CVE-2015-1331: lxclock: use /run/lxc/lock rather than /run/lock/lxc

This prevents an unprivileged user to use LXC to create arbitrary file
on the filesystem.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>

diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
index fe13898df98fbeda84e8a53afbeeca7dd3e7a18b..e9e95f7a01d924f824c9a127cd624802c6ed5265 100644 (file)
--- a/src/lxc/lxclock.c
+++ b/src/lxc/lxclock.c
@@ -103,13 +103,13 @@ static char *lxclock_name(const char *p, const char *n)
        char *rundir;
 
        /* lockfile will be:
-        * "/run" + "/lock/lxc/$lxcpath/$lxcname + '\0' if root
+        * "/run" + "/lxc/lock/$lxcpath/$lxcname + '\0' if root
         * or
-        * $XDG_RUNTIME_DIR + "/lock/lxc/$lxcpath/$lxcname + '\0' if non-root
+        * $XDG_RUNTIME_DIR + "/lxc/lock/$lxcpath/$lxcname + '\0' if non-root
         */
 
-       /* length of "/lock/lxc/" + $lxcpath + "/" + "." + $lxcname + '\0' */
-       len = strlen("/lock/lxc/") + strlen(n) + strlen(p) + 3;
+       /* length of "/lxc/lock/" + $lxcpath + "/" + "." + $lxcname + '\0' */
+       len = strlen("/lxc/lock/") + strlen(n) + strlen(p) + 3;
        rundir = get_rundir();
        if (!rundir)
                return NULL;
@@ -120,7 +120,7 @@ static char *lxclock_name(const char *p, const char *n)
                return NULL;
        }
 
-       ret = snprintf(dest, len, "%s/lock/lxc/%s", rundir, p);
+       ret = snprintf(dest, len, "%s/lxc/lock/%s", rundir, p);
        if (ret < 0 || ret >= len) {
                free(dest);
                free(rundir);
@@ -128,40 +128,13 @@ static char *lxclock_name(const char *p, const char *n)
        }
        ret = mkdir_p(dest, 0755);
        if (ret < 0) {
-               /* fall back to "/tmp/" + $(id -u) + "/lxc" + $lxcpath + "/" + "." + $lxcname + '\0'
-                * * maximum length of $(id -u) is 10 calculated by (log (2 ** (sizeof(uid_t) * 8) - 1) / log 10 + 1)
-                * * lxcpath always starts with '/'
-                */
-               int l2 = 22 + strlen(n) + strlen(p);
-               if (l2 > len) {
-                       char *d;
-                       d = realloc(dest, l2);
-                       if (!d) {
-                               free(dest);
-                               free(rundir);
-                               return NULL;
-                       }
-                       len = l2;
-                       dest = d;
-               }
-               ret = snprintf(dest, len, "/tmp/%d/lxc%s", geteuid(), p);
-               if (ret < 0 || ret >= len) {
-                       free(dest);
-                       free(rundir);
-                       return NULL;
-               }
-               ret = mkdir_p(dest, 0755);
-               if (ret < 0) {
-                       free(dest);
-                       free(rundir);
-                       return NULL;
-               }
-               ret = snprintf(dest, len, "/tmp/%d/lxc%s/.%s", geteuid(), p, n);
-       } else
-               ret = snprintf(dest, len, "%s/lock/lxc/%s/.%s", rundir, p, n);
+               free(dest);
+               free(rundir);
+               return NULL;
+       }
 
+       ret = snprintf(dest, len, "%s/lxc/lock/%s/.%s", rundir, p, n);
        free(rundir);
-
        if (ret < 0 || ret >= len) {
                free(dest);
                return NULL;

diff --git a/src/tests/locktests.c b/src/tests/locktests.c
index dd3393a89334dc077513b4bef2a58b028e294255..233ca127c6dec567e775abbbb0ef9ce0ed417e43 100644 (file)
--- a/src/tests/locktests.c
+++ b/src/tests/locktests.c
@@ -122,7 +122,7 @@ int main(int argc, char *argv[])
                exit(1);
        }
        struct stat sb;
-       char *pathname = RUNTIME_PATH "/lock/lxc/var/lib/lxc/";
+       char *pathname = RUNTIME_PATH "/lxc/lock/var/lib/lxc/";
        ret = stat(pathname, &sb);
        if (ret != 0) {
                fprintf(stderr, "%d: filename %s not created\n", __LINE__,