Hi Antonio,

On Fri, Aug 31, 2018 at 08:14:57AM -0300, Antonio Terceiro wrote:
> On Thu, Aug 30, 2018 at 10:06:15PM +0200, Salvatore Bonaccorso wrote:
> > Control: tags 905586 + pending
> > 
> > 
> > Dear maintainer,
> > 
> > I've prepared an NMU for lxc (versioned as 1:2.0.9-6.1) and
> > uploaded it to DELAYED/5.
> 
> Thanks!
> 
> > Please feel free to tell me if I should delay it longer.
> 
> on the contrary: please feel free to make it an immediate upload. I will
> import your diff in the git repository

Thank you, I have just rescheduled it.

If you prefer to have the single commits they are attached to this
mail. I realize you probably would have preferred a proper merge
request, but I did not start working from the salsa repo but from a
gbp import-dsc git repo.

Regards,
Salvatore
From d37ad7ef0f5d30b9dc94252726d338f1b44e746e Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <car...@debian.org>
Date: Wed, 29 Aug 2018 15:19:27 +0200
Subject: [PATCH 1/3] utils: add LXC_PROC_PID_FD_LEN

---
 debian/changelog                              |  6 ++++
 ...s-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch | 35 +++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 42 insertions(+)
 create mode 100644 debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch

diff --git a/debian/changelog b/debian/changelog
index e3a1393eabe6..ece65f3f2990 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+lxc (1:2.0.9-7) UNRELEASED; urgency=medium
+
+  * utils: add LXC_PROC_PID_FD_LEN
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 29 Aug 2018 15:19:41 +0200
+
 lxc (1:2.0.9-6) unstable; urgency=medium
 
   * 0004-debian-Use-iproute2-instead-of-iproute.patch: fix creation of
diff --git a/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch b/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch
new file mode 100644
index 000000000000..300264419c2e
--- /dev/null
+++ b/debian/patches/0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch
@@ -0,0 +1,35 @@
+From f96f5f3c1341e73ee51c8b49bef4ba571c562d8c Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brau...@ubuntu.com>
+Date: Fri, 4 May 2018 11:59:11 +0200
+Subject: [PATCH] utils: add LXC_PROC_PID_FD_LEN
+
+Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
+---
+ src/lxc/utils.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index a2bad89db..e4d8519db 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -99,6 +99,17 @@
+ #define LXC_NUMSTRLEN64 21
+ #define LXC_LINELEN 4096
+ #define LXC_IDMAPLEN 4096
++/* /proc/       =    6
++ *                +
++ * <pid-as-str> =   LXC_NUMSTRLEN64
++ *                +
++ * /fd/         =    4
++ *                +
++ * <fd-as-str>  =   LXC_NUMSTRLEN64
++ *                +
++ * \0           =    1
++ */
++#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
+ 
+ /* returns 1 on success, 0 if there were any failures */
+ extern int lxc_rmdir_onedev(char *path, const char *exclude);
+-- 
+2.17.1
+
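Review bot: the sizing in `+#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)` is deliberately generous rather than exact: LXC_NUMSTRLEN64 (21) is already one byte more than the 20 decimal digits of 2^64 - 1, so the total of 53 bytes leaves two spare bytes beyond `/proc/<pid>/fd/<fd>\0`, and the only caller added in the following patch formats the shorter `/proc/self/fd/%d`, so the buffer cannot be truncated even though that caller also checks the snprintf result. Since this commit adds nothing but a macro and changes no runtime behaviour on its own, the changelog entry would read better with a note that it is a prerequisite pulled in for the CVE fix that follows.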
diff --git a/debian/patches/series b/debian/patches/series
index 43c8fba2388b..5ebb5b167444 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0002-lxc-debian-don-t-write-C.-locales-to-etc-locale.gen.patch
 0003-lxc-debian-don-t-hardcode-valid-releases.patch
 0004-debian-Use-iproute2-instead-of-iproute.patch
+0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch
-- 
2.18.0

From 23be076be26591f506acc929586ce7fa37569400 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <car...@debian.org>
Date: Wed, 29 Aug 2018 15:20:25 +0200
Subject: [PATCH 2/3] CVE 2018-6556: verify netns fd in lxc-user-nic

Closes: #905586
---
 debian/changelog                              |   1 +
 ...-lxc-user-nic-verify-file-descriptor.patch | 101 ++++++++++++++++++
 debian/patches/series                         |   1 +
 3 files changed, 103 insertions(+)
 create mode 100644 debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch

diff --git a/debian/changelog b/debian/changelog
index ece65f3f2990..438982ff7e8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 lxc (1:2.0.9-7) UNRELEASED; urgency=medium
 
   * utils: add LXC_PROC_PID_FD_LEN
+  * CVE 2018-6556: verify netns fd in lxc-user-nic (Closes: #905586)
 
  -- Salvatore Bonaccorso <car...@debian.org>  Wed, 29 Aug 2018 15:19:41 +0200
 
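Review bot: the entry `+  * CVE 2018-6556: verify netns fd in lxc-user-nic (Closes: #905586)` writes the identifier with a space; the canonical form is CVE-2018-6556, and tooling that scans changelogs for CVE references (the Debian security tracker included) matches the hyphenated pattern, so the spaced form may keep the upload from being associated with the issue automatically. Suggest `* CVE-2018-6556: verify netns fd in lxc-user-nic (Closes: #905586)`; the upstream subject line in the embedded patch uses the same spacing, but that does not need to be carried into the changelog.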
diff --git a/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch b/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch
new file mode 100644
index 000000000000..c877483af596
--- /dev/null
+++ b/debian/patches/0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch
@@ -0,0 +1,101 @@
+From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brau...@ubuntu.com>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
+---
+ src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c        | 12 ++++++++++++
+ src/lxc/utils.h        |  5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+--- a/src/lxc/lxc_user_nic.c
++++ b/src/lxc/lxc_user_nic.c
+@@ -1124,12 +1124,41 @@ int main(int argc, char *argv[])
+ 			exit(EXIT_FAILURE);
+ 		}
+ 	} else if (request == LXC_USERNIC_DELETE) {
+-		netns_fd = open(args.pid, O_RDONLY);
++		char opath[LXC_PROC_PID_FD_LEN];
++
++		/* Open the path with O_PATH which will not trigger an actual
++		 * open(). Don't report an errno to the caller to not leak
++		 * information whether the path exists or not.
++		 * When stracing setuid is stripped so this is not a concern
++		 * either.
++		 */
++		netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+ 		if (netns_fd < 0) {
+-			usernic_error("Could not open \"%s\": %s\n", args.pid,
+-				      strerror(errno));
++			usernic_error("Failed to open \"%s\"\n", args.pid);
++			exit(EXIT_FAILURE);
++		}
++
++		if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++			usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
++			close(netns_fd);
++			exit(EXIT_FAILURE);
++		}
++
++		ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
++		if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++			close(netns_fd);
++			exit(EXIT_FAILURE);
++		}
++
++		/* Now get an fd that we can use in setns() calls. */
++		ret = open(opath, O_RDONLY | O_CLOEXEC);
++		if (ret < 0) {
++			usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
++			close(netns_fd);
+ 			exit(EXIT_FAILURE);
+ 		}
++		close(netns_fd);
++		netns_fd = ret;
+ 	}
+ 
+ 	if (!create_db_dir(LXC_USERNIC_DB)) {
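Review bot: the check-then-use gap is closed correctly in this region, but the mechanism deserves a sentence in the patch description, because it is the whole point of the fix: `open(args.pid, O_PATH | O_CLOEXEC)` pins an inode without triggering any open-time side effect, `fhas_fs_type(netns_fd, NSFS_MAGIC)` verifies that inode with fstatfs(2), and the final `open(opath, O_RDONLY | O_CLOEXEC)` goes through `/proc/self/fd/%d`, i.e. it reopens the already-verified inode instead of re-resolving the caller-supplied path, so the path cannot be swapped between the check and the real open. Two caveats are worth recording alongside it: fstatfs(2) on an O_PATH descriptor is only supported since Linux 3.12, and on older kernels the call fails, `fhas_fs_type` returns false and every delete request is refused (fail-closed, but with a misleading "does not refer to a network namespace path" message); and the error reporting is intentionally asymmetric, as the comment says: the first open drops errno so the setuid helper does not reveal whether an arbitrary path exists, while the second open still prints `strerror(errno)`, which is acceptable only because by then the path has been proven to be an nsfs inode.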
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2377,6 +2377,18 @@ bool has_fs_type(const char *path, fs_ty
+ 	return has_type;
+ }
+ 
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++	int ret;
++	struct statfs sb;
++
++	ret = fstatfs(fd, &sb);
++	if (ret < 0)
++		return false;
++
++	return is_fs_type(&sb, magic_val);
++}
++
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -46,6 +46,10 @@
+ #define __S_ISTYPE(mode, mask) (((mode)&S_IFMT) == (mask))
+ #endif
+ 
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+ #define LXC_NUMSTRLEN64 21
+@@ -403,6 +407,7 @@ void *must_realloc(void *orig, size_t sz
+ /* __typeof__ should be safe to use with all compilers. */
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
+ 
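Review bot: the fallback `+#define NSFS_MAGIC 0x6e736673` matches the constant in the kernel's <linux/magic.h> (the ASCII bytes of "nsfs"), so a build against older headers that lack it performs the same check; the `#ifndef` guard should stay, since current headers do define it. Separately, unlike 0005, this embedded patch carries no per-file `diff --git`/`index` lines, which suggests it was adjusted by hand for stable-2.0 rather than taken verbatim from upstream commit d183654ec1a2cd1149bdb92601ccb7246bddb14e; if so, the `From:` line alone overstates its provenance, and DEP-3 headers such as `Origin: backport, <upstream commit URL>` (URL to be filled in) and `Bug-Debian: https://bugs.debian.org/905586` would make the relationship to upstream and to the bug explicit.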
diff --git a/debian/patches/series b/debian/patches/series
index 5ebb5b167444..b7406be95fcc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
 0003-lxc-debian-don-t-hardcode-valid-releases.patch
 0004-debian-Use-iproute2-instead-of-iproute.patch
 0005-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch
+0006-stable-2.0-lxc-user-nic-verify-file-descriptor.patch
-- 
2.18.0

From 7f62f830385172e8a0b7dcfd75299291bf5edbdb Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <car...@debian.org>
Date: Wed, 29 Aug 2018 15:22:53 +0200
Subject: [PATCH 3/3] Prepare changelog for release

Gbp-Dch: Ignore
---
 debian/changelog | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 438982ff7e8d..a8befad79481 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,10 @@
-lxc (1:2.0.9-7) UNRELEASED; urgency=medium
+lxc (1:2.0.9-6.1) unstable; urgency=medium
 
+  * Non-maintainer upload.
   * utils: add LXC_PROC_PID_FD_LEN
   * CVE 2018-6556: verify netns fd in lxc-user-nic (Closes: #905586)
 
- -- Salvatore Bonaccorso <car...@debian.org>  Wed, 29 Aug 2018 15:19:41 +0200
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 29 Aug 2018 15:22:46 +0200
 
 lxc (1:2.0.9-6) unstable; urgency=medium
 
-- 
2.18.0
