Blob Blame Raw
From 806bb07571b698d90169c3b73cb65cd09c900284 Mon Sep 17 00:00:00 2001
From: Jakub Filak <jfilak@redhat.com>
Date: Fri, 17 Apr 2015 14:40:20 +0200
Subject: [ABRT PATCH] ccpp: do not use value of /proc/PID/cwd for chdir

Avoid symlink resolutions.

This issue was discovered by Florian Weimer of Red Hat Product Security.

Signed-off-by: Jakub Filak <jfilak@redhat.com>
---
 src/hooks/abrt-hook-ccpp.c | 85 +++++++++++++++++++++++-----------------------
 1 file changed, 42 insertions(+), 43 deletions(-)

diff --git a/src/hooks/abrt-hook-ccpp.c b/src/hooks/abrt-hook-ccpp.c
index 82ff555..d600bb7 100644
--- a/src/hooks/abrt-hook-ccpp.c
+++ b/src/hooks/abrt-hook-ccpp.c
@@ -144,6 +144,7 @@ static off_t copyfd_sparse(int src_fd, int dst_fd1, int dst_fd2, off_t size2)
 /* Global data */
 
 static char *user_pwd;
+static DIR *proc_cwd;
 static char *proc_pid_status;
 static struct dump_dir *dd;
 static int user_core_fd = -1;
@@ -163,13 +164,6 @@ static int user_core_fd = -1;
  */
 static const char percent_specifiers[] = "%scpugteh";
 static char *core_basename = (char*) "core";
-/*
- * Used for error messages only.
- * It is either the same as core_basename if it is absolute,
- * or $PWD/core_basename.
- */
-static char *full_core_basename;
-
 
 static char* get_executable(pid_t pid, int *fd_p)
 {
@@ -198,6 +192,18 @@ static char* get_executable(pid_t pid, int *fd_p)
     return executable;
 }
 
+static DIR *open_cwd(pid_t pid)
+{
+    char buf[sizeof("/proc/%lu/cwd") + sizeof(long)*3];
+    sprintf(buf, "/proc/%lu/cwd", (long)pid);
+
+    DIR *cwd = opendir(buf);
+    if (cwd == NULL)
+        perror_msg("Can't open process's CWD for CompatCore");
+
+    return cwd;
+}
+
 static char* get_cwd(pid_t pid)
 {
     char buf[sizeof("/proc/%lu/cwd") + sizeof(long)*3];
@@ -268,13 +274,9 @@ static int dump_suid_policy()
 
 static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_values)
 {
-    errno = 0;
-    if (user_pwd == NULL
-     || chdir(user_pwd) != 0
-    ) {
-        perror_msg("Can't cd to '%s'", user_pwd);
+    proc_cwd = open_cwd(pid);
+    if (proc_cwd == NULL)
         return -1;
-    }
 
     struct passwd* pw = getpwuid(uid);
     gid_t gid = pw ? pw->pw_gid : uid;
@@ -337,15 +339,10 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu
         }
     }
 
-    full_core_basename = core_basename;
-    if (core_basename[0] != '/')
+    if (g_need_nonrelative && core_basename[0] != '/')
     {
-        if (g_need_nonrelative)
-        {
-            error_msg("Current suid_dumpable policy prevents from saving core dumps according to relative core_pattern");
-            return -1;
-        }
-        core_basename = concat_path_file(user_pwd, core_basename);
+        error_msg("Current suid_dumpable policy prevents from saving core dumps according to relative core_pattern");
+        return -1;
     }
 
