Validate fds created by the user
write_mapping() will do the following: openat(proc_dir_fd, map_file, O_WRONLY); An attacker could create a directory containing a symlink named "uid_map" pointing to any file owned by root, and thus allow him to overwrite any root-owned file.
This commit is contained in:
parent
7ff33fae6f
commit
05e2adf509
@ -41,6 +41,8 @@ int get_pidfd_from_fd(const char *pidfdstr)
|
||||
{
|
||||
long long int val;
|
||||
char *endptr;
|
||||
struct stat st;
|
||||
dev_t proc_st_dev, proc_st_rdev;
|
||||
|
||||
errno = 0;
|
||||
val = strtoll (pidfdstr, &endptr, 10);
|
||||
@ -51,6 +53,21 @@ int get_pidfd_from_fd(const char *pidfdstr)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (stat("/proc/self/uid_map", &st) < 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
proc_st_dev = st.st_dev;
|
||||
proc_st_rdev = st.st_rdev;
|
||||
|
||||
if (fstat(val, &st) < 0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
return (int)val;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user