main/lxc: fix CVE-2018-6556

author: Jakub Jirutka <jakub@jirutka.cz> 2018-08-06 18:19:20 +0000
committer: Jakub Jirutka <jakub@jirutka.cz> 2018-08-06 20:19:52 +0200
commit: 3b59bf1ceb65a93255af5cf0093680e635415adc (patch)
tree: 602430d7d1c8cec1e1a7c25e942a30f9ae926243
parent: 7b1f6c1d9f25e866cfd69aa58105fc54a38fe332 (diff)
download: alpine_aports-3b59bf1ceb65a93255af5cf0093680e635415adc.tar.bz2
alpine_aports-3b59bf1ceb65a93255af5cf0093680e635415adc.tar.xz
alpine_aports-3b59bf1ceb65a93255af5cf0093680e635415adc.zip
2 files changed, 140 insertions, 2 deletions
diff --git a/main/lxc/APKBUILD b/main/lxc/APKBUILD
index 280cecdd1d..4fa5b608ea 100644
--- a/main/lxc/APKBUILD
+++ b/main/lxc/APKBUILD
@@ -5,7 +5,7 @@
 pkgname=lxc
 pkgver=2.0.9
 _pkgver=${pkgver/_rc/.rc}
-pkgrel=0
+pkgrel=1
 pkgdesc="Userspace interface for the Linux kernel containment features"
 url="https://linuxcontainers.org/lxc/"
 arch="all"
@@ -24,9 +24,14 @@ source="https://github.com/lxc/lxc/archive/lxc-$_pkgver.tar.gz
        lxc.conf
        download-template-tmpfs.patch
+        CVE-2018-6556.patch
        "
 builddir="$srcdir/lxc-lxc-$_pkgver"
+# secfixes:
+#   2.0.9-r1:
+#     - CVE-2018-6556
 _tmpldir="usr/share/lxc/templates"
 prepare() {
@@ -149,4 +154,5 @@ sha512sums="c2eb65565efb54e31ba2de61e6768a03142d940bcfda3a85c7fd7cd51bfed206aa4e
 e2ffcbf55447291a8434a4f37255c3a6a119bc4116c75d205006aa2b070bf6be28535cf6107bead14bbf64bf9fa415346ab544bd1c15e1add7d1c6380e6b2def  version.patch
 1037e0b773553aa04b619cec7cfc8fa504af830e58c8211eda367da7e36aeb88f45fca1f955a08fc4fa3f9da660017d5fe7145a326a2064cf15e24d1772d9e27  lxc.initd
 5b83b0323e58bf00bd1e124c265729499cee97559b6fe18482962e3bed50d121b4c7a09f25cbce7b1e18d4234627bc4b4581ba2060e33cd022f105b4429cef01  lxc.conf
-d055df5f7cc1001829f6eaef4c31c50088eeb7965d57b756e17b05dddeb86cf5648470c6711471fd0092418b95214ad5dc15c33d8db284f242773dd432ea51e0  download-template-tmpfs.patch"
+d055df5f7cc1001829f6eaef4c31c50088eeb7965d57b756e17b05dddeb86cf5648470c6711471fd0092418b95214ad5dc15c33d8db284f242773dd432ea51e0  download-template-tmpfs.patch
+3409711430072a3d4b8e7496aac8f655fe75d5b2b299bb0def17d119361611f2659a746a3f9c6aff539a13c3fbd8486dcaaff23a27a2b9d533673da524f4f095  CVE-2018-6556.patch"
diff --git a/main/lxc/CVE-2018-6556.patch b/main/lxc/CVE-2018-6556.patch
new file mode 100644
index 0000000000..e2857ea715
--- /dev/null
+++ b/main/lxc/CVE-2018-6556.patch
@@ -0,0 +1,132 @@
+From 5eb45428b312e978fb9e294dde16efb14dd9fa4d Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+Patch-Source: https://github.com/lxc/lxc/commit/5eb45428b312e978fb9e294dde16efb14dd9fa4d
+              https://github.com/lxc/lxc/commit/f96f5f3c1341e73ee51c8b49bef4ba571c562d8c
+---
+ src/lxc/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c        | 12 ++++++++++++
+ src/lxc/utils.h        |  5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
+index 2a5c3a43a..b7c72abd7 100644
+--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
+@@ -1129,12 +1129,41 @@ int main(int argc, char *argv[])
+                        exit(EXIT_FAILURE);
+                }
+        } else if (request == LXC_USERNIC_DELETE) {
+-               netns_fd = open(args.pid, O_RDONLY);
+               char opath[LXC_PROC_PID_FD_LEN];
+
+               /* Open the path with O_PATH which will not trigger an actual
+                * open(). Don't report an errno to the caller to not leak
+                * information whether the path exists or not.
