Fix CVE-2018-6556: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556 https://bugzilla.suse.com/show_bug.cgi?id=988348#c8 Patch copied from upstream source repository: https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032 From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Wed, 25 Jul 2018 19:56:54 +0200 Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic Signed-off-by: Christian Brauner --- src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++--- src/lxc/utils.c | 12 ++++++++++++ src/lxc/utils.h | 5 +++++ 3 files changed, 49 insertions(+), 3 deletions(-) diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c index ec9cd97e0..c5beb6c8d 100644 --- a/src/lxc/cmd/lxc_user_nic.c +++ b/src/lxc/cmd/lxc_user_nic.c @@ -1179,12 +1179,41 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } } else if (request == LXC_USERNIC_DELETE) { - netns_fd = open(args.pid, O_RDONLY); + char opath[LXC_PROC_PID_FD_LEN]; + + /* Open the path with O_PATH which will not trigger an actual + * open(). Don't report an errno to the caller to not leak + * information whether the path exists or not. + * When stracing setuid is stripped so this is not a concern + * either. + */ + netns_fd = open(args.pid, O_PATH | O_CLOEXEC); if (netns_fd < 0) { - usernic_error("Could not open \"%s\": %s\n", args.pid, - strerror(errno)); + usernic_error("Failed to open \"%s\"\n", args.pid); + exit(EXIT_FAILURE); + } + + if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { + usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); + close(netns_fd); + exit(EXIT_FAILURE); + } + + ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd); + if (ret < 0 || (size_t)ret >= sizeof(opath)) { + close(netns_fd); + exit(EXIT_FAILURE); + } + + /* Now get an fd that we can use in setns() calls. */ + ret = open(opath, O_RDONLY | O_CLOEXEC); + if (ret < 0) { + usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno)); + close(netns_fd); exit(EXIT_FAILURE); } + close(netns_fd); + netns_fd = ret; } if (!create_db_dir(LXC_USERNIC_DB)) { diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 530b1f81a..3b854e35b 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val) return has_type; } +bool fhas_fs_type(int fd, fs_type_magic magic_val) +{ + int ret; + struct statfs sb; + + ret = fstatfs(fd, &sb); + if (ret < 0) + return false; + + return is_fs_type(&sb, magic_val); +} + bool lxc_nic_exists(char *nic) { #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1 diff --git a/src/lxc/utils.h b/src/lxc/utils.h index 6a0bebded..0805f5d0d 100644 --- a/src/lxc/utils.h +++ b/src/lxc/utils.h @@ -95,6 +95,10 @@ #define CGROUP2_SUPER_MAGIC 0x63677270 #endif +#ifndef NSFS_MAGIC +#define NSFS_MAGIC 0x6e736673 +#endif + /* Useful macros */ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */ #define LXC_NUMSTRLEN64 21 @@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz); /* __typeof__ should be safe to use with all compilers. */ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic; extern bool has_fs_type(const char *path, fs_type_magic magic_val); +extern bool fhas_fs_type(int fd, fs_type_magic magic_val); extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val); extern bool lxc_nic_exists(char *nic); extern int lxc_make_tmpfile(char *template, bool rm);