Validate fds created by the user
write_mapping() will do the following: openat(proc_dir_fd, map_file, O_WRONLY); An attacker could create a directory containing a symlink named "uid_map" pointing to any file owned by root, and thus allow him to overwrite any root-owned file.
This commit is contained in:
Vinícius dos Santos Oliveira
Serge Hallyn
parent
7ff33fae6f
commit
05e2adf509
|
|
@ -41,6 +41,8 @@ int get_pidfd_from_fd(const char *pidfdstr)
|
||||||
{
|
{
|
||||||
long long int val;
|
long long int val;
|
||||||
char *endptr;
|
char *endptr;
|
||||||
|
struct stat st;
|
||||||
|
dev_t proc_st_dev, proc_st_rdev;
|
||||||
|
|
||||||
errno = 0;
|
errno = 0;
|
||||||
val = strtoll (pidfdstr, &endptr, 10);
|
val = strtoll (pidfdstr, &endptr, 10);
|
||||||
|
|
@ -51,6 +53,21 @@ int get_pidfd_from_fd(const char *pidfdstr)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (stat("/proc/self/uid_map", &st) < 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
proc_st_dev = st.st_dev;
|
||||||
|
proc_st_rdev = st.st_rdev;
|
||||||
|
|
||||||
|
if (fstat(val, &st) < 0) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
return (int)val;
|
return (int)val;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue