From: Vinícius dos Santos Oliveira Date: Fri, 24 Feb 2023 21:06:02 +0000 (-0300) Subject: Validate fds created by the user X-Git-Tag: 4.14.0-rc1~150 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05e2adf509ba0e3779dae66a276b86927a8e1e0e;p=thirdparty%2Fshadow.git Validate fds created by the user write_mapping() will do the following: openat(proc_dir_fd, map_file, O_WRONLY); An attacker could create a directory containing a symlink named "uid_map" pointing to any file owned by root, and thus allow him to overwrite any root-owned file.
---
diff --git a/lib/get_pid.c b/lib/get_pid.c
index 5b6d9da40..8e5e6014b 100644
--- a/lib/get_pid.c
+++ b/lib/get_pid.c
@@ -41,6 +41,8 @@ int get_pidfd_from_fd(const char *pidfdstr)
 {
 long long int val;
 char *endptr;
+ struct stat st;
+ dev_t proc_st_dev, proc_st_rdev;
 errno = 0;
 val = strtoll (pidfdstr, &endptr, 10);
@@ -51,6 +53,21 @@ int get_pidfd_from_fd(const char *pidfdstr)
 return -1;
 }
+ if (stat("/proc/self/uid_map", &st) < 0) {
+ return -1;
+ }
+
+ proc_st_dev = st.st_dev;
+ proc_st_rdev = st.st_rdev;
+
+ if (fstat(val, &st) < 0) {
+ return -1;
+ }
+
+ if (st.st_dev != proc_st_dev || st.st_rdev != proc_st_rdev) {
+ return -1;
+ }
+
 return (int)val;
 }
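Review bot: The device comparison added in the second hunk only establishes that the descriptor lives on the same filesystem as `/proc/self/uid_map`; it does not check that the descriptor is a directory, and `st_rdev` is only meaningful for device special files, so that half of the test adds little for a procfs entry. If the returned value is only ever used as the directory fd for the `openat()` quoted in the commit message, adding `if (!S_ISDIR(st.st_mode)) return -1;` after the `fstat` would reject other procfs objects early. `fstat(val, &st)` also passes a `long long` where an `int` is expected; `fstat((int)val, &st)` makes the narrowing explicit, relying on the validity check whose condition sits above this hunk and is not visible here. A short comment such as `/* reject fds that are not on procfs: a user-created directory can hold a symlink named uid_map */` would record why the check exists.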