[lxc-devel] [lxc/master] conf: realpath() uses null as second parameter to prevent buffer overflow

2xsec on Github lxc-bot at linuxcontainers.org
Fri Sep 21 02:15:50 UTC 2018


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 526 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180921/7f7c1a76/attachment.bin>
-------------- next part --------------
From 74e7b6621905110e46a4bbc6b5b898328363fced Mon Sep 17 00:00:00 2001
From: 2xsec <dh48.jeong at samsung.com>
Date: Fri, 21 Sep 2018 11:09:54 +0900
Subject: [PATCH] conf: realpath() uses null as second parameter to prevent
 buffer overflow

Signed-off-by: 2xsec <dh48.jeong at samsung.com>
---
 src/lxc/conf.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 488f3dd42..371256ef2 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -553,24 +553,31 @@ int run_script(const char *name, const char *section, const char *script, ...)
 int pin_rootfs(const char *rootfs)
 {
 	int fd, ret;
-	char absrootfs[MAXPATHLEN], absrootfspin[MAXPATHLEN];
+	char absrootfspin[MAXPATHLEN];
+	char *absrootfs;
 	struct stat s;
 	struct statfs sfs;
 
 	if (rootfs == NULL || strlen(rootfs) == 0)
 		return -2;
 
-	if (!realpath(rootfs, absrootfs))
+	absrootfs = realpath(rootfs, NULL);
+	if (!absrootfs)
 		return -2;
 
 	ret = stat(absrootfs, &s);
-	if (ret < 0)
+	if (ret < 0) {
+		free(absrootfs);
 		return -1;
+	}
 
-	if (!S_ISDIR(s.st_mode))
+	if (!S_ISDIR(s.st_mode)) {
+		free(absrootfs);
 		return -2;
+	}
 
 	ret = snprintf(absrootfspin, MAXPATHLEN, "%s/.lxc-keep", absrootfs);
+	free(absrootfs);
 	if (ret >= MAXPATHLEN)
 		return -1;
 
@@ -1368,18 +1375,22 @@ int lxc_chroot(const struct lxc_rootfs *rootfs)
 {
 	int i, ret;
 	char *p, *p2;
-	char buf[LXC_LINELEN], nroot[PATH_MAX];
+	char buf[LXC_LINELEN];
+	char *nroot;
 	FILE *f;
 	char *root = rootfs->mount;
 
-	if (!realpath(root, nroot)) {
+	nroot = realpath(root, NULL);
+	if (!nroot) {
 		SYSERROR("Failed to resolve \"%s\"", root);
 		return -1;
 	}
 
 	ret = chdir("/");
-	if (ret < 0)
+	if (ret < 0) {
+		free(nroot);
 		return -1;
+	}
 
 	/* We could use here MS_MOVE, but in userns this mount is locked and
 	 * can't be moved.
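Review bot: The new `char *nroot;` carries an ownership rule that nothing in the code states: the buffer is allocated by `realpath(root, NULL)` and has to be freed on every return until the bind mount has used it. A comment above the call, for example `/* realpath() allocates nroot; free it on every exit up to and including the bind mount. */`, would help whoever next adds an early return in that stretch. The same applies to `absrootfs` in pin_rootfs in the first hunk. The rest of lxc_chroot lies outside this hunk.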
@@ -1387,8 +1398,10 @@ int lxc_chroot(const struct lxc_rootfs *rootfs)
 	ret = mount(nroot, "/", NULL, MS_REC | MS_BIND, NULL);
 	if (ret < 0) {
 		SYSERROR("Failed to mount \"%s\" onto \"/\" as MS_REC | MS_BIND", nroot);
+		free(nroot);
 		return -1;
 	}
+	free(nroot);
 
 	ret = mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
 	if (ret < 0) {
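Review bot: After the `free(nroot);` that follows the successful bind mount, the pointer stays in scope for the remainder of lxc_chroot, which continues outside this hunk. Adding `nroot = NULL;` on the next line would make a later accidental use fail on a NULL pointer and a second free() a no-op, rather than a use-after-free or double free. Nothing visible here reuses nroot, so this is a defensive suggestion rather than a fix for an observed bug.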

