Bug#905586: lxc: CVE-2018-6556: lxc-user-nic allows unprivileged users to open arbitrary files

2018-08-13 Thread Simon McVittie 
On Mon, 06 Aug 2018 at 19:08:37 +0200, Salvatore Bonaccorso wrote:
> Forwarded: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591

Patches from the upstream bug for the 2.0 branch:
https://launchpadlibrarian.net/381944814/0001-utils-add-LXC_PROC_PID_FD_LEN_stable-2.0.patch
https://launchpadlibrarian.net/380888109/stable-2.0-lxc-user-nic-verify-file-descriptor.patch
also attached.

smcv
>From f96f5f3c1341e73ee51c8b49bef4ba571c562d8c Mon Sep 17 00:00:00 2001
From: Christian Brauner 
Date: Fri, 4 May 2018 11:59:11 +0200
Subject: [PATCH] utils: add LXC_PROC_PID_FD_LEN

Signed-off-by: Christian Brauner 
---
 src/lxc/utils.h | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index a2bad89db..e4d8519db 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -99,6 +99,17 @@
 #define LXC_NUMSTRLEN64 21
 #define LXC_LINELEN 4096
 #define LXC_IDMAPLEN 4096
+/* /proc/   =6
+ *+
+ *  =   LXC_NUMSTRLEN64
+ *+
+ * /fd/ =4
+ *+
+ *   =   LXC_NUMSTRLEN64
+ *+
+ * \0   =1
+ */
+#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
 
 /* returns 1 on success, 0 if there were any failures */
 extern int lxc_rmdir_onedev(char *path, const char *exclude);
-- 
2.17.1

>From d183654ec1a2cd1149bdb92601ccb7246bddb14e Mon Sep 17 00:00:00 2001
From: Christian Brauner 
Date: Wed, 25 Jul 2018 19:56:54 +0200
Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic

Signed-off-by: Christian Brauner 
---
 src/lxc/lxc_user_nic.c | 35 ---
 src/lxc/utils.c| 12 
 src/lxc/utils.h|  5 +
 3 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index 2a5c3a43..b7c72abd 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -1129,12 +1129,41 @@ int main(int argc, char *argv[])
 			exit(EXIT_FAILURE);
 		}
 	} else if (request == LXC_USERNIC_DELETE) {
-		netns_fd = open(args.pid, O_RDONLY);
+		char opath[LXC_PROC_PID_FD_LEN];
+
+		/* Open the path with O_PATH which will not trigger an actual
+		 * open(). Don't report an errno to the caller to not leak
+		 * information whether the path exists or not.
+		 * When stracing setuid is stripped so this is not a concern
+		 * either.
+		 */
+		netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
 		if (netns_fd < 0) {
-			usernic_error("Could not open \"%s\": %s\n", args.pid,
-  strerror(errno));
+			usernic_error("Failed to open \"%s\"\n", args.pid);
 			exit(EXIT_FAILURE);
 		}
+
+		if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
+			usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
+			close(netns_fd);
+			exit(EXIT_FAILURE);
+		}
+
+		ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
+		if (ret < 0 || (size_t)ret >= sizeof(opath)) {
+			close(netns_fd);
+			exit(EXIT_FAILURE);
+		}
+
+		/* Now get an fd that we can use in setns() calls. */
+		ret = open(opath, O_RDONLY | O_CLOEXEC);
+		if (ret < 0) {
+			usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
+			close(netns_fd);
+			exit(EXIT_FAILURE);
+		}
+		close(netns_fd);
+		netns_fd = ret;
 	}
 
 	if (!create_db_dir(LXC_USERNIC_DB)) {
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 10e14b7f..eb0af822 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -2319,6 +2319,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
 	return has_type;
 }
 
+bool fhas_fs_type(int fd, fs_type_magic magic_val)
+{
+	int ret;
+	struct statfs sb;
+
+	ret = fstatfs(fd, );
+	if (ret < 0)
+		return false;
+
+	return is_fs_type(, magic_val);
+}
+
 bool lxc_nic_exists(char *nic)
 {
 #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index a2bad89d..b0c37c41 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -94,6 +94,10 @@
 #define CGROUP2_SUPER_MAGIC 0x63677270
 #endif
 
+#ifndef NSFS_MAGIC
+#define NSFS_MAGIC 0x6e736673
+#endif
+
 /* Useful macros */
 /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
 #define LXC_NUMSTRLEN64 21
@@ -544,6 +548,7 @@ extern void *must_realloc(void *orig, size_t sz);
 /* __typeof__ should be safe to use with all compilers. */
 typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
 extern bool has_fs_type(const char *path, fs_type_magic magic_val);
+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
 extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
 extern bool lxc_nic_exists(char *nic);
 extern int lxc_make_tmpfile(char *template, bool rm);
-- 
2.17.1

Bug#905586: lxc: CVE-2018-6556: lxc-user-nic allows unprivileged users to open arbitrary files

2018-08-06 Thread Salvatore Bonaccorso 
Source: lxc
Version: 1:2.0.9-1
Severity: grave
Tags: patch security upstream
Forwarded: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591

Hi,

The following vulnerability was published for lxc.

CVE-2018-6556[0]:
lxc-user-nic allows unprivileged users to open arbitrary files

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-6556
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556
[1] https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1783591
[2] 
https://lists.linuxcontainers.org/pipermail/lxc-devel/2018-August/018336.html

Regards,
Salvatore