Skip to content

Commit 72cf81f

Browse files
hallynstgraber
authored andcommitted
CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc
This prevents an unprivileged user to use LXC to create arbitrary file on the filesystem. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
1 parent f52c0d2 commit 72cf81f

File tree

2 files changed

+11
-38
lines changed

2 files changed

+11
-38
lines changed

Diff for: src/lxc/lxclock.c

+10-37
Original file line numberDiff line numberDiff line change
@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n)
103103
char *rundir;
104104

105105
/* lockfile will be:
106-
* "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root
106+
* "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root
107107
* or
108-
* $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root
108+
* $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root
109109
*/
110110

111-
/* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */
112-
len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3;
111+
/* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */
112+
len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3;
113113
rundir = get_rundir();
114114
if (!rundir)
115115
return NULL;
@@ -120,48 +120,21 @@ static char *lxclock_name(const char *p, const char *n)
120120
return NULL;
121121
}
122122

123-
ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p);
123+
ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p);
124124
if (ret < 0 || ret >= len) {
125125
free(dest);
126126
free(rundir);
127127
return NULL;
128128
}
129129
ret = mkdir_p(dest, 0755);
130130
if (ret < 0) {
131-
/* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." + $lxcname + '\0'
132-
* * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1)
133-
* * lxcpath always starts with '/'
134-
*/
135-
int l2 = 22 + strlen(n) + strlen(p);
136-
if (l2 > len) {
137-
char *d;
138-
d = realloc(dest, l2);
139-
if (!d) {
140-
free(dest);
141-
free(rundir);
142-
return NULL;
143-
}
144-
len = l2;
145-
dest = d;
146-
}
147-
ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p);
148-
if (ret < 0 || ret >= len) {
149-
free(dest);
150-
free(rundir);
151-
return NULL;
152-
}
153-
ret = mkdir_p(dest, 0755);
154-
if (ret < 0) {
155-
free(dest);
156-
free(rundir);
157-
return NULL;
158-
}
159-
ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n);
160-
} else
161-
ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n);
131+
free(dest);
132+
free(rundir);
133+
return NULL;
134+
}
162135

136+
ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n);
163137
free(rundir);
164-
165138
if (ret < 0 || ret >= len) {
166139
free(dest);
167140
return NULL;

Diff for: src/tests/locktests.c

+1-1
Original file line numberDiff line numberDiff line change
@@ -122,7 +122,7 @@ int main(int argc, char *argv[])
122122
exit(1);
123123
}
124124
struct stat sb;
125-
char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/";
125+
char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/";
126126
ret = stat(pathname, &sb);
127127
if (ret != 0) {
128128
fprintf(stderr, "%d: filename %s not created\n", __LINE__,

0 commit comments

Comments
 (0)