From 806bb07571b698d90169c3b73cb65cd09c900284 Mon Sep 17 00:00:00 2001

From: Jakub Filak <jfilak@redhat.com>

Date: Fri, 17 Apr 2015 14:40:20 +0200

Subject: [ABRT PATCH] ccpp: do not use value of /proc/PID/cwd for chdir

Avoid symlink resolutions.

This issue was discovered by Florian Weimer of Red Hat Product Security.

Signed-off-by: Jakub Filak <jfilak@redhat.com>

---

 src/hooks/abrt-hook-ccpp.c | 85 +++++++++++++++++++++++-----------------------

 1 file changed, 42 insertions(+), 43 deletions(-)

diff --git a/src/hooks/abrt-hook-ccpp.c b/src/hooks/abrt-hook-ccpp.c

index 82ff555..d600bb7 100644

--- a/src/hooks/abrt-hook-ccpp.c

+++ b/src/hooks/abrt-hook-ccpp.c

@@ -144,6 +144,7 @@ static off_t copyfd_sparse(int src_fd, int dst_fd1, int dst_fd2, off_t size2)

 /* Global data */

 static char *user_pwd;

+static DIR *proc_cwd;

 static char *proc_pid_status;

 static struct dump_dir *dd;

 static int user_core_fd = -1;

@@ -163,13 +164,6 @@ static int user_core_fd = -1;

  */

 static const char percent_specifiers[] = "%scpugteh";

 static char *core_basename = (char*) "core";

-/*

- * Used for error messages only.

- * It is either the same as core_basename if it is absolute,

- * or $PWD/core_basename.

- */

-static char *full_core_basename;

-

 static char* get_executable(pid_t pid, int *fd_p)

 {

@@ -198,6 +192,18 @@ static char* get_executable(pid_t pid, int *fd_p)

     return executable;

 }

+static DIR *open_cwd(pid_t pid)

+{

+    char buf[sizeof("/proc/%lu/cwd") + sizeof(long)*3];

+    sprintf(buf, "/proc/%lu/cwd", (long)pid);

+

+    DIR *cwd = opendir(buf);

+    if (cwd == NULL)

+        perror_msg("Can't open process's CWD for CompatCore");

+

+    return cwd;

+}

+

 static char* get_cwd(pid_t pid)

 {

     char buf[sizeof("/proc/%lu/cwd") + sizeof(long)*3];

@@ -268,13 +274,9 @@ static int dump_suid_policy()

 static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_values)

 {

-    errno = 0;

-    if (user_pwd == NULL

-     || chdir(user_pwd) != 0

-    ) {

-        perror_msg("Can't cd to '%s'", user_pwd);

+    proc_cwd = open_cwd(pid);

+    if (proc_cwd == NULL)

         return -1;

-    }

     struct passwd* pw = getpwuid(uid);

     gid_t gid = pw ? pw->pw_gid : uid;

@@ -337,15 +339,10 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu

         }

     }

-    full_core_basename = core_basename;

-    if (core_basename[0] != '/')

+    if (g_need_nonrelative && core_basename[0] != '/')

     {

-        if (g_need_nonrelative)

-        {

-            error_msg("Current suid_dumpable policy prevents from saving core dumps according to relative core_pattern");

-            return -1;

-        }

-        core_basename = concat_path_file(user_pwd, core_basename);

+        error_msg("Current suid_dumpable policy prevents from saving core dumps according to relative core_pattern");

+        return -1;

     }

     /* Open (create) compat core file.

@@ -381,7 +378,7 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu

     struct stat sb;

     errno = 0;

     /* Do not O_TRUNC: if later checks fail, we do not want to have file already modified here */

-    int user_core_fd = open(core_basename, O_WRONLY | O_CREAT | O_NOFOLLOW | g_user_core_flags, 0600); /* kernel makes 0600 too */

+    int user_core_fd = openat(dirfd(proc_cwd), core_basename, O_WRONLY | O_CREAT | O_NOFOLLOW | g_user_core_flags, 0600); /* kernel makes 0600 too */

     xsetegid(0);

     xseteuid(0);

     if (user_core_fd < 0

@@ -391,15 +388,15 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu

      || sb.st_uid != fsuid

     ) {

         if (user_core_fd < 0)

