From b5b610af5d6e5bd72381f79f526fa38d411686e0 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Wed, 8 Aug 2018 11:50:00 -0400
Subject: gnu: lxc: Fix CVE-2018-6556.

* gnu/packages/patches/lxc-CVE-2018-6556.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/virtualization.scm (lxc)[source]: Use it.
---
 gnu/local.mk                                 |   1 +
 gnu/packages/patches/lxc-CVE-2018-6556.patch | 116 +++++++++++++++++++++++++++
 gnu/packages/virtualization.scm              |   1 +
 3 files changed, 118 insertions(+)
 create mode 100644 gnu/packages/patches/lxc-CVE-2018-6556.patch

(limited to 'gnu')

diff --git a/gnu/local.mk b/gnu/local.mk
index ef28cf032c..c54a297209 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -924,6 +924,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/luit-posix.patch				\
   %D%/packages/patches/luminance-hdr-qt-printer.patch		\
   %D%/packages/patches/lvm2-static-link.patch			\
+  %D%/packages/patches/lxc-CVE-2018-6556.patch         		\
   %D%/packages/patches/lxsession-use-gapplication.patch         \
   %D%/packages/patches/lyx-2.2.3-fix-test.patch			\
   %D%/packages/patches/mailutils-uninitialized-memory.patch	\
diff --git a/gnu/packages/patches/lxc-CVE-2018-6556.patch b/gnu/packages/patches/lxc-CVE-2018-6556.patch
new file mode 100644
index 0000000000..7eab7101f1
--- /dev/null
+++ b/gnu/packages/patches/lxc-CVE-2018-6556.patch
@@ -0,0 +1,116 @@
+Fix CVE-2018-6556:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6556
+https://bugzilla.suse.com/show_bug.cgi?id=988348#c8
+
+Patch copied from upstream source repository:
+
+https://github.com/lxc/lxc/commit/c1cf54ebf251fdbad1e971679614e81649f1c032
+
+From c1cf54ebf251fdbad1e971679614e81649f1c032 Mon Sep 17 00:00:00 2001
+From: Christian Brauner <christian.brauner@ubuntu.com>
+Date: Wed, 25 Jul 2018 19:56:54 +0200
+Subject: [PATCH] CVE 2018-6556: verify netns fd in lxc-user-nic
+
+Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
+---
+ src/lxc/cmd/lxc_user_nic.c | 35 ++++++++++++++++++++++++++++++++---
+ src/lxc/utils.c            | 12 ++++++++++++
+ src/lxc/utils.h            |  5 +++++
+ 3 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c
+index ec9cd97e0..c5beb6c8d 100644
+--- a/src/lxc/cmd/lxc_user_nic.c
++++ b/src/lxc/cmd/lxc_user_nic.c
+@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
+ 			exit(EXIT_FAILURE);
+ 		}
+ 	} else if (request == LXC_USERNIC_DELETE) {
+-		netns_fd = open(args.pid, O_RDONLY);
++		char opath[LXC_PROC_PID_FD_LEN];
++
++		/* Open the path with O_PATH which will not trigger an actual
++		 * open(). Don't report an errno to the caller to not leak
++		 * information whether the path exists or not.
++		 * When stracing setuid is stripped so this is not a concern
++		 * either.
++		 */
++		netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
+ 		if (netns_fd < 0) {
+-			usernic_error("Could not open \"%s\": %s\n", args.pid,
+-				      strerror(errno));
++			usernic_error("Failed to open \"%s\"\n", args.pid);
++			exit(EXIT_FAILURE);
++		}
++
++		if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
++			usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
++			close(netns_fd);
++			exit(EXIT_FAILURE);
++		}
++
++		ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
++		if (ret < 0 || (size_t)ret >= sizeof(opath)) {
++			close(netns_fd);
++			exit(EXIT_FAILURE);
++		}
++
++		/* Now get an fd that we can use in setns() calls. */
++		ret = open(opath, O_RDONLY | O_CLOEXEC);
++		if (ret < 0) {
++			usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
++			close(netns_fd);
+ 			exit(EXIT_FAILURE);
+ 		}
++		close(netns_fd);
++		netns_fd = ret;
+ 	}
+ 
+ 	if (!create_db_dir(LXC_USERNIC_DB)) {
+diff --git a/src/lxc/utils.c b/src/lxc/utils.c
+index 530b1f81a..3b854e35b 100644
+--- a/src/lxc/utils.c
++++ b/src/lxc/utils.c
+@@ -2544,6 +2544,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
+ 	return has_type;
+ }
+ 
++bool fhas_fs_type(int fd, fs_type_magic magic_val)
++{
++	int ret;
++	struct statfs sb;
++
++	ret = fstatfs(fd, &sb);
++	if (ret < 0)
++		return false;
++
++	return is_fs_type(&sb, magic_val);
++}
++
+ bool lxc_nic_exists(char *nic)
+ {
+ #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1
+diff --git a/src/lxc/utils.h b/src/lxc/utils.h
+index 6a0bebded..0805f5d0d 100644
+--- a/src/lxc/utils.h
++++ b/src/lxc/utils.h
+@@ -95,6 +95,10 @@
+ #define CGROUP2_SUPER_MAGIC 0x63677270
+ #endif
+ 
++#ifndef NSFS_MAGIC
++#define NSFS_MAGIC 0x6e736673
++#endif
++
+ /* Useful macros */
+ /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
+ #define LXC_NUMSTRLEN64 21
+@@ -580,6 +584,7 @@ extern void *must_realloc(void *orig, size_t sz);
+ /* __typeof__ should be safe to use with all compilers. */
+ typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
+ extern bool has_fs_type(const char *path, fs_type_magic magic_val);
++extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
+ extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
+ extern bool lxc_nic_exists(char *nic);
+ extern int lxc_make_tmpfile(char *template, bool rm);
diff --git a/gnu/packages/virtualization.scm b/gnu/packages/virtualization.scm
index e4120de38f..192d599a3d 100644
--- a/gnu/packages/virtualization.scm
+++ b/gnu/packages/virtualization.scm
@@ -347,6 +347,7 @@ (define-public lxc
               (uri (string-append
                     "https://linuxcontainers.org/downloads/lxc/lxc-"
                     version ".tar.gz"))
+              (patches (search-patches "lxc-CVE-2018-6556.patch"))
               (sha256
                (base32
                 "1nyml98k28sc5sda0260cmby4irkpnhpwgmx4yhqy10wpr4nr625"))))
-- 
cgit v1.2.3