+                * When stracing setuid is stripped so this is not a concern
+                * either.
+                */
+               netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+                if (netns_fd < 0) {
+-                       usernic_error("Could not open \"%s\": %s\n", args.pid,
+-                                     strerror(errno));
+                       usernic_error("Failed to open \"%s\"\n", args.pid);
+                        exit(EXIT_FAILURE);
+                }
+
+               if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
+                       usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
+                       close(netns_fd);
+                       exit(EXIT_FAILURE);
+               }
+
+               ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
+               if (ret < 0 || (size_t)ret >= sizeof(opath)) {
+                       close(netns_fd);
+                       exit(EXIT_FAILURE);
+               }
+
+               /* Now get an fd that we can use in setns() calls. */
+               ret = open(opath, O_RDONLY | O_CLOEXEC);
+               if (ret < 0) {
+                       usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
+                       close(netns_fd);
+                       exit(EXIT_FAILURE);
+               }
+               close(netns_fd);
+               netns_fd = ret;
+        }
+ 
+        if (!create_db_dir(LXC_USERNIC_DB)) {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 10e14b7f3..eb0af8222 100644
+--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
+@@ -2319,6 +2319,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
+        return has_type;
+ }
+ 
+bool fhas_fs_type(int fd, fs_type_magic magic_val)
+{
+       int ret;
+       struct statfs sb;
+
+       ret = fstatfs(fd, &sb);
+       if (ret < 0)
+               return false;
+
+       return is_fs_type(&sb, magic_val);
+}
+
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index a2bad89db..e4d8519db 100644
+--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
+@@ -99,6 +99,17 @@
+ #define LXC_NUMSTRLEN64 21
+ #define LXC_LINELEN 4096
+ #define LXC_IDMAPLEN 4096
+/* /proc/       =    6
+ *                +
+ * <pid-as-str> =   LXC_NUMSTRLEN64
+ *                +
+ * /fd/         =    4
+ *                +
+ * <fd-as-str>  =   LXC_NUMSTRLEN64
+ *                +
+ * \0           =    1
+ */
+#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
+ 
+ /* returns 1 on success, 0 if there were any failures */
+ extern int lxc_rmdir_onedev(char *path, const char *exclude);
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index e4d8519db..56fed0a42 100644
+--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
+@@ -94,6 +94,10 @@
+ #define CGROUP2_SUPER_MAGIC 0x63677270
+ #endif
+ 
+#ifndef NSFS_MAGIC
+#define NSFS_MAGIC 0x6e736673
+#endif
+
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+ #define LXC_NUMSTRLEN64 21
+@@ -555,6 +559,7 @@ extern void *must_realloc(void *orig, size_t sz);
+ /* __typeof__ should be safe to use with all compilers. */
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
+ extern int lxc_make_tmpfile(char *template, bool rm);
author	Jakub Jirutka <jakub@jirutka.cz>	2018-08-06 18:19:20 +0000
committer	Jakub Jirutka <jakub@jirutka.cz>	2018-08-06 20:19:52 +0200
commit	3b59bf1ceb65a93255af5cf0093680e635415adc (patch)
tree	602430d7d1c8cec1e1a7c25e942a30f9ae926243
parent	7b1f6c1d9f25e866cfd69aa58105fc54a38fe332 (diff)
download	alpine_aports-3b59bf1ceb65a93255af5cf0093680e635415adc.tar.bz2 alpine_aports-3b59bf1ceb65a93255af5cf0093680e635415adc.tar.xz alpine_aports-3b59bf1ceb65a93255af5cf0093680e635415adc.zip

diff --git a/main/lxc/APKBUILD b/main/lxc/APKBUILD index 280cecdd1d..4fa5b608ea 100644 --- a/main/lxc/APKBUILD +++ b/main/lxc/APKBUILD
