Bug#777649: cgmanager security update for jessie
On 2015-02-11 19:57, Serge Hallyn wrote:
> Quoting Niels Thykier (niels@thykier.net):
>> Control: tags -1 moreinfo
>>
>> On 2015-02-11 05:36, Serge Hallyn wrote:
>>> Package: release.debian.org
>>> Usertags: jessie-pu
>>>
>>> A security issue was found in cgmanager, allowing root-owned privileged
>>> containers to fully administer cgroups on the host. Two other issues
>>> were found which allow cgmanager to be crashed by unprivileged users.
>>> These have all been fixed in sid. The debdiff below, against the current
>>> jessie package, fixes them for jessie.
>>>
>>> debdiff:
>>>
>>> [...]
>>> +
>>> ++ // Make sure target cgroup is under proxy's
>>> ++ int plen = strlen(pcgpath);
>>> ++ if (strncmp(pcgpath, path, plen) != 0) {
>>> ++ nih_error("%s: target cgroup is not below r (%d)'s", __func__,
>>> ++ r.pid);
>>> ++ return -1;
>>> ++ }
>>> ++
>>> [...]
>>
>> Hi,
>>
>> Is this truly a sufficient test? The above only tests that pcgpath is a
>> prefix of path. I do not know exactly what these paths are, so I have
>> to ask.
>>
>> Consider:
>>
>> pcgpath = "root"
>> pcpgpath = "root-acually-not-really"
>> plen = strlen(pcgpath) (= 4)
>>
>> So if only the first plen characters match, they will be considered
>> equal. If you know, cases like this cannot happen, then it is fine. I
>> just wanted to double check.
>
> Thanks, I appreciate the extra set of eyes.
>
> The situation is that the task making the request (or proxying the request)
> is supposed to be locked under its current cgroup, say /a/b/c. It's making
> a request pertaining to some cgroup X. We want to make sure that X is
> under /a/b/c. Hence the path prefix test.
>
> thanks,
> -serge
>
Ok, are we guaranteed that pcgpath ends with the path separator? Consider:
"/foo/bar"
"/foo/bar2/somewhere-else"
Unless the path separator is included in the end (i.e. it always uses
"/foo/bar/" instead of "/foo/bar"), then it might still be possible to
by-pass the prefix test.
~Niels
Reply to: