVE-2024-40635 + * Mon Mar 25 2024 zhangbowei - 1.6.6-k3s1-11 - Type:bugfix - CVE:NA -- Gitee
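Review bot: The new changelog entry records `- CVE:NA` while its own DESC line reads `fix CVE-2024-40635`; the CVE field is what advisory tooling matches on, so it should carry the identifier, e.g. `- CVE:CVE-2024-40635`. The Release bump and the `Patch0008:` line are consistent with the patch file added in the same commit.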