Validate fds created by the user

write_mapping() will do the following:

openat(proc_dir_fd, map_file, O_WRONLY);

An attacker could create a directory containing a symlink named
"uid_map" pointing to any file owned by root, and thus allow him to
overwrite any root-owned file.
This commit is contained in:
Vinícius dos Santos Oliveira 2023-02-24 18:06:02 -03:00 committed by Serge Hallyn
parent 7ff33fae6f
commit 05e2adf509

View File

@ -41,6 +41,8 @@ int get_pidfd_from_fd(const char *pidfdstr)
{ {
long long int val; long long int val;
char *endptr; char *endptr;
struct stat st;
dev_t proc_st_dev, proc_st_rdev;
errno = 0; errno = 0;
val = strtoll (pidfdstr, &endptr, 10); val = strtoll (pidfdstr, &endptr, 10);
@ -51,6 +53,21 @@ int get_pidfd_from_fd(const char *pidfdstr)
return -1; return -1;
} }
if (stat("/proc/self/uid_map", &st) < 0) {
return -1;
}
proc_st_dev = st.st_dev;
proc_st_rdev = st.st_rdev;
if (fstat(val, &st) < 0) {
return -1;
}
if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev) {
return -1;
}
return (int)val; return (int)val;
} }