diff options
author | Sam Hartman <hartmans@debian.org> | 2024-02-02 11:38:09 -0700 |
---|---|---|
committer | Sam Hartman <hartmans@debian.org> | 2024-02-27 21:30:52 -0700 |
commit | 8ba7b6f873029f800bf7be02bbd490d0b0d6d6b9 (patch) | |
tree | 09b7c7f3e448df2b11421923183089c6d3d33b5c | |
parent | 34f9f87f75cd75f61a72bf2de1d9e537882803ba (diff) |
From: Matthias Gerstner <matthias.gerstner@suse.de> Date: Wed, 27 Dec 2023 14:01:59 +0100 Subject: pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations Origin: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb Bug-Debian: https://bugs.debian.org/1061097 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-22365
Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
being placed in user controlled directories, causing the PAM module to
block indefinitely during `openat()`.
Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
refer to a directory.
With this the check whether the final path element is a directory
becomes unnecessary, drop it.
Gbp-Pq: Name pam_namespace_o_directory
-rw-r--r-- | modules/pam_namespace/pam_namespace.c | 18 |
1 files changed, 1 insertions, 17 deletions
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index f34ce934..ef856443 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -1194,7 +1194,7 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, int dfd = AT_FDCWD; int dfd_next; int save_errno; - int flags = O_RDONLY; + int flags = O_RDONLY | O_DIRECTORY; int rv = -1; struct stat st; @@ -1248,22 +1248,6 @@ static int protect_dir(const char *path, mode_t mode, int do_mkdir, rv = openat(dfd, dir, flags); } - if (rv != -1) { - if (fstat(rv, &st) != 0) { - save_errno = errno; - close(rv); - rv = -1; - errno = save_errno; - goto error; - } - if (!S_ISDIR(st.st_mode)) { - close(rv); - errno = ENOTDIR; - rv = -1; - goto error; - } - } - if (flags & O_NOFOLLOW) { /* we are inside user-owned dir - protect */ if (protect_mount(rv, p, idata) == -1) { |