oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2019-5736: runc container breakout (all versions)

From: Aleksa Sarai <asarai () suse de>
Date: Wed, 13 Feb 2019 20:03:20 +1100
On 2019-02-12, Solar Designer <solar () openwall com> wrote:

 static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
 {
        struct task_struct *task;
@@ -1628,10 +1780,15 @@ static int proc_exe_link(struct dentry *dentry,
struct path *exe_path)
        exe_file = get_task_exe_file(task);
        put_task_struct(task);
        if (exe_file) {
-               *exe_path = exe_file->f_path;
-               path_get(&exe_file->f_path);
+               int result;
+
+               result = path_in_ve(&exe_file->f_path);
+               if (result == 0) {
+                       *exe_path = exe_file->f_path;
+                       path_get(&exe_file->f_path);
+               }
                fput(exe_file);
-               return 0;
+               return result;
        } else
                return -ENOENT;
 }
---

This uses Virtuozzo/OpenVZ specific APIs, so won't be directly usable
elsewhere, but maybe a similar approach could be used upstream?


I have just sent v5 of my AT_THIS_ROOT patchset to LKML[1] -- which
allows userspace processes to block resolution of magic links. While
blocking access through /proc/self/exe helps block this issues, being
able to block (from userspace) resolution of all magic links would
massively help avoid problems like this.

[1]: https://marc.info/?l=linux-api&m=155002737629350&w=2

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

Attachment: signature.asc
Description:

Previous By Date Next
Previous By Thread Next

Current thread: