lxc/lxc-1.1.2-fix-CVE-2015-1331.patch

114 lines
3.4 KiB
Diff
Raw Normal View History

From f50da74a71f2c33f869e6da15f131bf5c9174c12 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Fri, 3 Jul 2015 09:26:17 -0500
Subject: [PATCH 1/2] CVE-2015-1331: lxclock: use /run/lxc/lock rather than
/run/lock/lxc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This prevents an unprivileged user to use LXC to create arbitrary file
on the filesystem.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
---
src/lxc/lxclock.c | 47 ++++++++++-------------------------------------
src/tests/locktests.c | 2 +-
2 files changed, 11 insertions(+), 38 deletions(-)
diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
index fe13898..e9e95f7 100644
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n)
char *rundir;
/* lockfile will be:
- * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root
+ * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root
* or
- * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root
+ * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root
*/
- /* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */
- len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3;
+ /* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */
+ len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3;
rundir = get_rundir();
if (!rundir)
return NULL;
@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n)
return NULL;
}
- ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p);
+ ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p);
if (ret < 0 || ret >= len) {
free(dest);
free(rundir);
@@ -128,40 +128,13 @@ static char *lxclock_name(const char *p, const char *n)
}
ret = mkdir_p(dest, 0755);
if (ret < 0) {
- /* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." + $lxcname + '\0'
- * * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1)
- * * lxcpath always starts with '/'
- */
- int l2 = 22 + strlen(n) + strlen(p);
- if (l2 > len) {
- char *d;
- d = realloc(dest, l2);
- if (!d) {
- free(dest);
- free(rundir);
- return NULL;
- }
- len = l2;
- dest = d;
- }
- ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p);
- if (ret < 0 || ret >= len) {
- free(dest);
- free(rundir);
- return NULL;
- }
- ret = mkdir_p(dest, 0755);
- if (ret < 0) {
- free(dest);
- free(rundir);
- return NULL;
- }
- ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n);
- } else
- ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n);
+ free(dest);
+ free(rundir);
+ return NULL;
+ }
+ ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n);
free(rundir);
-
if (ret < 0 || ret >= len) {
free(dest);
return NULL;
diff --git a/src/tests/locktests.c b/src/tests/locktests.c
index dd3393a..233ca12 100644
--- a/src/tests/locktests.c
+++ b/src/tests/locktests.c
@@ -122,7 +122,7 @@ int main(int argc, char *argv[])
exit(1);
}
struct stat sb;
- char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/";
+ char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/";
ret = stat(pathname, &sb);
if (ret != 0) {
fprintf(stderr, "%d: filename %s not created\n", __LINE__,
--
2.4.3