libcap: Fix TOCTOU race condition in cap_set_file() [RHEL-169304]
Backport upstream fix for CVE-2026-4878. Upstream: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596 Resolves: RHEL-169304 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
This commit is contained in:
Anderson Toshiyuki Sasaki
parent
c0695f455d
commit
d44675328d
162
libcap-cve-2026-4878.patch
Normal file
162
libcap-cve-2026-4878.patch
Normal file
@ -0,0 +1,162 @@
|
||||
From 774ee26f969f3fadd4d3bb47ae218367a2bae0b9 Mon Sep 17 00:00:00 2001
|
||||
From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
Date: Tue, 21 Apr 2026 14:01:42 +0200
|
||||
Subject: [PATCH] Address a potential TOCTOU race condition in cap_set_file().
|
||||
|
||||
Backport of upstream commit 286ace1259992bd0c5d9016715833f2e148ac596
|
||||
from https://git.kernel.org/pub/scm/libs/libcap/libcap.git
|
||||
|
||||
This issue was researched and reported by Ali Raza (@locus-x64). It
|
||||
has been assigned CVE-2026-4878.
|
||||
|
||||
The finding is that while cap_set_file() checks if a file is a regular
|
||||
file before applying or removing a capability attribute, a small
|
||||
window existed after that check when the filepath could be overwritten
|
||||
either with new content or a symlink to some other file. To do this
|
||||
would imply that the caller of cap_set_file() was directing it to a
|
||||
directory over which a local attacker has write access, and performed
|
||||
the operation frequently enough that an attacker had a non-negligible
|
||||
chance of exploiting the race condition. The code now locks onto the
|
||||
intended file, eliminating the race condition.
|
||||
|
||||
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
|
||||
---
|
||||
libcap/cap_file.c | 69 +++++++++++++++++++++++++++++++++++++++-------
|
||||
progs/quicktest.sh | 14 +++++++++-
|
||||
2 files changed, 72 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/libcap/cap_file.c b/libcap/cap_file.c
|
||||
index 84ae3e1..911a21d 100644
|
||||
--- a/libcap/cap_file.c
|
||||
+++ b/libcap/cap_file.c
|
||||
@@ -8,8 +8,13 @@
|
||||
#define _DEFAULT_SOURCE
|
||||
#endif
|
||||
|
||||
+#ifndef _GNU_SOURCE
|
||||
+#define _GNU_SOURCE
|
||||
+#endif
|
||||
+
|
||||
#include <sys/types.h>
|
||||
#include <byteswap.h>
|
||||
+#include <fcntl.h>
|
||||
#include <sys/stat.h>
|
||||
#include <unistd.h>
|
||||
#include <linux/xattr.h>
|
||||
@@ -314,26 +319,70 @@ int cap_set_file(const char *filename, cap_t cap_d)
|
||||
struct vfs_ns_cap_data rawvfscap;
|
||||
int sizeofcaps;
|
||||
struct stat buf;
|
||||
+ char fdpath[64];
|
||||
+ int fd, ret;
|
||||
+
|
||||
+ _cap_debug("setting filename capabilities");
|
||||
+ fd = open(filename, O_RDONLY|O_NOFOLLOW);
|
||||
+ if (fd >= 0) {
|
||||
+ ret = cap_set_fd(fd, cap_d);
|
||||
+ close(fd);
|
||||
+ return ret;
|
||||
+ }
|
||||
|
||||
- if (lstat(filename, &buf) != 0) {
|
||||
- _cap_debug("unable to stat file [%s]", filename);
|
||||
+ /*
|
||||
+ * Attempting to set a file capability on a file the process can't
|
||||
+ * read the content of. This is considered a non-standard use case
|
||||
+ * and the following (slower) code is complicated because it is
|
||||
+ * trying to avoid a TOCTOU race condition.
|
||||
+ */
|
||||
+
|
||||
+ fd = open(filename, O_PATH|O_NOFOLLOW);
|
||||
+ if (fd < 0) {
|
||||
+ _cap_debug("cannot find file at path [%s]", filename);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (fstat(fd, &buf) != 0) {
|
||||
+ _cap_debug("unable to stat file [%s] descriptor %d",
|
||||
+ filename, fd);
|
||||
+ close(fd);
|
||||
return -1;
|
||||
}
|
||||
if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) {
|
||||
- _cap_debug("file [%s] is not a regular file", filename);
|
||||
+ _cap_debug("file [%s] descriptor %d for non-regular file",
|
||||
+ filename, fd);
|
||||
+ close(fd);
|
||||
errno = EINVAL;
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (cap_d == NULL) {
|
||||
- _cap_debug("removing filename capabilities");
|
||||
- return removexattr(filename, XATTR_NAME_CAPS);
|
||||
+ /*
|
||||
+ * While the fd remains open, this named file is locked to the
|
||||
+ * origin regular file. The size of the fdpath variable is
|
||||
+ * sufficient to support a 160+ bit number.
