From 05e2adf509ba0e3779dae66a276b86927a8e1e0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vin=C3=ADcius=20dos=20Santos=20Oliveira?=
Date: Fri, 24 Feb 2023 18:06:02 -0300
Subject: [PATCH] Validate fds created by the user

write_mapping() will do the following:
openat(proc_dir_fd, map_file, O_WRONLY);
An attacker could create a directory containing a symlink named "uid_map" pointing to any file owned by root, and thus allow him to overwrite any root-owned file.
---
 lib/get_pid.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/get_pid.c b/lib/get_pid.c
index 5b6d9da4..8e5e6014 100644
--- a/lib/get_pid.c
+++ b/lib/get_pid.c
@@ -41,6 +41,8 @@ int get_pidfd_from_fd(const char *pidfdstr)
 {
 long long int val;
 char *endptr;
+struct stat st;
+dev_t proc_st_dev, proc_st_rdev;
 
 errno = 0;
 val = strtoll (pidfdstr, &endptr, 10);
@@ -51,6 +53,21 @@ int get_pidfd_from_fd(const char *pidfdstr)
 return -1;
 }
 
+if (stat("/proc/self/uid_map", &st) < 0) {
+return -1;
+}
+
+proc_st_dev = st.st_dev;
+proc_st_rdev = st.st_rdev;
+
+if (fstat(val, &st) < 0) {
+return -1;
+}
+
+if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev) {
+return -1;
+}
+
 return (int)val;
 }
 
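Review bot: The check added in the second hunk proves only that the fd lives on the same filesystem as /proc/self/uid_map; it never confirms that the fd is a directory, which the openat(proc_dir_fd, "uid_map") call described in the commit message presumably relies on, so the comparison line should become `if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev || !S_ISDIR(st.st_mode)) {` since st is already filled by fstat(). The st_rdev comparison looks like it is always 0 == 0 for procfs files and directories and adds nothing over st_dev, though it is harmless. fstat() is handed val, a long long, and narrows it implicitly; whatever range check makes that safe is outside this hunk, so `if (fstat((int)val, &st) < 0) {` would make the intent explicit and match the existing `return (int)val;`. A comment such as `/* Only accept fds on procfs: a caller-controlled directory could hold a "uid_map" symlink to a root-owned file. */` above the stat() call would keep the reason visible in the code itself; the function's head and the rest of its body lie outside this hunk.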