File validate-mount-destination-fs-type.patch of Package ecryptfs-utils.1844

From 8fcdb9ef8406cd05c45acef6210a3bfa0831e857 Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@canonical.com>
Date: Thu, 7 Jan 2016 19:39:14 -0600
Subject: [PATCH] mount.ecryptfs_private: Validate mount destination fs type

Refuse to mount over non-standard filesystems. Mounting over
certain types filesystems is a red flag that the user is doing
something devious, such as mounting over the /proc/self symlink
target with malicious content in order to confuse programs that may
attempt to parse those files. (LP: #1530566)

https://launchpad.net/bugs/1530566
---
 debian/changelog                   |  8 +++++
 src/utils/mount.ecryptfs_private.c | 61 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)

Index: ecryptfs-utils-103/src/utils/mount.ecryptfs_private.c
===================================================================
--- ecryptfs-utils-103.orig/src/utils/mount.ecryptfs_private.c
+++ ecryptfs-utils-103/src/utils/mount.ecryptfs_private.c
@@ -32,6 +32,7 @@
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/types.h>
+#include <sys/vfs.h>
 #include <errno.h>
 #include <keyutils.h>
 #include <mntent.h>
@@ -216,6 +217,62 @@ err:
 	return NULL;
 }
 
+static int check_cwd_f_type()
+{
+	/**
+	 * This is *not* a list of compatible lower filesystems list for
+	 * eCryptfs. This is a list of filesystems that we reasonably expect to
+	 * see mount.ecryptfs_private users mounting on top of. In other words,
+	 * the filesystem type of the 'target' parameter of mount(2).
+	 *
+	 * This whitelist is to prevent malicious mount.ecryptfs_private users
+	 * from mounting over filesystem types such as PROC_SUPER_MAGIC to
+	 * deceive other programs with a crafted /proc/self/*. See
+	 * https://launchpad.net/bugs/1530566 for more details.
+	 */
+	__SWORD_TYPE f_type_whitelist[] = {
+		0x61756673 /* AUFS_SUPER_MAGIC */,
+		0x9123683E /* BTRFS_SUPER_MAGIC */,
+		0x00C36400 /* CEPH_SUPER_MAGIC */,
+		0xFF534D42 /* CIFS_MAGIC_NUMBER */,
+		0x0000F15F /* ECRYPTFS_SUPER_MAGIC */,
+		0x0000EF53 /* EXT[234]_SUPER_MAGIC */,
+		0xF2F52010 /* F2FS_SUPER_MAGIC */,
+		0x65735546 /* FUSE_SUPER_MAGIC */,
+		0x01161970 /* GFS2_MAGIC */,
+		0x3153464A /* JFS_SUPER_MAGIC */,
+		0x0000564C /* NCP_SUPER_MAGIC */,
+		0x00006969 /* NFS_SUPER_MAGIC */,
+		0x00003434 /* NILFS_SUPER_MAGIC */,
+		0x5346544E /* NTFS_SB_MAGIC */,
+		0x794C7630 /* OVERLAYFS_SUPER_MAGIC */,
+		0x52654973 /* REISERFS_SUPER_MAGIC */,
+		0x73717368 /* SQUASHFS_MAGIC */,
+		0x01021994 /* TMPFS_MAGIC */,
+		0x58465342 /* XFS_SB_MAGIC */,
+		0x2FC12FC1 /* ZFS_SUPER_MAGIC */,
+	};
+	struct statfs buf;
+	size_t i, whitelist_len;
+
+	if (statfs(".", &buf) != 0) {
+		fprintf(stderr, "Failed to check filesystem type: %m\n");
+		return 1;
+	}
+
+	whitelist_len = sizeof(f_type_whitelist) / sizeof(*f_type_whitelist);
+	for (i = 0; i < whitelist_len; i++) {
+		if (buf.f_type == f_type_whitelist[i]) {
+			return 0;
+		}
+	}
+
+	fprintf(stderr,
+		"Refusing to mount over an unapproved filesystem type: %#lx\n",
+		buf.f_type);
+	return 1;
+}
+
 int check_ownership_mnt(int uid, char **mnt) {
 /* Check ownership of mount point, chdir into it, and
  * canonicalize the path for use in mtab updating.
@@ -621,6 +678,10 @@ int main(int argc, char *argv[]) {
  		goto fail;
  	}
 
+	if (check_cwd_f_type() != 0) {
+		goto fail;
+	}
+
 	if (mounting == 1) {
 		/* Increment mount counter, errors non-fatal */
 		if (increment(fh_counter) < 0) {
openSUSE Build Service is sponsored by