From b79b4ba532316faa0b4147bc4edb5e6f14f5f18d Mon Sep 17 00:00:00 2001
From: zhihang
Date: Fri, 7 Mar 2025 02:22:00 +0000
Subject: [PATCH] CVE-2025-24965

Signed-off-by: zhihang
---
 src/libcrun/handlers/krun.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
index 0342a33..2437967 100644
--- a/src/libcrun/handlers/krun.c
+++ b/src/libcrun/handlers/krun.c
@@ -43,6 +43,8 @@
 /* libkrun has a hard-limit of 8 vCPUs per microVM. */
 #define LIBKRUN_MAX_VCPUS 8
 
+#define KRUN_CONFIG_FILE ".krun_config.json"
+
 struct krun_config
 {
 void *handle;
@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
 if (UNLIKELY (ret < 0))
 return ret;
 
- ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
+ /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user. We
+ must ensure the file is opened below the rootfs directory. */
+ fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
+ if (UNLIKELY (fd < 0))
+ return fd;
+
+ ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
 if (UNLIKELY (ret < 0))
 return ret;
 }
-- 
2.43.0
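Review bot: In the second hunk (`libkrun_configure_container`), `fd` is assigned from `safe_openat` but neither hunk declares it, and nothing visible closes it before `return ret;` on the `safe_write` failure path or at the closing brace. The diffstat's 9 insertions are all accounted for by the lines shown, so the declaration would have to exist already in the target tree. If it does not, or if it is a plain `int`, this backport either fails to build or leaks a descriptor into the container rootfs on every call. Declaring `cleanup_close int fd = -1;` with the block's other locals would close it on both return paths. The enclosing block and function begin outside the hunk, so check this against the full file. It is also worth confirming that `safe_openat` in the target version takes exactly these six arguments.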