mirror of
git://sourceware.org/git/glibc.git
synced 2025-01-12 12:07:12 +08:00
e4608715e6
The helper binary pt_chown tricked into granting access to another user's pseudo-terminal. Pre-conditions for the attack: * Attacker with local user account * Kernel with FUSE support * "user_allow_other" in /etc/fuse.conf * Victim with allocated slave in /dev/pts Using the setuid installed pt_chown and a weak check on whether a file descriptor is a tty, an attacker could fake a pty check using FUSE and trick pt_chown to grant ownership of a pty descriptor that the current user does not own. It cannot access /dev/pts/ptmx however. In most modern distributions pt_chown is not needed because devpts is enabled by default. The fix for this CVE is to disable building and using pt_chown by default. We still provide a configure option to enable hte use of pt_chown but distributions do so at their own risk.
45 lines
1.0 KiB
C
45 lines
1.0 KiB
C
#include <assert.h>
|
|
#include <ctype.h>
|
|
#include <dirent.h>
|
|
#include <errno.h>
|
|
#include <fcntl.h>
|
|
#include <paths.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
#include <not-cancel.h>
|
|
|
|
#include "pty-private.h"
|
|
|
|
#if HAVE_PT_CHOWN
|
|
/* Close all file descriptors except the one specified. */
|
|
static void
|
|
close_all_fds (void)
|
|
{
|
|
DIR *dir = __opendir ("/proc/self/fd");
|
|
if (dir != NULL)
|
|
{
|
|
struct dirent64 *d;
|
|
while ((d = __readdir64 (dir)) != NULL)
|
|
if (isdigit (d->d_name[0]))
|
|
{
|
|
char *endp;
|
|
long int fd = strtol (d->d_name, &endp, 10);
|
|
if (*endp == '\0' && fd != PTY_FILENO && fd != dirfd (dir))
|
|
close_not_cancel_no_status (fd);
|
|
}
|
|
|
|
__closedir (dir);
|
|
|
|
int nullfd = open_not_cancel_2 (_PATH_DEVNULL, O_RDONLY);
|
|
assert (nullfd == STDIN_FILENO);
|
|
nullfd = open_not_cancel_2 (_PATH_DEVNULL, O_WRONLY);
|
|
assert (nullfd == STDOUT_FILENO);
|
|
__dup2 (STDOUT_FILENO, STDERR_FILENO);
|
|
}
|
|
}
|
|
# define CLOSE_ALL_FDS() close_all_fds()
|
|
#endif
|
|
|
|
#include <sysdeps/unix/grantpt.c>
|