@@ -5,7 +5,7 @@
5	pkgname=lxc	5	pkgname=lxc
6	pkgver=2.0.9	6	pkgver=2.0.9
7	_pkgver=${pkgver/_rc/.rc}	7	_pkgver=${pkgver/_rc/.rc}
8	pkgrel=0	8	pkgrel=1
9	pkgdesc="Userspace interface for the Linux kernel containment features"	9	pkgdesc="Userspace interface for the Linux kernel containment features"
10	url="https://linuxcontainers.org/lxc/"	10	url="https://linuxcontainers.org/lxc/"
11	arch="all"	11	arch="all"
@@ -24,9 +24,14 @@ source="https://github.com/lxc/lxc/archive/lxc-$_pkgver.tar.gz
24	lxc.conf	24	lxc.conf
25		25
26	download-template-tmpfs.patch	26	download-template-tmpfs.patch
		27	CVE-2018-6556.patch
27	"	28	"
28	builddir="$srcdir/lxc-lxc-$_pkgver"	29	builddir="$srcdir/lxc-lxc-$_pkgver"
29		30
		31	# secfixes:
		32	# 2.0.9-r1:
		33	# - CVE-2018-6556
		34
30	_tmpldir="usr/share/lxc/templates"	35	_tmpldir="usr/share/lxc/templates"
31		36
32	prepare() {	37	prepare() {
@@ -149,4 +154,5 @@ sha512sums="c2eb65565efb54e31ba2de61e6768a03142d940bcfda3a85c7fd7cd51bfed206aa4e
149	e2ffcbf55447291a8434a4f37255c3a6a119bc4116c75d205006aa2b070bf6be28535cf6107bead14bbf64bf9fa415346ab544bd1c15e1add7d1c6380e6b2def version.patch	154	e2ffcbf55447291a8434a4f37255c3a6a119bc4116c75d205006aa2b070bf6be28535cf6107bead14bbf64bf9fa415346ab544bd1c15e1add7d1c6380e6b2def version.patch
150	1037e0b773553aa04b619cec7cfc8fa504af830e58c8211eda367da7e36aeb88f45fca1f955a08fc4fa3f9da660017d5fe7145a326a2064cf15e24d1772d9e27 lxc.initd	155	1037e0b773553aa04b619cec7cfc8fa504af830e58c8211eda367da7e36aeb88f45fca1f955a08fc4fa3f9da660017d5fe7145a326a2064cf15e24d1772d9e27 lxc.initd
151	5b83b0323e58bf00bd1e124c265729499cee97559b6fe18482962e3bed50d121b4c7a09f25cbce7b1e18d4234627bc4b4581ba2060e33cd022f105b4429cef01 lxc.conf	156	5b83b0323e58bf00bd1e124c265729499cee97559b6fe18482962e3bed50d121b4c7a09f25cbce7b1e18d4234627bc4b4581ba2060e33cd022f105b4429cef01 lxc.conf
152	d055df5f7cc1001829f6eaef4c31c50088eeb7965d57b756e17b05dddeb86cf5648470c6711471fd0092418b95214ad5dc15c33d8db284f242773dd432ea51e0 download-template-tmpfs.patch"	157	d055df5f7cc1001829f6eaef4c31c50088eeb7965d57b756e17b05dddeb86cf5648470c6711471fd0092418b95214ad5dc15c33d8db284f242773dd432ea51e0 download-template-tmpfs.patch
		158	3409711430072a3d4b8e7496aac8f655fe75d5b2b299bb0def17d119361611f2659a746a3f9c6aff539a13c3fbd8486dcaaff23a27a2b9d533673da524f4f095 CVE-2018-6556.patch"


diff --git a/main/lxc/CVE-2018-6556.patch b/main/lxc/CVE-2018-6556.patch new file mode 100644 index 0000000000..e2857ea715 --- /dev/null +++ b/main/lxc/CVE-2018-6556.patch
@@ -0,0 +1,132 @@
		1	From 5eb45428b312e978fb9e294dde16efb14dd9fa4d Mon Sep 17 00:00:00 2001
		2	From: Christian Brauner <christian.brauner@ubuntu.com>
		3	Date: Wed, 25 Jul 2018 19:56:54 +0200
		4	Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
		5
		6	Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
		7
		8	Patch-Source: https://github.com/lxc/lxc/commit/5eb45428b312e978fb9e294dde16efb14dd9fa4d
		9	https://github.com/lxc/lxc/commit/f96f5f3c1341e73ee51c8b49bef4ba571c562d8c
		10	---
		11	src/lxc/lxc_user_nic.c \| 35 ++++++++++++++++++++++++++++++++---
		12	src/lxc/utils.c \| 12 ++++++++++++
		13	src/lxc/utils.h \| 5 +++++
		14	3 files changed, 49 insertions(+), 3 deletions(-)
		15
		16	diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
		17	index 2a5c3a43a..b7c72abd7 100644
		18	--- a/src/lxc/lxc_user_nic.c
		19	+++ b/src/lxc/lxc_user_nic.c
		20	@@ -1129,12 +1129,41 @@ int main(int argc, char *argv[])
		21	exit(EXIT_FAILURE);
		22	}
		23	} else if (request == LXC_USERNIC_DELETE) {
		24	- netns_fd = open(args.pid, O_RDONLY);
		25	+ char opath[LXC_PROC_PID_FD_LEN];
		26	+
		27	+ /* Open the path with O_PATH which will not trigger an actual
		28	+ * open(). Don't report an errno to the caller to not leak
		29	+ * information whether the path exists or not.
