1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
|
Downloaded from upstream: https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b
# HG changeset patch
# User Todd C. Miller <Todd.Miller@courtesan.com>
# Date 1496089973 21600
# Node ID b5460cbbb11bbf9d92ffcc6798a686cf4125efd3
# Parent c303e6eecc7841e2f891d70613e80fcf27fa6e86
Fix for CVE-2017-1000367, parsing of /proc/pid/stat on Linux when
the process name contains spaces. Since the user has control over
the command name this could be used by a user with sudo access to
overwrite an arbitrary file.
Thanks to Qualys for investigating and reporting this bug.
Also stop performing a breadth-first traversal of /dev when looking
for the device. Only the directories specified in search_devs[]
are checked.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
diff -r c303e6eecc78 -r b5460cbbb11b src/ttyname.c
--- a/src/ttyname.c Tue May 23 13:26:54 2017 -0600
+++ b/src/ttyname.c Mon May 29 14:32:53 2017 -0600
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2016 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2012-2017 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -145,20 +145,22 @@
}
#elif defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__)
/*
- * Devices to search before doing a breadth-first scan.
+ * Device nodes and directories to search before searching all of /dev
*/
static char *search_devs[] = {
"/dev/console",
- "/dev/wscons",
- "/dev/pts/",
- "/dev/vt/",
- "/dev/term/",
- "/dev/zcons/",
+ "/dev/pts/", /* POSIX pty */
+ "/dev/vt/", /* Solaris virtual console */
+ "/dev/term/", /* Solaris serial ports */
+ "/dev/zcons/", /* Solaris zone console */
+ "/dev/pty/", /* HP-UX old-style pty */
NULL
};
+/*
+ * Device nodes to ignore when searching all of /dev
+ */
static char *ignore_devs[] = {
- "/dev/fd/",
"/dev/stdin",
"/dev/stdout",
"/dev/stderr",
@@ -166,16 +168,18 @@
};
/*
- * Do a breadth-first scan of dir looking for the specified device.
+ * Do a scan of a directory looking for the specified device.
+ * Does not descend into subdirectories.
* Returns name on success and NULL on failure, setting errno.
*/
static char *
-sudo_ttyname_scan(const char *dir, dev_t rdev, bool builtin, char *name, size_t namelen)
+sudo_ttyname_scan(const char *dir, dev_t rdev, char *name, size_t namelen)
{
- size_t sdlen, num_subdirs = 0, max_subdirs = 0;
- char pathbuf[PATH_MAX], **subdirs = NULL;
+ size_t sdlen;
+ char pathbuf[PATH_MAX];
char *ret = NULL;
struct dirent *dp;
+ struct stat sb;
unsigned int i;
DIR *d = NULL;
debug_decl(sudo_ttyname_scan, SUDO_DEBUG_UTIL)
@@ -187,6 +191,18 @@
if ((d = opendir(dir)) == NULL)
goto done;
+ if (fstat(dirfd(d), &sb) == -1) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "unable to fstat %s", dir);
+ goto done;
+ }
+ if ((sb.st_mode & S_IWOTH) != 0) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "ignoring world-writable directory %s", dir);
+ errno = ENOENT;
+ goto done;
+ }
+
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"scanning for dev %u in %s", (unsigned int)rdev, dir);
@@ -224,18 +240,6 @@
}
if (ignore_devs[i] != NULL)
continue;
- if (!builtin) {
- /* Skip entries in search_devs; we already checked them. */
- for (i = 0; search_devs[i] != NULL; i++) {
- len = strlen(search_devs[i]);
- if (search_devs[i][len - 1] == '/')
- len--;
- if (d_len == len && strncmp(pathbuf, search_devs[i], len) == 0)
- break;
- }
- if (search_devs[i] != NULL)
- continue;
- }
# if defined(HAVE_STRUCT_DIRENT_D_TYPE) && defined(DTTOIF)
/*
* Avoid excessive stat() calls by checking dp->d_type.
