write_mapping() will do the following:
openat(proc_dir_fd, map_file, O_WRONLY);
An attacker could create a directory containing a symlink named
"uid_map" pointing to any root-owned file, and thus use the
privileged writer to overwrite that root-owned file.
{
long long int val;
char *endptr;
+ struct stat st;
+ dev_t proc_st_dev, proc_st_rdev;
errno = 0;
val = strtoll (pidfdstr, &endptr, 10);
return -1;
}
+ if (stat("/proc/self/uid_map", &st) < 0) {
+ return -1;
+ }
+
+ proc_st_dev = st.st_dev;
+ proc_st_rdev = st.st_rdev;
+
+ if (fstat(val, &st) < 0) {
+ return -1;
+ }
+
+ if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev) {
+ return -1;
+ }
+
return (int)val;
}
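Review bot: The new check at `fstat(val, &st)` / `st.st_dev != proc_st_dev` only proves the descriptor lives on the same procfs superblock as `/proc/self/uid_map`; it does not verify that it is a directory, so a descriptor to a regular procfs file passes here and only fails later in `openat()` with a less specific error — adding `if (!S_ISDIR(st.st_mode)) { return -1; }` after the `fstat()` makes that explicit. The `st_rdev` half of the comparison is only meaningful for device nodes and will be 0 on both sides for procfs entries, so it adds nothing; either drop it or document the intent above the comparison with `/* the fd must be on the same procfs instance as our own /proc: a directory the caller created elsewhere (symlink attack) has a different st_dev */`. Because st_dev differs between procfs mounts, a caller whose `/proc` is a separate mount (e.g. another pid namespace) will be rejected here, which is presumably intended but worth stating in the comment. The range check between the `strtoll()` call and the first `return -1` is elided in this view, so whether `(int)val` can silently truncate before reaching `fstat()` cannot be confirmed from the hunk.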