libmount: fix UID check for FUSE umount [CVE-2021-3995]

Improper UID check allows an unprivileged user to unmount FUSE
filesystems of users with similar UID.

Signed-off-by: Karel Zak <kzak@redhat.com>

diff --git a/libmount/src/context_umount.c b/libmount/src/context_umount.c
index 25a409e2272caec7eb0c8b1608cb6f7d3e6d8b01..9c6d190e1383091e9979cc97d081ab7bdc1d2494 100644 (file)
--- a/libmount/src/context_umount.c
+++ b/libmount/src/context_umount.c
@@ -452,10 +452,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
        struct libmnt_ns *ns_old;
        const char *type = mnt_fs_get_fstype(cxt->fs);
        const char *optstr;
-       char *user_id = NULL;
-       size_t sz;
-       uid_t uid;
-       char uidstr[sizeof(stringify_value(ULONG_MAX))];
+       uid_t uid, entry_uid;
 
        *errsv = 0;
 
@@ -472,11 +469,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
        optstr = mnt_fs_get_fs_options(cxt->fs);
        if (!optstr)
                return 0;
-
-       if (mnt_optstr_get_option(optstr, "user_id", &user_id, &sz) != 0)
-               return 0;
-
-       if (sz == 0 || user_id == NULL)
+       if (mnt_optstr_get_uid(optstr, "user_id", &entry_uid) != 0)
                return 0;
 
        /* get current user */
@@ -493,8 +486,7 @@ static int is_fuse_usermount(struct libmnt_context *cxt, int *errsv)
                return 0;
        }
 
-       snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long) uid);
-       return strncmp(user_id, uidstr, sz) == 0;
+       return uid == entry_uid;
 }
 
 /*

diff --git a/libmount/src/mountP.h b/libmount/src/mountP.h
index b47640daac54e9ff1cfd60d913cd27b9623815e0..0919dedb60447e92b1177437f83b2546bc2abfe7 100644 (file)
--- a/libmount/src/mountP.h
+++ b/libmount/src/mountP.h
@@ -399,6 +399,7 @@ extern const struct libmnt_optmap *mnt_optmap_get_entry(
                             const struct libmnt_optmap **mapent);
 
 /* optstr.c */
+extern int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid);
 extern int mnt_optstr_remove_option_at(char **optstr, char *begin, char *end);
 extern int mnt_optstr_fix_gid(char **optstr, char *value, size_t valsz, char **next);
 extern int mnt_optstr_fix_uid(char **optstr, char *value, size_t valsz, char **next);

diff --git a/libmount/src/optstr.c b/libmount/src/optstr.c
index 5adfd4dae61353ed6d1486a9e73449aec19bb7fb..224293f65c302db35d788f961f7662fb7164b8ae 100644 (file)
--- a/libmount/src/optstr.c
+++ b/libmount/src/optstr.c
@@ -1083,6 +1083,48 @@ int mnt_optstr_fix_user(char **optstr)
        return rc;
 }
 
+/*
+ * Converts value from @optstr addressed by @name to uid.
+ *
+ * Returns: 0 on success, 1 if not found, <0 on error
+ */
+int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid)
+{
+       char *value = NULL;
+       size_t valsz = 0;
+       char buf[sizeof(stringify_value(UINT64_MAX))];
+       int rc;
+       uint64_t num;
+
+       assert(optstr);
+       assert(name);
+       assert(uid);
+
+       rc = mnt_optstr_get_option(optstr, name, &value, &valsz);
+       if (rc != 0)
+               goto fail;
+
+       if (valsz > sizeof(buf) - 1) {
+               rc = -ERANGE;
+               goto fail;
+       }
+       mem2strcpy(buf, value, valsz, sizeof(buf));
+
+       rc = ul_strtou64(buf, &num, 10);
+       if (rc != 0)
+               goto fail;
+       if (num > ULONG_MAX || (uid_t) num != num) {
+               rc = -ERANGE;
+               goto fail;
+       }
+       *uid = (uid_t) num;
+
+       return 0;
+fail:
+       DBG(UTILS, ul_debug("failed to convert '%s'= to number [rc=%d]", name, rc));
+       return rc;
+}
+
 /**
  * mnt_match_options:
  * @optstr: options string