1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
Fix CVE-2018-6556:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556
https://bugzilla.suse.com/show_bug.cgi?id=988348#c8
Patch copied from upstream source repository:
https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032
From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Wed, 25 Jul 2018 19:56:54 +0200
Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
src/lxc/utils.c | 12 ++++++++++++
src/lxc/utils.h | 5 +++++
3 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
index ec9cd97e0..c5beb6c8d 100644
--- a/src/lxc/cmd/lxc_user_nic.c
+++ b/src/lxc/cmd/lxc_user_nic.c
@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
} else if (request == LXC_USERNIC_DELETE) {
- netns_fd = open(args.pid, O_RDONLY);
+ char opath[LXC_PROC_PID_FD_LEN];
+
+ /* Open the path with O_PATH which will not trigger an actual
+ * open(). Don't report an errno to the caller to not leak
+ * information whether the path exists or not.
+ * When stracing setuid is stripped so this is not a concern
+ * either.
+ */
+ netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
if (netns_fd < 0) {
- usernic_error("Could not open \"%s\": %s\n", args.pid,
- strerror(errno));
+ usernic_error("Failed to open \"%s\"\n", args.pid);
+ exit(EXIT_FAILURE);
+ }
+
+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
+ close(netns_fd);
+ exit(EXIT_FAILURE);
+ }
+
+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
+ if (ret < 0 || (size_t)ret >= sizeof(opath)) {
+ close(netns_fd);
+ exit(EXIT_FAILURE);
+ }
+
+ /* Now get an fd that we can use in setns() calls. */
+ ret = open(opath, O_RDONLY | O_CLOEXEC);
+ if (ret < 0) {
+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
+ close(netns_fd);
exit(EXIT_FAILURE);
}
+ close(netns_fd);
+ netns_fd = ret;
}
if (!create_db_dir(LXC_USERNIC_DB)) {
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 530b1f81a..3b854e35b 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
return has_type;
}
+bool fhas_fs_type(int fd, fs_type_magic magic_val)
+{
+ int ret;
+ struct statfs sb;
+
+ ret = fstatfs(fd, &sb);
+ if (ret < 0)
+ return false;
+
+ return is_fs_type(&sb, magic_val);
+}
+
bool lxc_nic_exists(char *nic)
{
#define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index 6a0bebded..0805f5d0d 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -95,6 +95,10 @@
#define CGROUP2_SUPER_MAGIC 0x63677270
#endif
+#ifndef NSFS_MAGIC
+#define NSFS_MAGIC 0x6e736673
+#endif
+
/* Useful macros */
/* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
#define LXC_NUMSTRLEN64 21
@@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz);
/* __typeof__ should be safe to use with all compilers. */
typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
extern bool has_fs_type(const char *path, fs_type_magic magic_val);
+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
extern bool lxc_nic_exists(char *nic);
extern int lxc_make_tmpfile(char *template, bool rm);
|