rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity
77ab2b463d
sssd/SOURCES/0010-SSS_CLIENT-check-if-mem-cache-fd-was-hijacked.patch
eabdullin 77ab2b463d - Apply 0008-DP-reduce-log-level-in-case-a-responder-asks.patch 
- Apply 0009-SSS_CLIENT-MC-in-case-mem-cache-file-validation-fails.patch
- Apply 0010-SSS_CLIENT-check-if-mem-cache-fd-was-hijacked.patch
- Apply 0011-SSS_CLIENT-check-if-reponder-socket-was-hijacked.patch
- Apply 0012-LDAP-make-groups_by_user_send-recv-public.patch
- Apply 0013-ad-gpo-evalute-host-groups.patch
- Apply 0014-sysdb-remove-sysdb_computer.ch.patch
- Apply 0015-sdap-add-set_non_posix-parameter.patch
- Apply 0016-ipa-Add-BUILD_PASSKEY-conditional-for-passkey-codepath.patch
- Apply 0017-pam-Conditionalize-passkey-code.patch
- Apply 0018-Makefile-Respect-BUILD_PASSKEY-conditional.patch
2024-01-25 14:49:15 +03:00

83 lines
2.8 KiB
Diff
Raw Blame History

From 0344c41aca0d6fcaa33e081ed77297607e48ced4 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov <atikhono@redhat.com>
Date: Fri, 15 Dec 2023 14:52:51 +0100
Subject: [PATCH] SSS_CLIENT: check if mem-cache fd was hijacked
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Real life example would be:
https://github.com/TigerVNC/tigervnc/blob/effd854bfd19654fa67ff3d39514a91a246b8ae6/unix/xserver/hw/vnc/xvnc.c#L369
- TigerVNC unconditionally overwrites fd=3
Resolves: https://github.com/SSSD/sssd/issues/6986
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
---
src/sss_client/nss_mc.h | 6 ++++--
src/sss_client/nss_mc_common.c | 10 ++++++++++
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/sss_client/nss_mc.h b/src/sss_client/nss_mc.h
index 9ab2736fa6..646861ba52 100644
--- a/src/sss_client/nss_mc.h
+++ b/src/sss_client/nss_mc.h
@@ -53,6 +53,8 @@ struct sss_cli_mc_ctx {
pthread_mutex_t *mutex;
#endif
int fd;
+ ino_t fd_inode;
+ dev_t fd_device;
uint32_t seed; /* seed from the tables header */
@@ -69,9 +71,9 @@ struct sss_cli_mc_ctx {
};
#if HAVE_PTHREAD
-#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+#define SSS_CLI_MC_CTX_INITIALIZER(mtx) {UNINITIALIZED, (mtx), -1, 0, 0, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#else
-#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, NULL, 0, NULL, 0, NULL, 0, 0}
+#define SSS_CLI_MC_CTX_INITIALIZER {UNINITIALIZED, -1, 0, 0, 0, NULL, 0, NULL, 0, NULL, 0, 0}
#endif
errno_t sss_nss_mc_get_ctx(const char *name, struct sss_cli_mc_ctx *ctx);
diff --git a/src/sss_client/nss_mc_common.c b/src/sss_client/nss_mc_common.c
index 37119fa8d3..17683ac0e5 100644
--- a/src/sss_client/nss_mc_common.c
+++ b/src/sss_client/nss_mc_common.c
@@ -87,6 +87,12 @@ static errno_t sss_nss_mc_validate(struct sss_cli_mc_ctx *ctx)
return EINVAL;
}
+ /* FD was hijacked */
+ if ((fdstat.st_dev != ctx->fd_device) || (fdstat.st_ino != ctx->fd_inode)) {
+ ctx->fd = -1; /* don't ruin app even if it's misbehaving */
+ return EINVAL;
+ }
+
/* Invalid size. */
if (fdstat.st_size != ctx->mmap_size) {
return EINVAL;
@@ -161,6 +167,8 @@ static void sss_nss_mc_destroy_ctx(struct sss_cli_mc_ctx *ctx)
close(ctx->fd);
}
ctx->fd = -1;
+ ctx->fd_inode = 0;
+ ctx->fd_device = 0;
ctx->seed = 0;
ctx->data_table = NULL;
@@ -202,6 +210,8 @@ static errno_t sss_nss_mc_init_ctx(const char *name,
ret = EIO;
goto done;
}
+ ctx->fd_inode = fdstat.st_ino;
+ ctx->fd_device = fdstat.st_dev;
if (fdstat.st_size < MC_HEADER_SIZE) {
ret = ENOMEM;
Reference in New Issue View Git Blame Copy Permalink