CVE 2018-6556: verify netns fd in lxc-user-nic

src/lxc/cmd/lxc_user_nic.c

@@ -1179,12 +1179,41 @@ int main(int argc, char *argv[])
 			exit(EXIT_FAILURE);
 		}
 	} else if (request == LXC_USERNIC_DELETE) {
-		netns_fd = open(args.pid, O_RDONLY);
+		char opath[LXC_PROC_PID_FD_LEN];
+
+		/* Open the path with O_PATH which will not trigger an actual
+		 * open(). Don't report an errno to the caller to not leak
+		 * information whether the path exists or not.
+		 * When stracing setuid is stripped so this is not a concern
+		 * either.
+		 */
+		netns_fd = open(args.pid, O_PATH | O_CLOEXEC);
 		if (netns_fd < 0) {
-			usernic_error("Could not open \"%s\": %s\n", args.pid,
-				      strerror(errno));
+			usernic_error("Failed to open \"%s\"\n", args.pid);
+			exit(EXIT_FAILURE);
+		}
+
+		if (!fhas_fs_type(netns_fd, NSFS_MAGIC)) {
+			usernic_error("Path \"%s\" does not refer to a network namespace path\n", args.pid);
+			close(netns_fd);
+			exit(EXIT_FAILURE);
+		}
+
+		ret = snprintf(opath, sizeof(opath), "/proc/self/fd/%d", netns_fd);
+		if (ret < 0 || (size_t)ret >= sizeof(opath)) {
+			close(netns_fd);
+			exit(EXIT_FAILURE);
+		}
+
+		/* Now get an fd that we can use in setns() calls. */
+		ret = open(opath, O_RDONLY | O_CLOEXEC);
+		if (ret < 0) {
+			usernic_error("Failed to open \"%s\": %s\n", args.pid, strerror(errno));
+			close(netns_fd);
 			exit(EXIT_FAILURE);
 		}
+		close(netns_fd);
+		netns_fd = ret;
 	}
 
 	if (!create_db_dir(LXC_USERNIC_DB)) {

src/lxc/macro.h

@@ -69,6 +69,10 @@
 #define CGROUP2_SUPER_MAGIC 0x63677270
 #endif
 
+#ifndef NSFS_MAGIC
+#define NSFS_MAGIC 0x6e736673
+#endif
+
 /* Useful macros */
 /* Maximum number for 64 bit integer is a string with 21 digits: 2^64 - 1 = 21 */
 #define LXC_NUMSTRLEN64 21

src/lxc/utils.c

@@ -2551,6 +2551,18 @@ bool has_fs_type(const char *path, fs_type_magic magic_val)
 	return has_type;
 }
 
+bool fhas_fs_type(int fd, fs_type_magic magic_val)
+{
+	int ret;
+	struct statfs sb;
+
+	ret = fstatfs(fd, &sb);
+	if (ret < 0)
+		return false;
+
+	return is_fs_type(&sb, magic_val);
+}
+
 bool lxc_nic_exists(char *nic)
 {
 #define __LXC_SYS_CLASS_NET_LEN 15 + IFNAMSIZ + 1

src/lxc/utils.h

@@ -471,6 +471,7 @@ extern void *must_realloc(void *orig, size_t sz);
 /* __typeof__ should be safe to use with all compilers. */
 typedef __typeof__(((struct statfs *)NULL)->f_type) fs_type_magic;
 extern bool has_fs_type(const char *path, fs_type_magic magic_val);
+extern bool fhas_fs_type(int fd, fs_type_magic magic_val);
 extern bool is_fs_type(const struct statfs *fs, fs_type_magic magic_val);
 extern bool lxc_nic_exists(char *nic);
 extern int lxc_make_tmpfile(char *template, bool rm);