From f50da74a71f2c33f869e6da15f131bf5c9174c12 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Fri, 3 Jul 2015 09:26:17 -0500
Subject: [PATCH 1/2] CVE-2015-1331: lxclock: use /run/lxc/lock rather than
/run/lock/lxc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This prevents an unprivileged user from using LXC to create arbitrary files
on the filesystem.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
---
src/lxc/lxclock.c | 47 ++++++++++-------------------------------------
src/tests/locktests.c | 2 +-
2 files changed, 11 insertions(+), 38 deletions(-)
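diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
index fe13898..e9e95f7 100644
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n)
 char *rundir;
 
 /* lockfile will be:
- * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root
+ * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root
 * or
- * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root
+ * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root
 */
 
- /* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */
- len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3;
+ /* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */
+ len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3;
 rundir = get_rundir();
 if (!rundir)
 return NULL;
@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n)
 return NULL;
 }
 
- ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p);
+ ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p);
 if (ret < 0 || ret >= len) {
 free(dest);
 free(rundir);
@@ -128,40 +128,13 @@ static char *lxclock_name(const char *p, const char *n)
 }
 ret = mkdir_p(dest, 0755);
 if (ret < 0) {
- /* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." + $lxcname + '\0'
- * * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1)
- * * lxcpath always starts with '/'
- */
- int l2 = 22 + strlen(n) + strlen(p);
- if (l2 > len) {
- char *d;
- d = realloc(dest, l2);
- if (!d) {
- free(dest);
- free(rundir);
- return NULL;
- }
- len = l2;
- dest = d;
- }
- ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p);
- if (ret < 0 || ret >= len) {
- free(dest);
- free(rundir);
- return NULL;
- }
- ret = mkdir_p(dest, 0755);
- if (ret < 0) {
- free(dest);
- free(rundir);
- return NULL;
- }
- ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n);
- } else
- ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n);
+ free(dest);
+ free(rundir);
+ return NULL;
+ }
 
+ ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n);
 free(rundir);
-
 if (ret < 0 || ret >= len) {
 free(dest);
 return NULL;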
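Review bot: The new failure branch after `ret = mkdir_p(dest, 0755);` in the third hunk returns NULL without recording why, and with the /tmp fallback gone a missing or unwritable lock directory under rundir now makes every lock acquisition fail with no diagnostic. Logging the errno before the two frees, e.g. `SYSERROR("failed to create lock directory %s", dest);` (assuming the file's log macros are in scope here), would make such deployments debuggable. The first two hunks only carry the path rename; note that the `len` computation in the first hunk does not include `strlen(rundir)`, which is presumably added between the first and second hunks and is worth confirming. lxclock_name starts before the first hunk and its body continues past the last one.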
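diff --git a/src/tests/locktests.c b/src/tests/locktests.c
index dd3393a..233ca12 100644
--- a/src/tests/locktests.c
+++ b/src/tests/locktests.c
@@ -122,7 +122,7 @@ int main(int argc, char *argv[])
 exit(1);
 }
 struct stat sb;
- char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/";
+ char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/";
 ret = stat(pathname, &sb);
 if (ret != 0) {
 fprintf(stderr, "%d: filename %s not created\n", __LINE__,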
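Review bot: The check following `ret = stat(pathname, &sb);` only verifies that the lock directory exists at the new path; it does not verify the property this fix appears to rely on, namely that the directory is owned by the calling uid and is not writable by others. Extending the test on `sb` with something like `if (sb.st_uid != geteuid() || (sb.st_mode & (S_IWGRP | S_IWOTH)))` reporting a failure would catch a regression back to a shared, writable location. main starts before the hunk and continues past it.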
--
2.4.3