|
| 1 | +From 65ad1591ec32acd42d0296c0fe13dc85dc0f6c8d Mon Sep 17 00:00:00 2001 |
| 2 | +From: "Andrew G. Morgan" <morgan@kernel.org> |
| 3 | +Date: Thu, 12 Mar 2026 07:38:05 -0700 |
| 4 | +Subject: [PATCH] Address a potential TOCTOU race condition in cap_set_file(). |
| 5 | + |
| 6 | +This issue was researched and reported by Ali Raza (@locus-x64). It |
| 7 | +has been assigned CVE-2026-4878. |
| 8 | + |
| 9 | +The finding is that while cap_set_file() checks if a file is a regular |
| 10 | +file before applying or removing a capability attribute, a small |
| 11 | +window existed after that check when the filepath could be overwritten |
| 12 | +either with new content or a symlink to some other file. To do this |
| 13 | +would imply that the caller of cap_set_file() was directing it to a |
| 14 | +directory over which a local attacker has write access, and performed |
| 15 | +the operation frequently enough that an attacker had a non-negligible |
| 16 | +chance of exploiting the race condition. The code now locks onto the |
| 17 | +intended file, eliminating the race condition. |
| 18 | + |
| 19 | +Signed-off-by: Andrew G. Morgan <morgan@kernel.org> |
| 20 | +Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> |
| 21 | +Upstream-reference: https://git.kernel.org/pub/scm/libs/libcap/libcap.git/patch/?id=286ace1259992bd0c5d9016715833f2e148ac596 |
| 22 | +--- |
| 23 | + libcap/cap_file.c | 69 +++++++++++++++++++++++++++++++++++++++------- |
| 24 | + progs/quicktest.sh | 14 +++++++++- |
| 25 | + 2 files changed, 72 insertions(+), 11 deletions(-) |
| 26 | + |
| 27 | +diff --git a/libcap/cap_file.c b/libcap/cap_file.c |
| 28 | +index 0bc07f7..f02bf9f 100644 |
| 29 | +--- a/libcap/cap_file.c |
| 30 | ++++ b/libcap/cap_file.c |
| 31 | +@@ -8,8 +8,13 @@ |
| 32 | + #define _DEFAULT_SOURCE |
| 33 | + #endif |
| 34 | + |
| 35 | ++#ifndef _GNU_SOURCE |
| 36 | ++#define _GNU_SOURCE |
| 37 | ++#endif |
| 38 | ++ |
| 39 | + #include <sys/types.h> |
| 40 | + #include <byteswap.h> |
| 41 | ++#include <fcntl.h> |
| 42 | + #include <sys/stat.h> |
| 43 | + #include <unistd.h> |
| 44 | + |
| 45 | +@@ -322,26 +327,70 @@ int cap_set_file(const char *filename, cap_t cap_d) |
| 46 | + struct vfs_ns_cap_data rawvfscap; |
| 47 | + int sizeofcaps; |
| 48 | + struct stat buf; |
| 49 | ++ char fdpath[64]; |
| 50 | ++ int fd, ret; |
| 51 | ++ |
| 52 | ++ _cap_debug("setting filename capabilities"); |
| 53 | ++ fd = open(filename, O_RDONLY|O_NOFOLLOW); |
| 54 | ++ if (fd >= 0) { |
| 55 | ++ ret = cap_set_fd(fd, cap_d); |
| 56 | ++ close(fd); |
| 57 | ++ return ret; |
| 58 | ++ } |
| 59 | + |
| 60 | +- if (lstat(filename, &buf) != 0) { |
| 61 | +- _cap_debug("unable to stat file [%s]", filename); |
| 62 | ++ /* |
| 63 | ++ * Attempting to set a file capability on a file the process can't |
| 64 | ++ * read the content of. This is considered a non-standard use case |
| 65 | ++ * and the following (slower) code is complicated because it is |
| 66 | ++ * trying to avoid a TOCTOU race condition. |
| 67 | ++ */ |
| 68 | ++ |
| 69 | ++ fd = open(filename, O_PATH|O_NOFOLLOW); |
| 70 | ++ if (fd < 0) { |
| 71 | ++ _cap_debug("cannot find file at path [%s]", filename); |
| 72 | ++ return -1; |
| 73 | ++ } |
| 74 | ++ if (fstat(fd, &buf) != 0) { |
| 75 | ++ _cap_debug("unable to stat file [%s] descriptor %d", |
