Skip to content

Commit

Permalink
CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc
Browse files Browse the repository at this point in the history
This prevents an unprivileged user to use LXC to create arbitrary file
on the filesystem.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
  • Loading branch information
hallyn authored and stgraber committed Jul 22, 2015
1 parent f52c0d2 commit 72cf81f
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 38 deletions.
47 changes: 10 additions & 37 deletions src/lxc/lxclock.c
Original file line number Diff line number Diff line change
Expand Up @@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n)
char *rundir;

/* lockfile will be:
* "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root
* "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root
* or
* $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root
* $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root
*/

/* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */
len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3;
/* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */
len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3;
rundir = get_rundir();
if (!rundir)
return NULL;
Expand All @@ -120,48 +120,21 @@ static char *lxclock_name(const char *p, const char *n)
return NULL;
}

ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p);
ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p);
if (ret < 0 || ret >= len) {
free(dest);
free(rundir);
return NULL;
}
ret = mkdir_p(dest, 0755);
if (ret < 0) {
/* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." + $lxcname + '\0'
* * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1)
* * lxcpath always starts with '/'
*/
int l2 = 22 + strlen(n) + strlen(p);
if (l2 > len) {
char *d;
d = realloc(dest, l2);
if (!d) {
free(dest);
free(rundir);
return NULL;
}
len = l2;
dest = d;
}
ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p);
if (ret < 0 || ret >= len) {
free(dest);
free(rundir);
return NULL;
}
ret = mkdir_p(dest, 0755);
if (ret < 0) {
free(dest);
free(rundir);
return NULL;
}
ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n);
} else
ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n);
free(dest);
free(rundir);
return NULL;
}

ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n);
free(rundir);

if (ret < 0 || ret >= len) {
free(dest);
return NULL;
Expand Down
2 changes: 1 addition & 1 deletion src/tests/locktests.c
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ int main(int argc, char *argv[])
exit(1);
}
struct stat sb;
char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/";
char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/";
ret = stat(pathname, &sb);
if (ret != 0) {
fprintf(stderr, "%d: filename %s not created\n", __LINE__,
Expand Down

0 comments on commit 72cf81f

Please sign in to comment.