Does CVE-2024-21626 only affect systems that support openat2?

[payall4u]

Runc supports opening the sub-path of cgroup through openat2 in a certain version. The logic is as follows:

1. Try to open /sys/fs/cgroup with syscall openat2
2. If the opening is successful, it means that the system supports openat2, save the file descriptor to a global variable, and subsequently call openat2(cgroupFd, subpath) to open the cgroup subpath.
3. If the opening fails, it means that the system most likely does not support openat2 and will not save the FD, and subsequent cgroup openings will fall back to the open system call.

Does it mean that if the system without supporting openat2 will not be attacked?

We have a large number of nodes with runc 1.1.4. I want to confirm whether it needs to be upgraded. Thanks.

[lifubang]

I think no, there were two fd leaks, the other one is here: 506552a

If you are concerned about the compatibility, you can use a minimum patch in 1.1.4 like this PR: lifubang#63

[vsxen]

Although this fd is not closed but there is no bug,

Because os.Open(defaultCgroupRoot) has the O_CLOEXEC flag

https://github.com/golang/go/blob/master/src/os/file_unix.go#L272

I think runc may not have version compatibility issues.

[lifubang]

Yes, you are right. Thanks. What I mean it’s that we may need to do more tests if we just only upgrade Runc from 1.1.4 to 1.1.12, the span of version upgrade is too large. Maybe we should upgrade containerd and other related upstream projects as well. But if you have test it and there is no compatibility issues, I think you can upgrade Runc to 1.1.12 ASAP.

[cyphar]

There were several other internal fd leaks we fixed, as well as adding hardening that will ensure future fd leaks won't cause issues in the future. In addition, runc 1.1.4 is also vulnerable to three different CVEs that we fixed in 1.1.5 (CVE-2023-25809, CVE-2023-27561, CVE-2023-28642). I would strongly suggest that you always upgrade to the latest version of runc as soon as possible, because we do not provide support for older versions.

Closing, since I believe your question has been answered.