CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc

This prevents an unprivileged user to use LXC to create arbitrary file on the filesystem. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc
f547349e · Serge Hallyn · Stéphane Graber · 4056340a · f547349e · f547349e
Commit f547349e authored Jul 03, 2015 by Serge Hallyn Committed by Stéphane Graber Jul 22, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 29 deletions

lxclock.c src/lxc/lxclock.c +10 -28

locktests.c src/tests/locktests.c +1 -1

No files found.
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n)
 	char *rundir;
 	/* lockfile will be:
-	 * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root
+	 * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root
 	 * or
-	 * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root
+	 * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root
 	 */
-	/* length of "/lock/lxc/" + $lxcpath + "/" + $lxcname + '\0' */
+	/* length of "/lxc/lock/" + $lxcpath + "/" + $lxcname + '\0' */
-	len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 2;
+	len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 2;
 	rundir = get_rundir();
 	if (!rundir)
 		return NULL;
@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n)
 		return NULL;
 	}
-	ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p);
+	ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p);
 	if (ret < 0 || ret >= len) {
 		free(dest);
 		free(rundir);
@@ -128,31 +128,13 @@ static char *lxclock_name(const char *p, const char *n)
 	}
 	ret = mkdir_p(dest, 0755);
 	if (ret < 0) {
-		/* fall back to "/tmp/" $(id -u) "/lxc/" $lxcpath / $lxcname + '\0' */
+		free(dest);
-		int l2 = 33 + strlen(n) + strlen(p);
+		free(rundir);
-		if (l2 > len) {
+		return NULL;
-			char *d;
+	}
-			d = realloc(dest, l2);
-			if (!d) {
-				free(dest);
-				free(rundir);
-				return NULL;
-			}
-			len = l2;
-			dest = d;
-		}
-		ret = snprintf(dest, len, "/tmp/%d/lxc/%s", geteuid(), p);
-		if (ret < 0 || ret >= len) {
-			free(dest);
-			free(rundir);
-			return NULL;
-		}
-		ret = snprintf(dest, len, "/tmp/%d/lxc/%s/%s", geteuid(), p, n);
-	} else
-		ret = snprintf(dest, len, "%s/lock/lxc/%s/%s", rundir, p, n);
+	ret = snprintf(dest, len, "%s/lxc/lock/%s/%s", rundir, p, n);
 	free(rundir);
 	if (ret < 0 || ret >= len) {
 		free(dest);
 		return NULL;

--- a/src/tests/locktests.c
+++ b/src/tests/locktests.c
@@ -122,7 +122,7 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 	struct stat sb;
-	char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/";
+	char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/";
 	ret = stat(pathname, &sb);
 	if (ret != 0) {
 		fprintf(stderr, "%d: filename %s not created\n", __LINE__,