|
||||
+ */
|
||||
+ if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", fd)
|
||||
+ >= sizeof(fdpath)) {
|
||||
+ _cap_debug("file descriptor too large %d", fd);
|
||||
+ errno = EINVAL;
|
||||
+ ret = -1;
|
||||
+
|
||||
+ } else if (cap_d == NULL) {
|
||||
+ _cap_debug("dropping file caps on [%s] via [%s]",
|
||||
+ filename, fdpath);
|
||||
+ ret = removexattr(fdpath, XATTR_NAME_CAPS);
|
||||
+
|
||||
} else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) {
|
||||
- return -1;
|
||||
- }
|
||||
+ _cap_debug("problem converting cap_d to vfscap format");
|
||||
+ ret = -1;
|
||||
|
||||
- _cap_debug("setting filename capabilities");
|
||||
- return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0);
|
||||
+ } else {
|
||||
+ _cap_debug("setting filename capabilities");
|
||||
+ ret = setxattr(fdpath, XATTR_NAME_CAPS, &rawvfscap,
|
||||
+ sizeofcaps, 0);
|
||||
+ }
|
||||
+ close(fd);
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/progs/quicktest.sh b/progs/quicktest.sh
|
||||
index 6aa2598..334e9f6 100755
|
||||
--- a/progs/quicktest.sh
|
||||
+++ b/progs/quicktest.sh
|
||||
@@ -132,7 +132,19 @@ pass_capsh --secbits=0x2f --print -- -c "./privileged --uid=$nouid"
|
||||
fail_capsh --drop=cap_setuid --secbits=0x2f --print -- -c "./privileged --uid=$nouid"
|
||||
|
||||
# change the way the capability is obtained (make it inheritable)
|
||||
+chmod 0000 ./privileged
|
||||
./setcap cap_setuid,cap_setgid=ei ./privileged
|
||||
+if [ $? -ne 0 ]; then
|
||||
+ echo "FAILED to set file capability"
|
||||
+ exit 1
|
||||
+fi
|
||||
+chmod 0755 ./privileged
|
||||
+ln -s privileged unprivileged
|
||||
+./setcap -r ./unprivileged
|
||||
+if [ $? -eq 0 ]; then
|
||||
+ echo "FAILED by removing a capability from a symlinked file"
|
||||
+ exit 1
|
||||
+fi
|
||||
|
||||
# Note, the bounding set (edited with --drop) only limits p
|
||||
# capabilities, not i's.
|
||||
@@ -216,7 +228,7 @@ EOF
|
||||
pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_sys_admin'
|
||||
fail_capsh --mode=PURE1E --iab='!%cap_chown,^cap_sys_admin'
|
||||
fi
|
||||
-/bin/rm -f ./privileged
|
||||
+/bin/rm -f ./privileged ./unprivileged
|
||||
|
||||
echo "testing namespaced file caps"
|
||||
|
||||
--
|
||||
2.53.0
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: libcap
|
||||
Version: 2.48
|
||||
Release: 6%{?dist}
|
||||
Release: 6%{?dist}.1
|
||||
Summary: Library for getting and setting POSIX.1e capabilities
|
||||
URL: https://sites.google.com/site/fullycapable/
|
||||
License: BSD or GPLv2
|
||||
@ -15,6 +15,9 @@ Patch4: %{name}-fix-prctl-usage.patch
|
||||
Patch5: %{name}-check-allocation.patch
|
||||
Patch6: %{name}-cve-2023-2603.patch
|
||||
Patch7: %{name}-cve-2023-2602.patch
|
||||
# RHEL-169304 - CVE-2026-4878: TOCTOU race condition in cap_set_file()
|
||||
# Backport https://git.kernel.org/pub/scm/libs/libcap/libcap.git/commit/?id=286ace1259992bd0c5d9016715833f2e148ac596
|
||||
Patch8: libcap-cve-2026-4878.patch
|
||||
|
||||
BuildRequires: libattr-devel pam-devel perl-interpreter
|
||||
BuildRequires: make
|
||||
@ -93,6 +96,10 @@ chmod +x %{buildroot}/%{_libdir}/*.so.*
|
||||
%{_libdir}/pkgconfig/libpsx.pc
|
||||
|
||||
%changelog
|
||||
* Tue Apr 21 2026 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-6.1
|
||||
- Fix TOCTOU race condition in cap_set_file() (CVE-2026-4878)
|
||||
Resolves: RHEL-169304
|
||||
|
||||
* Wed Dec 13 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 2.48-6
|
||||
- Bump release version to restore upgrade path
|
||||
Resolves: RHEL-19359
|
||||
|
||||
Loading…
Reference in New Issue
Block a user