@@ -248,39 +252,14 @@
if (stat(pathbuf, &sb) == -1)
continue;
break;
- case DT_DIR:
- /* Directory, no need to stat() it. */
- sb.st_mode = DTTOIF(dp->d_type);
- sb.st_rdev = 0; /* quiet ccc-analyzer false positive */
- break;
default:
- /* Not a character device, link or directory, skip it. */
+ /* Not a character device or link, skip it. */
continue;
}
# else
if (stat(pathbuf, &sb) == -1)
continue;
# endif
- if (S_ISDIR(sb.st_mode)) {
- if (!builtin) {
- /* Add to list of subdirs to search. */
- if (num_subdirs + 1 > max_subdirs) {
- char **new_subdirs;
-
- new_subdirs = reallocarray(subdirs, max_subdirs + 64,
- sizeof(char *));
- if (new_subdirs == NULL)
- goto done;
- subdirs = new_subdirs;
- max_subdirs += 64;
- }
- subdirs[num_subdirs] = strdup(pathbuf);
- if (subdirs[num_subdirs] == NULL)
- goto done;
- num_subdirs++;
- }
- continue;
- }
if (S_ISCHR(sb.st_mode) && sb.st_rdev == rdev) {
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"resolved dev %u as %s", (unsigned int)rdev, pathbuf);
@@ -296,16 +275,9 @@
}
}
- /* Search subdirs if we didn't find it in the root level. */
- for (i = 0; ret == NULL && i < num_subdirs; i++)
- ret = sudo_ttyname_scan(subdirs[i], rdev, false, name, namelen);
-
done:
if (d != NULL)
closedir(d);
- for (i = 0; i < num_subdirs; i++)
- free(subdirs[i]);
- free(subdirs);
debug_return_str(ret);
}
@@ -324,7 +296,7 @@
debug_decl(sudo_ttyname_dev, SUDO_DEBUG_UTIL)
/*
- * First check search_devs for common tty devices.
+ * First check search_devs[] for common tty devices.
*/
for (sd = search_devs; (devname = *sd) != NULL; sd++) {
len = strlen(devname);
@@ -349,7 +321,7 @@
"comparing dev %u to %s: no", (unsigned int)rdev, buf);
} else {
/* Traverse directory */
- ret = sudo_ttyname_scan(devname, rdev, true, name, namelen);
+ ret = sudo_ttyname_scan(devname, rdev, name, namelen);
if (ret != NULL || errno == ENOMEM)
goto done;
}
@@ -367,9 +339,9 @@
}
/*
- * Not found? Do a breadth-first traversal of /dev/.
+ * Not found? Check all device nodes in /dev.
*/
- ret = sudo_ttyname_scan(_PATH_DEV, rdev, false, name, namelen);
+ ret = sudo_ttyname_scan(_PATH_DEV, rdev, name, namelen);
done:
debug_return_str(ret);
@@ -493,28 +465,35 @@
len = getline(&line, &linesize, fp);
fclose(fp);
if (len != -1) {
- /* Field 7 is the tty dev (0 if no tty) */
- char *cp = line;
- char *ep = line;
- const char *errstr;
- int field = 0;
- while (*++ep != '\0') {
- if (*ep == ' ') {
- *ep = '\0';
- if (++field == 7) {
- dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
- if (errstr) {
- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
- "%s: tty device %s: %s", path, cp, errstr);
+ /*
+ * Field 7 is the tty dev (0 if no tty).
+ * Since the process name at field 2 "(comm)" may include spaces,
+ * start at the last ')' found.
+ */
+ char *cp = strrchr(line, ')');
+ if (cp != NULL) {
+ char *ep = cp;
+ const char *errstr;
+ int field = 1;
+
+ while (*++ep != '\0') {
+ if (*ep == ' ') {
+ *ep = '\0';
+ if (++field == 7) {
+ dev_t tdev = strtonum(cp, INT_MIN, INT_MAX, &errstr);
+ if (errstr) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
+ "%s: tty device %s: %s", path, cp, errstr);
+ }
+ if (tdev > 0) {
+ errno = serrno;
+ ret = sudo_ttyname_dev(tdev, name, namelen);
+ goto done;
+ }
+ break;
}
- if (tdev > 0) {
- errno = serrno;
- ret = sudo_ttyname_dev(tdev, name, namelen);
- goto done;
- }
- break;
+ cp = ep + 1;
}
- cp = ep + 1;
}
}
}
|