| 76 | ++ filename, fd); |
| 77 | ++ close(fd); |
| 78 | + return -1; |
| 79 | + } |
| 80 | + if (S_ISLNK(buf.st_mode) || !S_ISREG(buf.st_mode)) { |
| 81 | +- _cap_debug("file [%s] is not a regular file", filename); |
| 82 | ++ _cap_debug("file [%s] descriptor %d for non-regular file", |
| 83 | ++ filename, fd); |
| 84 | ++ close(fd); |
| 85 | + errno = EINVAL; |
| 86 | + return -1; |
| 87 | + } |
| 88 | + |
| 89 | +- if (cap_d == NULL) { |
| 90 | +- _cap_debug("removing filename capabilities"); |
| 91 | +- return removexattr(filename, XATTR_NAME_CAPS); |
| 92 | ++ /* |
| 93 | ++ * While the fd remains open, this named file is locked to the |
| 94 | ++ * origin regular file. The size of the fdpath variable is |
| 95 | ++ * sufficient to support a 160+ bit number. |
| 96 | ++ */ |
| 97 | ++ if (snprintf(fdpath, sizeof(fdpath), "/proc/self/fd/%d", fd) |
| 98 | ++ >= sizeof(fdpath)) { |
| 99 | ++ _cap_debug("file descriptor too large %d", fd); |
| 100 | ++ errno = EINVAL; |
| 101 | ++ ret = -1; |
| 102 | ++ |
| 103 | ++ } else if (cap_d == NULL) { |
| 104 | ++ _cap_debug("dropping file caps on [%s] via [%s]", |
| 105 | ++ filename, fdpath); |
| 106 | ++ ret = removexattr(fdpath, XATTR_NAME_CAPS); |
| 107 | ++ |
| 108 | + } else if (_fcaps_save(&rawvfscap, cap_d, &sizeofcaps) != 0) { |
| 109 | +- return -1; |
| 110 | +- } |
| 111 | ++ _cap_debug("problem converting cap_d to vfscap format"); |
| 112 | ++ ret = -1; |
| 113 | + |
| 114 | +- _cap_debug("setting filename capabilities"); |
| 115 | +- return setxattr(filename, XATTR_NAME_CAPS, &rawvfscap, sizeofcaps, 0); |
| 116 | ++ } else { |
| 117 | ++ _cap_debug("setting filename capabilities"); |
| 118 | ++ ret = setxattr(fdpath, XATTR_NAME_CAPS, &rawvfscap, |
| 119 | ++ sizeofcaps, 0); |
| 120 | ++ } |
| 121 | ++ close(fd); |
| 122 | ++ return ret; |
| 123 | + } |
| 124 | + |
| 125 | + /* |
| 126 | +diff --git a/progs/quicktest.sh b/progs/quicktest.sh |
| 127 | +index 59e16b0..bb49d53 100755 |
| 128 | +--- a/progs/quicktest.sh |
| 129 | ++++ b/progs/quicktest.sh |
| 130 | +@@ -148,7 +148,19 @@ pass_capsh --caps="cap_setpcap=p" --inh=cap_chown --current |
| 131 | + pass_capsh --strict --caps="cap_chown=p" --inh=cap_chown --current |
| 132 | + |
| 133 | + # change the way the capability is obtained (make it inheritable) |
| 134 | ++chmod 0000 ./privileged |
| 135 | + ./setcap cap_setuid,cap_setgid=ei ./privileged |
| 136 | ++if [ $? -ne 0 ]; then |
| 137 | ++ echo "FAILED to set file capability" |
| 138 | ++ exit 1 |
| 139 | ++fi |
| 140 | ++chmod 0755 ./privileged |
| 141 | ++ln -s privileged unprivileged |
| 142 | ++./setcap -r ./unprivileged |
| 143 | ++if [ $? -eq 0 ]; then |
| 144 | ++ echo "FAILED by removing a capability from a symlinked file" |
| 145 | ++ exit 1 |
| 146 | ++fi |
| 147 | + |
| 148 | + # Note, the bounding set (edited with --drop) only limits p |
| 149 | + # capabilities, not i's. |
| 150 | +@@ -246,7 +258,7 @@ EOF |
| 151 | + pass_capsh --iab='!%cap_chown,^cap_setpcap,cap_setuid' |
| 152 | + fail_capsh --mode=PURE1E --iab='!%cap_chown,^cap_setuid' |
| 153 | + fi |
| 154 | +-/bin/rm -f ./privileged |
| 155 | ++/bin/rm -f ./privileged ./unprivileged |
| 156 | + |
| 157 | + echo "testing namespaced file caps" |
| 158 | + |
| 159 | +-- |
| 160 | +2.45.4 |
| 161 | + |
0 commit comments