		30	+ * When stracing setuid is stripped so this is not a concern
		31	+ * either.
		32	+ */
		33	+ netns_fd = open(args.pid, O_PATH \| O_CLOEXEC);
		34	if (netns_fd < 0) {
		35	- usernic_error("Could not open \"%s\": %s\n", args.pid,
		36	- strerror(errno));
		37	+ usernic_error("Failed to open \"%s\"\n", args.pid);
		38	exit(EXIT_FAILURE);
		39	}
		40	+
		41	+ if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
		42	+ usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
		43	+ close(netns_fd);
		44	+ exit(EXIT_FAILURE);
		45	+ }
		46	+
		47	+ ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
		48	+ if (ret < 0 \|\| (size_t)ret >= sizeof(opath)) {
		49	+ close(netns_fd);
		50	+ exit(EXIT_FAILURE);
		51	+ }
		52	+
		53	+ /* Now get an fd that we can use in setns() calls. */
		54	+ ret = open(opath, O_RDONLY \| O_CLOEXEC);
		55	+ if (ret < 0) {
		56	+ usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
		57	+ close(netns_fd);
		58	+ exit(EXIT_FAILURE);
		59	+ }
		60	+ close(netns_fd);
		61	+ netns_fd = ret;
		62	}
		63
		64	if (!create_db_dir(LXC_USERNIC_DB)) {
		65	diff --git a/src/lxc/utils.c b/src/lxc/utils.c
		66	index 10e14b7f3..eb0af8222 100644
		67	--- a/src/lxc/utils.c
		68	+++ b/src/lxc/utils.c
		69	@@ -2319,6 +2319,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
		70	return has_type;
		71	}
		72
		73	+bool fhas_fs_type(int fd, fs_type_magic magic_val)
		74	+{
		75	+ int ret;
		76	+ struct statfs sb;
		77	+
		78	+ ret = fstatfs(fd, &sb);
		79	+ if (ret < 0)
		80	+ return false;
		81	+
		82	+ return is_fs_type(&sb, magic_val);
		83	+}
		84	+
		85	bool lxc_nic_exists(char *nic)
		86	{
		87	#define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
		88	diff --git a/src/lxc/utils.h b/src/lxc/utils.h
		89	index a2bad89db..e4d8519db 100644
		90	--- a/src/lxc/utils.h
		91	+++ b/src/lxc/utils.h
		92	@@ -99,6 +99,17 @@
		93	#define LXC_NUMSTRLEN64 21
		94	#define LXC_LINELEN 4096
		95	#define LXC_IDMAPLEN 4096
		96	+/* /proc/ = 6
		97	+ * +
		98	+ * <pid-as-str> = LXC_NUMSTRLEN64
		99	+ * +
		100	+ * /fd/ = 4
		101	+ * +
		102	+ * <fd-as-str> = LXC_NUMSTRLEN64
		103	+ * +
		104	+ * \0 = 1
		105	+ */
		106	+#define LXC_PROC_PID_FD_LEN (6 + LXC_NUMSTRLEN64 + 4 + LXC_NUMSTRLEN64 + 1)
		107
		108	/* returns 1 on success, 0 if there were any failures */
		109	extern int lxc_rmdir_onedev(char path, const char exclude);
		110	diff --git a/src/lxc/utils.h b/src/lxc/utils.h
		111	index e4d8519db..56fed0a42 100644
		112	--- a/src/lxc/utils.h
		113	+++ b/src/lxc/utils.h
		114	@@ -94,6 +94,10 @@
		115	#define CGROUP2_SUPER_MAGIC 0x63677270
		116	#endif
		117
		118	+#ifndef NSFS_MAGIC
		119	+#define NSFS_MAGIC 0x6e736673
		120	+#endif
		121	+
		122	/* Useful macros */
		123	/* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
		124	#define LXC_NUMSTRLEN64 21
		125	@@ -555,6 +559,7 @@ extern void must_realloc(void orig, size_t sz);
		126	/* __typeof__ should be safe to use with all compilers. */
		127	typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
		128	extern bool has_fs_type(const char *path, fs_type_magic magic_val);
		129	+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
		130	extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
		131	extern bool lxc_nic_exists(char *nic);
		132	extern int lxc_make_tmpfile(char *template, bool rm);