-            perror_msg("Can't open '%s'", full_core_basename);

+            perror_msg("Can't open '%s' at '%s'", core_basename, user_pwd);

         else

-            perror_msg("'%s' is not a regular file with link count 1 owned by UID(%d)", full_core_basename, fsuid);

+            perror_msg("'%s' at '%s' is not a regular file with link count 1 owned by UID(%d)", core_basename, user_pwd, fsuid);

         return -1;

     }

     if (ftruncate(user_core_fd, 0) != 0) {

         /* perror first, otherwise unlink may trash errno */

-        perror_msg("Can't truncate '%s' to size 0", full_core_basename);

-        unlink(core_basename);

+        perror_msg("Can't truncate '%s' at '%s' to size 0", core_basename, user_pwd);

+        unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);

         return -1;

     }

@@ -466,10 +463,8 @@ static int create_or_die(const char *filename)

     if (dd)

         dd_delete(dd);

     if (user_core_fd >= 0)

-    {

-        xchdir(user_pwd);

-        unlink(core_basename);

-    }

+        unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);

+

     errno = sv_errno;

     perror_msg_and_die("Can't open '%s'", filename);

 }

@@ -573,7 +568,7 @@ int main(int argc, char** argv)

                         (long)pid, executable);

     }

-    user_pwd = get_cwd(pid); /* may be NULL on error */

+    user_pwd = get_cwd(pid);

     log_notice("user_pwd:'%s'", user_pwd);

     sprintf(path, "/proc/%lu/status", (long)pid);

@@ -672,6 +667,8 @@ int main(int argc, char** argv)

             error_msg_and_die("Error saving '%s'", path);

         }

         log("Saved core dump of pid %lu (%s) to %s (%llu bytes)", (long)pid, executable, path, (long long)core_size);

+        if (proc_cwd != NULL)

+            closedir(proc_cwd);

         return 0;

     }

@@ -791,10 +788,7 @@ int main(int argc, char** argv)

             unlink(path);

             dd_delete(dd);

             if (user_core_fd >= 0)

-            {

-                xchdir(user_pwd);

-                unlink(core_basename);

-            }

+                unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);

             /* copyfd_sparse logs the error including errno string,

              * but it does not log file name */

             error_msg_and_die("Error writing '%s'", path);

@@ -807,8 +801,7 @@ int main(int argc, char** argv)

             )

         ) {

             /* nuke it (silently) */

-            xchdir(user_pwd);

-            unlink(core_basename);

+            unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);

         }

 /* Because of #1211835 and #1126850 */

@@ -879,6 +872,8 @@ int main(int argc, char** argv)

         }

         free(rootdir);

+        if (proc_cwd != NULL)

+            closedir(proc_cwd);

         return 0;

     }

@@ -890,19 +885,23 @@ int main(int argc, char** argv)

         if (fsync(user_core_fd) != 0 || close(user_core_fd) != 0 || core_size < 0)

         {

             /* perror first, otherwise unlink may trash errno */

-            perror_msg("Error writing '%s'", full_core_basename);

-            xchdir(user_pwd);

-            unlink(core_basename);

+            perror_msg("Error writing '%s' at '%s'", core_basename, user_pwd);

+            unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);

+            if (proc_cwd != NULL)

+                closedir(proc_cwd);

             return 1;

         }

         if (ulimit_c == 0 || core_size > ulimit_c)

         {

-            xchdir(user_pwd);

-            unlink(core_basename);

+            unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);

+            if (proc_cwd != NULL)

+                closedir(proc_cwd);

             return 1;

         }

-        log("Saved core dump of pid %lu to %s (%llu bytes)", (long)pid, full_core_basename, (long long)core_size);

+        log("Saved core dump of pid %lu to %s at %s (%llu bytes)", (long)pid, core_basename, user_pwd, (long long)core_size);

     }

+    if (proc_cwd != NULL)

+        closedir(proc_cwd);

     return 0;

 }

-- 

1.8.3.1