Attachment 3325 Details for Bug 8615 – the fix

[patch] the fix

util-linux-2.21.1-CVE-2013-0157.diff (text/plain), 4.41 KB, created by Oden Eriksson on 2013-01-06 22:17:26 CET

(hide)

Description:

Filename:

MIME Type:

Creator: Oden Eriksson

Created: 2013-01-06 22:17:26 CET

Size: 4.41 KB

patch

obsolete

>diff -Naurp util-linux-2.21.1/include/canonicalize.h util-linux-2.21.1.oden/include/canonicalize.h
>--- util-linux-2.21.1/include/canonicalize.h	2011-12-18 21:28:28.236831903 +0100
>+++ util-linux-2.21.1.oden/include/canonicalize.h	2013-01-06 21:55:00.090213714 +0100
>@@ -4,6 +4,7 @@
> #include "c.h"	/* for PATH_MAX */
> 
> extern char *canonicalize_path(const char *path);
>+extern char *canonicalize_path_restricted(const char *path);
> extern char *canonicalize_dm_name(const char *ptname);
> 
> #endif /* CANONICALIZE_H */
>diff -Naurp util-linux-2.21.1/lib/canonicalize.c util-linux-2.21.1.oden/lib/canonicalize.c
>--- util-linux-2.21.1/lib/canonicalize.c	2012-03-26 10:13:26.575142777 +0200
>+++ util-linux-2.21.1.oden/lib/canonicalize.c	2013-01-06 22:01:36.539203861 +0100
>@@ -188,6 +188,48 @@ canonicalize_path(const char *path)
> 	return strdup(canonical);
> }
> 
>+char *
>+canonicalize_path_restricted(const char *path)
>+{
>+	char canonical[PATH_MAX+2];
>+	char *p = NULL;
>+	int errsv;
>+	uid_t euid;
>+	gid_t egid;
>+
>+	if (path == NULL)
>+		return NULL;
>+
>+	euid = geteuid();
>+	egid = getegid();
>+
>+	/* drop permissions */
>+	if (setegid(getgid()) < 0 || seteuid(getuid()) < 0)
>+		return NULL;
>+
>+	errsv = errno = 0;
>+
>+	if (myrealpath(path, canonical, PATH_MAX+1)) {
>+		p = strrchr(canonical, '/');
>+		if (p && strncmp(p, "/dm-", 4) == 0 && isdigit(*(p + 4)))
>+			p = canonicalize_dm_name(p+1);
>+		else
>+			p = NULL;
>+		if (!p)
>+			p = strdup(canonical);
>+	} else
>+		errsv = errno;
>+
>+	/* restore */
>+	if (setegid(egid) < 0 || seteuid(euid) < 0) {
>+		free(p);
>+		return NULL;
>+	}
>+
>+	errno = errsv;
>+	return p;
>+}
>+
> 
> #ifdef TEST_PROGRAM_CANONICALIZE
> int main(int argc, char **argv)
>diff -Naurp util-linux-2.21.1/sys-utils/mount.c util-linux-2.21.1.oden/sys-utils/mount.c
>--- util-linux-2.21.1/sys-utils/mount.c	2012-03-29 15:15:48.476598065 +0200
>+++ util-linux-2.21.1.oden/sys-utils/mount.c	2013-01-06 21:54:45.638214047 +0100
>@@ -39,6 +39,7 @@
> #include "xgetpass.h"
> #include "exitcodes.h"
> #include "xalloc.h"
>+#include "canonicalize.h"
> 
> /*** TODO: DOCS:
>  *
>@@ -590,6 +591,37 @@ static struct libmnt_table *append_fstab
> 	return fstab;
> }
> 
>+/*
>+ * Check source and target paths -- non-root user should not be able to
>+ * resolve paths which are unreadable for him.
>+ */
>+static void sanitize_paths(struct libmnt_context *cxt)
>+{
>+	const char *p;
>+	struct libmnt_fs *fs = mnt_context_get_fs(cxt);
>+
>+	if (!fs)
>+		return;
>+
>+	p = mnt_fs_get_target(fs);
>+	if (p) {
>+		char *np = canonicalize_path_restricted(p);
>+		if (!np)
>+			err(MOUNT_EX_USAGE, "%s", p);
>+		mnt_fs_set_target(fs, np);
>+		free(np);
>+	}
>+
>+	p = mnt_fs_get_srcpath(fs);
>+	if (p) {
>+		char *np = canonicalize_path_restricted(p);
>+		if (!np)
>+			err(MOUNT_EX_USAGE, "%s", p);
>+		mnt_fs_set_source(fs, np);
>+		free(np);
>+	}
>+}
>+
> static void __attribute__((__noreturn__)) usage(FILE *out)
> {
> 	fputs(USAGE_HEADER, out);
>@@ -902,6 +934,9 @@ int main(int argc, char **argv)
> 	} else
> 		usage(stderr);
> 
>+	if (mnt_context_is_restricted(cxt))
>+		sanitize_paths(cxt);
>+
> 	if (oper) {
> 		/* MS_PROPAGATION operations, let's set the mount flags */
> 		mnt_context_set_mflags(cxt, oper);
>diff -Naurp util-linux-2.21.1/sys-utils/umount.c util-linux-2.21.1.oden/sys-utils/umount.c
>--- util-linux-2.21.1/sys-utils/umount.c	2012-03-29 15:11:14.479615852 +0200
>+++ util-linux-2.21.1.oden/sys-utils/umount.c	2013-01-06 21:54:45.638214047 +0100
>@@ -34,6 +34,7 @@
> #include "env.h"
> #include "optutils.h"
> #include "exitcodes.h"
>+#include "canonicalize.h"
> 
> static int table_parser_errcb(struct libmnt_table *tb __attribute__((__unused__)),
> 			const char *filename, int line)
>@@ -277,6 +278,24 @@ static int umount_one(struct libmnt_cont
> 	return rc;
> }
> 
>+/*
>+ * Check path -- non-root user should not be able to resolve path which is
>+ * unreadable for him.
>+ */
>+static char *sanitize_path(const char *path)
>+{
>+	char *p;
>+
>+	if (!path)
>+		return NULL;
>+
>+	p = canonicalize_path_restricted(path);
>+	if (!p)
>+		err(MOUNT_EX_USAGE, "%s", path);
>+
>+	return p;
>+}
>+
> int main(int argc, char **argv)
> {
> 	int c, rc = 0, all = 0;
>@@ -388,10 +407,20 @@ int main(int argc, char **argv)
> 	} else if (argc < 1) {
> 		usage(stderr);
> 
>-	} else while (argc--)
>-		rc += umount_one(cxt, *argv++);
>+	} else {
>+		while (argc--) {
>+			char *path = *argv++;
>+
>+			if (mnt_context_is_restricted(cxt))
>+				path = sanitize_path(path);
>+
>+			rc += umount_one(cxt, path);
>+
>+			if (mnt_context_is_restricted(cxt))
>+				free(path);
>+		}
>+	}
> 
> 	mnt_free_context(cxt);
> 	return rc;
> }
>-

