Security: fix an issue (similar to runc CVE-2016-3697) #348
Can one of the admins verify this patch?

LGTM

Hello, thanks for the fix. Could you fix hyper_getpwnam() and hyper_getgrnam() instead? Other info is needed from /etc/passwd even if the id is numeric.

I have improved it. Thank you.

I don't think there are any differences in the new code. How do you test it?
src/util.c
Outdated
| @@ -162,20 +168,27 @@ struct passwd *hyper_getpwnam(const char *name) | |||
| struct passwd *pwd = fgetpwent(file); | |||
| if (!pwd) | |||
| break; | |||
| if (!strcmp(pwd->pw_name, name) || pwd->pw_uid == uid) { | |||
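Review bot: in the `if` on the last line of this hunk, `!strcmp(pwd->pw_name, name) || pwd->pw_uid == uid` gives a name match and a uid match equal priority, so for a numeric argument the entry returned depends on the order of lines in the passwd file. Make the precedence explicit: when `name` parsed as a number, compare only `pw_uid`, and use `strcmp` only when it did not parse. A short comment above hyper_getpwnam() stating that rule would also help callers.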
just
if ((INVALID_UGID == uid && !strcmp(pwd->pw_name, name)) || pwd->pw_uid == uid) {
is enough.
INVALID_UGID should be changed to a better name.
The test case is above this pr, take hyper_getpwnam(1000) for example
/etc/passwd
1000:x:1001:0:*:/*:/bin/bash
|
V
hyper_getpwnam(1000) = struct passwd {pw_name: 1000, uid: 1001}
/etc/passwd
1000:x:1001:0:*:/*:/bin/bash
hello:x:1000:0:*:/*:/bin/bash
|
V
hyper_getpwnam(1000) = struct passwd {pw_name: hello, uid: 1000}
/etc/passwd
have no 1000 as name or uid
|
V
hyper_getpwnam(1000) = NULL
And what do you think we can use to replace INVALID_UGID?
src/util.c
Outdated
| fclose(file); | ||
| return pwd; | ||
| } | ||
| if (!strcmp(pwd->pw_name, name)) { | ||
| user_pwd = pwd; | ||
| } |
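Review bot: `user_pwd = pwd;` keeps the pointer returned by fgetpwent(), which may point to static storage that the next fgetpwent() call overwrites. If the loop keeps reading after this assignment, as the lack of a `break` or `return` in this branch suggests, the saved fallback will no longer hold the name-matched record when it is finally returned. Copy the fields that are needed, or decide at the point of the match.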
Please convert the logic to
if ((INVALID_UGID == uid && !strcmp(pwd->pw_name, name)) || pwd->pw_uid == uid) {
so that "10" is always a uid instead of a name.
Updated, thanks.
Signed-off-by: y00316549 <yangshukui@huawei.com>
It's an issue that is similar to runc CVE-2016-3697.
Before this pr,
After this pr,
Signed-off-by: y00316549 yangshukui@huawei.com
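The lookup order discussed in this thread, as an added example that is not part of the PR or the project's code: it runs the match condition from the first hunk and the condition suggested in review over the passwd lines quoted in the test case. The names `lookup`, `parse_uid` and `SAMPLE`, the value given to `INVALID_UGID`, and the rule that only an all-digit string counts as an id are assumptions made for the example.

```c
#define _GNU_SOURCE /* for fgetpwent() and fmemopen() */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INVALID_UGID ((uid_t)-1) /* assumed value; the thread only names the macro */

/* Constructed sample, taken from the test case quoted in the thread. */
static const char SAMPLE[] =
    "1000:x:1001:0:*:/*:/bin/bash\n"
    "hello:x:1000:0:*:/*:/bin/bash\n";

/* Assumed helper: only an all-digit string counts as a numeric id. */
static uid_t parse_uid(const char *s)
{
    char *end;
    unsigned long v = strtoul(s, &end, 10);
    if (*s < '0' || *s > '9' || *end != '\0' || v >= (unsigned long)INVALID_UGID)
        return INVALID_UGID;
    return (uid_t)v;
}

/* Returns pw_uid of the selected entry, or -1 if nothing matches.
 * uid_first == 0: first name-or-uid match wins (condition in the first hunk).
 * uid_first == 1: a numeric argument matches by uid only (condition from review). */
long lookup(const char *passwd_text, const char *name, int uid_first)
{
    uid_t uid = parse_uid(name);
    long found = -1;
    struct passwd *pwd;
    FILE *file = fmemopen((void *)passwd_text, strlen(passwd_text), "r");
    if (!file)
        return -1;
    while (found < 0 && (pwd = fgetpwent(file)) != NULL) {
        int by_name = !strcmp(pwd->pw_name, name);
        int hit = uid_first ? ((uid == INVALID_UGID && by_name) || pwd->pw_uid == uid)
                            : (by_name || pwd->pw_uid == uid);
        if (hit)
            found = (long)pwd->pw_uid; /* copy out: pwd points at static storage */
    }
    fclose(file);
    return found;
}

int main(void)
{
    printf("first-match: %ld, uid-first: %ld\n", lookup(SAMPLE, "1000", 0), lookup(SAMPLE, "1000", 1));
    return 0;
}
```

With the review condition, a file that contains only the `1000:x:1001` line yields no match for "1000", which differs from the first case in the quoted test description.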