fix(sandbox): only create tempfiles with O_CREAT flag #866

Merged Jan 20, 2025
23 changes: 15 additions & 8 deletions src/hypercall.rs
Expand Up @@ -110,22 +110,29 @@ pub fn open(mem: &MmapMemory, sysopen: &mut OpenParams, file_map: &mut UhyveFile
}

if let Some(host_path) = file_map.get_host_path(guest_path) {
debug!("{:#?} found in file map.", guest_path);
// We can safely unwrap here, as host_path.as_bytes will never contain internal \0 bytes
// As host_path_c_string is a valid CString, this implementation is presumed to be safe.
let host_path_c_string = CString::new(host_path.as_bytes()).unwrap();

sysopen.ret =
unsafe { libc::open(host_path_c_string.as_c_str().as_ptr(), flags, sysopen.mode) };
} else {
debug!("Attempting to open a temp file for {:#?}...", guest_path);
// Existing files that already exist should be in the file map, not here.
// If a supposed attacker can predict where we open a file and its filename,
// this contigency, together with O_CREAT, will cause the write to fail.
flags |= O_EXCL;
debug!("{:#?} not found in file map.", guest_path);
if (flags & O_CREAT) == O_CREAT {
debug!("Attempting to open a temp file for {:#?}...", guest_path);
// Existing files that already exist should be in the file map, not here.
// If a supposed attacker can predict where we open a file and its filename,
// this contigency, together with O_CREAT, will cause the write to fail.
flags |= O_EXCL;

let host_path_c_string = file_map.create_temporary_file(guest_path);
let new_host_path = host_path_c_string.as_c_str().as_ptr();
sysopen.ret = unsafe { libc::open(new_host_path, flags, sysopen.mode) };
let host_path_c_string = file_map.create_temporary_file(guest_path);
let new_host_path = host_path_c_string.as_c_str().as_ptr();
sysopen.ret = unsafe { libc::open(new_host_path, flags, sysopen.mode) };
} else {
debug!("Returning -ENOENT for {:#?}", guest_path);
sysopen.ret = -ENOENT;
}
}
} else {
error!("The kernel requested to open() a path that is not valid UTF-8. Rejecting...");
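Review bot: the two sides of the new `if (flags & O_CREAT) == O_CREAT` report failure differently. Both `libc::open` paths store the raw return value of open(2) (-1 with errno set on the host), while the new else branch stores a negative errno directly with `sysopen.ret = -ENOENT;`. Unless the hypercall layer already rewrites -1 into -errno somewhere outside this hunk, the guest sees two conventions depending on whether the path was in the file map; suggest settling on one and using it in both branches. The hunk also adds no `use` for `ENOENT`, so confirm it is already in scope or write `libc::ENOENT`. Minor: the moved comment keeps "Existing files that already exist" and "contigency", and it is the open(2) call rather than a later write that O_CREAT|O_EXCL makes fail; suggest "Files that already exist should be in the file map, not here. If an attacker can predict where we open a file and its name, O_EXCL together with O_CREAT makes the open fail instead of reusing that file." Gating the temp-file creation on O_CREAT is the right fix: a read-only open of an unmapped guest path now yields ENOENT instead of silently creating a host temp file.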