Fix CVE-2018-6556: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556 https://bugzilla.suse.com/show_bug.cgi?id=988348#c8 Patch copied from upstream source repository: https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032 From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Wed, 25 Jul 2018 19:56:54 +0200 Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic Signed-off-by: Christian Brauner --- src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++--- src/lxc/utils.c | 12 ++++++++++++ src/lxc/utils.h | 5 +++++ 3 files changed, 49 insertions(+), 3 deletions(-) diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c index ec9cd97e0..c5beb6c8d 100644 --- a/src/lxc/cmd/lxc_user_nic.c +++ b/src/lxc/cmd/lxc_user_nic.c @@ -1179,12 +1179,41 @@ int main(int argc, char *argv[]) exit(EXIT_FAILURE); } } else if (request == LXC_USERNIC_DELETE) { - netns_fd = open(args.pid, O_RDONLY); + char opath[LXC_PROC_PID_FD_LEN]; + + /* Open the path with O_PATH which will not trigger an actual + * open(). Don't report an errno to the caller to not leak + * information whether the path exists or not. + * When stracing setuid is stripped so this is not a concern + * either. + */ + netns_fd = open(args.pid, O_PATH | O_CLOEXEC); if (netns_fd < 0) { - usernic_error("Could not open \"%s\": %s\n", args.pid, - strerror(errno)); + usernic_error("Failed to open \"%s\"\n", args.pid); + exit(EXIT_FAILURE); + } + + if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { + usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); + close(netns_fd); + exit(EXIT_FAILURE); + } + + ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd); + if (re
|| (size_t)ret >= sizeof(opath)) {
+			close(netns_fd);
+			exit(EXIT_FAILURE);
+		}
+
+		/* Now get an fd that we can use in setns() calls. */
+		ret = open(opath, O_RDONLY | O_CLOEXEC);
+		if (ret < 0) {
+			usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
+			close(netns_fd);
 			exit(EXIT_FAILURE);
 		}
+		close(netns_fd);
+		netns_fd = ret;
 	}
 
 	if (!create_db_dir(LXC_USERNIC_DB)) {
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 530b1f81a..3b854e35b 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
 	return has_type;
 }
 
+bool fhas_fs_type(int fd, fs_type_magic magic_val)
+{
+	int ret;
+	struct statfs sb;
+
+	ret = fstatfs(fd, &sb);
+	if (ret < 0)
+		return false;
+
+	return is_fs_type(&sb, magic_val);
+}
+
 bool lxc_nic_exists(char *nic)
 {
 #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index 6a0bebded..0805f5d0d 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -95,6 +95,10 @@
 #define CGROUP2_SUPER_MAGIC 0x63677270
 #endif
 
+#ifndef NSFS_MAGIC
+#define NSFS_MAGIC 0x6e736673
+#endif
+
 /* Useful macros */
 /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
 #define LXC_NUMSTRLEN64 21
@@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz);
 /* __typeof__ should be safe to use with all compilers. */
 typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
 extern bool has_fs_type(const char *path, fs_type_magic magic_val);
+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
 extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
 extern bool lxc_nic_exists(char *nic);
 extern int lxc_make_tmpfile(char *template, bool rm);