File 0001-CVE-2020-25653-Avoids-user-session-hijacki... of Package spice-vdagent

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-CVE-2020-25653-Avoids-user-session-hijacking.patch of Package spice-vdagent

Subject: Avoids user session hijacking
From: Frediano Ziglio freddy77@gmail.com Sun Sep 20 08:06:16 2020 +0100
Date: Thu Oct 29 14:59:18 2020 +0000:
Git: 51c415df82a52e9ec033225783c77df95f387891

Avoids user hijacking sessions by reusing PID.
In theory an attacker could:
- open a connection to the daemon;
- fork and exit the process but keep the file descriptor open
  (inheriting or duplicating it in forked process);
- force OS to recycle the initial PID, by creating many short lived
  processes.
Daemon would detect the old PID as having the new session.
Check the user to avoid such replacements.

This issue was reported by SUSE security team.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>

Index: spice-vdagent-0.17.0/src/vdagentd.c
===================================================================
--- spice-vdagent-0.17.0.orig/src/vdagentd.c
+++ spice-vdagent-0.17.0/src/vdagentd.c
@@ -838,6 +838,19 @@ static gboolean remove_active_xfers(gpoi
         return 0;
 }
 
+/* Check a given process has a given UID */
+static gboolean check_uid_of_pid(pid_t pid, uid_t uid)
+{
+    char fn[128];
+    struct stat st;
+
+    snprintf(fn, sizeof(fn), "/proc/%u/status", (unsigned) pid);
+    if (stat(fn, &st) != 0 || st.st_uid != uid) {
+        return FALSE;
+    }
+    return TRUE;
+}
+
 static void agent_connect(struct udscs_connection *conn)
 {
     struct agent_data *agent_data;
@@ -851,7 +864,18 @@ static void agent_connect(struct udscs_c
 
     if (session_info) {
         uint32_t pid = udscs_get_peer_cred(conn).pid;
+        uint32_t uid = udscs_get_peer_cred(conn).uid;
         agent_data->session = session_info_session_for_pid(session_info, pid);
+
+        /* Check that the UID of the PID did not change, this should be done after
+         * computing the session to avoid race conditions.
+         * This can happen as vdagent_connection_get_peer_pid_uid get information
+         * from the time of creating the socket, but the process in the meantime
+         * have been replaced */
+        if (!check_uid_of_pid(pid, uid)) {
+            udscs_destroy_connection(&conn);
+            return;
+        }
     }
 
     udscs_set_user_data(conn, (void *)agent_data);

Places

File 0001-CVE-2020-25653-Avoids-user-session-hijacking.patch of Package spice-vdagent

Places