diff -Naurp util-linux-2.21.1/include/canonicalize.h util-linux-2.21.1.oden/include/canonicalize.h
--- util-linux-2.21.1/include/canonicalize.h	2011-12-18 21:28:28.236831903 +0100
+++ util-linux-2.21.1.oden/include/canonicalize.h	2013-01-06 21:55:00.090213714 +0100
@@ -4,6 +4,7 @@
 #include "c.h"	/* for PATH_MAX */
 
 extern char *canonicalize_path(const char *path);
+extern char *canonicalize_path_restricted(const char *path);
 extern char *canonicalize_dm_name(const char *ptname);
 
 #endif /* CANONICALIZE_H */
diff -Naurp util-linux-2.21.1/lib/canonicalize.c util-linux-2.21.1.oden/lib/canonicalize.c
--- util-linux-2.21.1/lib/canonicalize.c	2012-03-26 10:13:26.575142777 +0200
+++ util-linux-2.21.1.oden/lib/canonicalize.c	2013-01-06 22:01:36.539203861 +0100
@@ -188,6 +188,48 @@ canonicalize_path(const char *path)
 	return strdup(canonical);
 }
 
+char *
+canonicalize_path_restricted(const char *path)
+{
+	char canonical[PATH_MAX+2];
+	char *p = NULL;
+	int errsv;
+	uid_t euid;
+	gid_t egid;
+
+	if (path == NULL)
+		return NULL;
+
+	euid = geteuid();
+	egid = getegid();
+
+	/* drop permissions */
+	if (setegid(getgid()) < 0 || seteuid(getuid()) < 0)
+		return NULL;
+
+	errsv = errno = 0;
+
+	if (myrealpath(path, canonical, PATH_MAX+1)) {
+		p = strrchr(canonical, '/');
+		if (p && strncmp(p, "/dm-", 4) == 0 && isdigit(*(p + 4)))
+			p = canonicalize_dm_name(p+1);
+		else
+			p = NULL;
+		if (!p)
+			p = strdup(canonical);
+	} else
+		errsv = errno;
+
+	/* restore */
+	if (setegid(egid) < 0 || seteuid(euid) < 0) {
+		free(p);
+		return NULL;
+	}
+
+	errno = errsv;
+	return p;
+}
+
 