     /* Open (create) compat core file.
@@ -381,7 +378,7 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu
     struct stat sb;
     errno = 0;
     /* Do not O_TRUNC: if later checks fail, we do not want to have file already modified here */
-    int user_core_fd = open(core_basename, O_WRONLY | O_CREAT | O_NOFOLLOW | g_user_core_flags, 0600); /* kernel makes 0600 too */
+    int user_core_fd = openat(dirfd(proc_cwd), core_basename, O_WRONLY | O_CREAT | O_NOFOLLOW | g_user_core_flags, 0600); /* kernel makes 0600 too */
     xsetegid(0);
     xseteuid(0);
     if (user_core_fd < 0
@@ -391,15 +388,15 @@ static int open_user_core(uid_t uid, uid_t fsuid, pid_t pid, char **percent_valu
      || sb.st_uid != fsuid
     ) {
         if (user_core_fd < 0)
-            perror_msg("Can't open '%s'", full_core_basename);
+            perror_msg("Can't open '%s' at '%s'", core_basename, user_pwd);
         else
-            perror_msg("'%s' is not a regular file with link count 1 owned by UID(%d)", full_core_basename, fsuid);
+            perror_msg("'%s' at '%s' is not a regular file with link count 1 owned by UID(%d)", core_basename, user_pwd, fsuid);
         return -1;
     }
     if (ftruncate(user_core_fd, 0) != 0) {
         /* perror first, otherwise unlink may trash errno */
-        perror_msg("Can't truncate '%s' to size 0", full_core_basename);
-        unlink(core_basename);
+        perror_msg("Can't truncate '%s' at '%s' to size 0", core_basename, user_pwd);
+        unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);
         return -1;
     }
 
@@ -466,10 +463,8 @@ static int create_or_die(const char *filename)
     if (dd)
         dd_delete(dd);
     if (user_core_fd >= 0)
-    {
-        xchdir(user_pwd);
-        unlink(core_basename);
-    }
+        unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);
+
     errno = sv_errno;
     perror_msg_and_die("Can't open '%s'", filename);
 }
@@ -573,7 +568,7 @@ int main(int argc, char** argv)
                         (long)pid, executable);
     }
 
-    user_pwd = get_cwd(pid); /* may be NULL on error */
+    user_pwd = get_cwd(pid);
     log_notice("user_pwd:'%s'", user_pwd);
 
     sprintf(path, "/proc/%lu/status", (long)pid);
@@ -672,6 +667,8 @@ int main(int argc, char** argv)
             error_msg_and_die("Error saving '%s'", path);
         }
         log("Saved core dump of pid %lu (%s) to %s (%llu bytes)", (long)pid, executable, path, (long long)core_size);
+        if (proc_cwd != NULL)
+            closedir(proc_cwd);
         return 0;
     }
 
@@ -791,10 +788,7 @@ int main(int argc, char** argv)
             unlink(path);
             dd_delete(dd);
             if (user_core_fd >= 0)
-            {
-                xchdir(user_pwd);
-                unlink(core_basename);
-            }
+                unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);
             /* copyfd_sparse logs the error including errno string,
              * but it does not log file name */
             error_msg_and_die("Error writing '%s'", path);
@@ -807,8 +801,7 @@ int main(int argc, char** argv)
             )
         ) {
             /* nuke it (silently) */
-            xchdir(user_pwd);
-            unlink(core_basename);
+            unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);
         }
 
 /* Because of #1211835 and #1126850 */
@@ -879,6 +872,8 @@ int main(int argc, char** argv)
         }
 
         free(rootdir);
+        if (proc_cwd != NULL)
+            closedir(proc_cwd);
         return 0;
     }
 
@@ -890,19 +885,23 @@ int main(int argc, char** argv)
         if (fsync(user_core_fd) != 0 || close(user_core_fd) != 0 || core_size < 0)
         {
             /* perror first, otherwise unlink may trash errno */
-            perror_msg("Error writing '%s'", full_core_basename);
-            xchdir(user_pwd);
-            unlink(core_basename);
+            perror_msg("Error writing '%s' at '%s'", core_basename, user_pwd);
+            unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);
+            if (proc_cwd != NULL)
+                closedir(proc_cwd);
             return 1;
         }
         if (ulimit_c == 0 || core_size > ulimit_c)
         {
-            xchdir(user_pwd);
-            unlink(core_basename);
+            unlinkat(dirfd(proc_cwd), core_basename, /*unlink file*/0);
+            if (proc_cwd != NULL)
+                closedir(proc_cwd);
             return 1;
         }
-        log("Saved core dump of pid %lu to %s (%llu bytes)", (long)pid, full_core_basename, (long long)core_size);
+        log("Saved core dump of pid %lu to %s at %s (%llu bytes)", (long)pid, core_basename, user_pwd, (long long)core_size);
     }
 
+    if (proc_cwd != NULL)
+        closedir(proc_cwd);
     return 0;
 }
-- 
1.8.3.1