From b79b4ba532316faa0b4147bc4edb5e6f14f5f18d Mon Sep 17 00:00:00 2001
From: zhihang <zhihang161013@outlook.com>
Date: Fri, 7 Mar 2025 02:22:00 +0000
Subject: [PATCH] CVE-2025-24965
Signed-off-by: zhihang <zhihang161013@outlook.com>
---
src/libcrun/handlers/krun.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
index 0342a33..2437967 100644
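--- a/src/libcrun/handlers/krun.c
+++ b/src/libcrun/handlers/krun.c
@@ -43,6 +43,8 @@
 /* libkrun has a hard-limit of 8 vCPUs per microVM. */
 #define LIBKRUN_MAX_VCPUS 8
 
+#define KRUN_CONFIG_FILE ".krun_config.json"
+
 struct krun_config
 {
 void *handle;
@@ -207,7 +209,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
 if (UNLIKELY (ret < 0))
 return ret;
 
- ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
+ /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user. We
+ must ensure the file is opened below the rootfs directory. */
+ fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
+ if (UNLIKELY (fd < 0))
+ return fd;
+
+ ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
 if (UNLIKELY (ret < 0))
 return ret;
 }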
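Review bot: The descriptor that `safe_openat` returns into `fd` is neither declared nor closed anywhere in this patch. All nine insertions counted in the diffstat are visible in the two hunks, so the patch itself adds no declaration. Unless `libkrun_configure_container` already declares it with automatic cleanup, e.g. `cleanup_close int fd = -1;`, this backport either fails to build or leaks the descriptor on both the `safe_write` error return and the success path. The function begins and ends outside the hunk, so this needs checking against the target tree before the fix is treated as complete.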
--
2.43.0