 #ifdef TEST_PROGRAM_CANONICALIZE
 int main(int argc, char **argv)
diff -Naurp util-linux-2.21.1/sys-utils/mount.c util-linux-2.21.1.oden/sys-utils/mount.c
--- util-linux-2.21.1/sys-utils/mount.c	2012-03-29 15:15:48.476598065 +0200
+++ util-linux-2.21.1.oden/sys-utils/mount.c	2013-01-06 21:54:45.638214047 +0100
@@ -39,6 +39,7 @@
 #include "xgetpass.h"
 #include "exitcodes.h"
 #include "xalloc.h"
+#include "canonicalize.h"
 
 /*** TODO: DOCS:
  *
@@ -590,6 +591,37 @@ static struct libmnt_table *append_fstab
 	return fstab;
 }
 
+/*
+ * Check source and target paths -- non-root user should not be able to
+ * resolve paths which are unreadable for him.
+ */
+static void sanitize_paths(struct libmnt_context *cxt)
+{
+	const char *p;
+	struct libmnt_fs *fs = mnt_context_get_fs(cxt);
+
+	if (!fs)
+		return;
+
+	p = mnt_fs_get_target(fs);
+	if (p) {
+		char *np = canonicalize_path_restricted(p);
+		if (!np)
+			err(MOUNT_EX_USAGE, "%s", p);
+		mnt_fs_set_target(fs, np);
+		free(np);
+	}
+
+	p = mnt_fs_get_srcpath(fs);
+	if (p) {
+		char *np = canonicalize_path_restricted(p);
+		if (!np)
+			err(MOUNT_EX_USAGE, "%s", p);
+		mnt_fs_set_source(fs, np);
+		free(np);
+	}
+}
+
 static void __attribute__((__noreturn__)) usage(FILE *out)
 {
 	fputs(USAGE_HEADER, out);
@@ -902,6 +934,9 @@ int main(int argc, char **argv)
 	} else
 		usage(stderr);
 
+	if (mnt_context_is_restricted(cxt))
+		sanitize_paths(cxt);
+
 	if (oper) {
 		/* MS_PROPAGATION operations, let's set the mount flags */
 		mnt_context_set_mflags(cxt, oper);
diff -Naurp util-linux-2.21.1/sys-utils/umount.c util-linux-2.21.1.oden/sys-utils/umount.c
--- util-linux-2.21.1/sys-utils/umount.c	2012-03-29 15:11:14.479615852 +0200
+++ util-linux-2.21.1.oden/sys-utils/umount.c	2013-01-06 21:54:45.638214047 +0100
@@ -34,6 +34,7 @@
 #include "env.h"
 #include "optutils.h"
 #include "exitcodes.h"
+#include "canonicalize.h"
 
 static int table_parser_errcb(struct libmnt_table *tb __attribute__((__unused__)),
 			const char *filename, int line)
@@ -277,6 +278,24 @@ static int umount_one(struct libmnt_cont
 	return rc;
 }
 
+/*
+ * Check path -- non-root user should not be able to resolve path which is
+ * unreadable for him.
+ */
+static char *sanitize_path(const char *path)
+{
+	char *p;
+
+	if (!path)
+		return NULL;
+
+	p = canonicalize_path_restricted(path);
+	if (!p)
+		err(MOUNT_EX_USAGE, "%s", path);
+
+	return p;
+}
+
 int main(int argc, char **argv)
 {
 	int c, rc = 0, all = 0;
@@ -388,10 +407,20 @@ int main(int argc, char **argv)
 	} else if (argc < 1) {
 		usage(stderr);
 
-	} else while (argc--)
-		rc += umount_one(cxt, *argv++);
+	} else {
+		while (argc--) {
+			char *path = *argv++;
+
+			if (mnt_context_is_restricted(cxt))
+				path = sanitize_path(path);
+
+			rc += umount_one(cxt, path);
+
+			if (mnt_context_is_restricted(cxt))
+				free(path);
+		}
+	}
 
 	mnt_free_context(cxt);
 	return rc;
 }
-

Actions: View | Diff

Attachments on bug 8615: 3325