From 2b4d27ef9b5d9f38654277f021fabdda2d5f8e36 Mon Sep 17 00:00:00 2001 From: isuladci Date: Thu, 12 Jan 2023 19:20:43 -0800 Subject: [PATCH] fix cve CVE-2022-47952: log leaks root information Signed-off-by: isuladci --- src/lxc/cmd/lxc_user_nic.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/src/lxc/cmd/lxc_user_nic.c b/src/lxc/cmd/lxc_user_nic.c index 4160565..5b848da 100644 --- a/src/lxc/cmd/lxc_user_nic.c +++ b/src/lxc/cmd/lxc_user_nic.c @@ -1087,20 +1087,16 @@ int main(int argc, char *argv[]) } else if (request == LXC_USERNIC_DELETE) { char opath[LXC_PROC_PID_FD_LEN]; - /* Open the path with O_PATH which will not trigger an actual - * open(). Don't report an errno to the caller to not leak - * information whether the path exists or not. - * When stracing setuid is stripped so this is not a concern - * either. - */ + // Keep in mind CVE-2022-47952: It's crucial not to leak any + // information whether open() succeeded or failed. netns_fd = open(args.pid, O_PATH | O_CLOEXEC); if (netns_fd < 0) { - usernic_error("Failed to open \"%s\"\n", args.pid); + usernic_error("Failed while opening netns file for \"%s\"\n", args.pid); _exit(EXIT_FAILURE); } if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) { - usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid); + usernic_error("Failed while opening netns file for \"%s\"\n", args.pid); close(netns_fd); _exit(EXIT_FAILURE); } @@ -1114,7 +1110,7 @@ int main(int argc, char *argv[]) /* Now get an fd that we can use in setns() calls. */ ret = open(opath, O_RDONLY | O_CLOEXEC); if (ret < 0) { - CMD_SYSERROR("Failed to open \"%s\"\n", args.pid); + CMD_SYSERROR("Failed while opening netns file for \"%s\"\n", args.pid); close(netns_fd); _exit(EXIT_FAILURE); } -- 2.25.1