diff options
| author | Miklos Szeredi <mszeredi@suse.cz> | 2015-05-22 10:58:43 +0200 |
|---|---|---|
| committer | Dan Pasanen <dan.pasanen@gmail.com> | 2015-10-28 21:00:21 -0500 |
| commit | 076682cd20c3c9418a990dadb4397d27cc3b390f (patch) | |
| tree | 1ecb173f981e3ff8737c88873400eef26d5c7015 | |
| parent | 5ebf4c9631d8df268b4b8bf646a1557d8bc64c8a (diff) | |
| download | android_external_fuse-076682cd20c3c9418a990dadb4397d27cc3b390f.tar.gz android_external_fuse-076682cd20c3c9418a990dadb4397d27cc3b390f.tar.bz2 android_external_fuse-076682cd20c3c9418a990dadb4397d27cc3b390f.zip | |
libfuse: fix exec environment for mount and umount
Found by Tavis Ormandy (CVE-2015-3202).
Change-Id: Ic6f5ecb8db1629481ffeec60e64d209ab248a7f5
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | lib/mount_util.c | 23 |
2 files changed, 22 insertions, 6 deletions
@@ -1,3 +1,8 @@ +2015-05-22 Miklos Szeredi <miklos@szeredi.hu> + + * libfuse: fix exec environment for mount and umount. Found by + Tavis Ormandy (CVE-2015-3202). + 2015-02-26 Miklos Szeredi <miklos@szeredi.hu> * libfuse: fix fuse_remove_signal_handlers() to properly restore diff --git a/lib/mount_util.c b/lib/mount_util.c index ad23d43..020b223 100644 --- a/lib/mount_util.c +++ b/lib/mount_util.c @@ -101,10 +101,12 @@ static int add_mount(const char *progname, const char *fsname, goto out_restore; } if (res == 0) { + char *env = NULL; + sigprocmask(SIG_SETMASK, &oldmask, NULL); setuid(geteuid()); - execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i", - "-f", "-t", type, "-o", opts, fsname, mnt, NULL); + execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i", + "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env); fprintf(stderr, "%s: failed to execute /bin/mount: %s\n", progname, strerror(errno)); exit(1); @@ -152,10 +154,17 @@ static int exec_umount(const char *progname, const char *rel_mnt, int lazy) goto out_restore; } if (res == 0) { + char *env = NULL; + sigprocmask(SIG_SETMASK, &oldmask, NULL); setuid(geteuid()); - execl("/bin/umount", "/bin/umount", "-i", rel_mnt, - lazy ? "-l" : NULL, NULL); + if (lazy) { + execle("/bin/umount", "/bin/umount", "-i", rel_mnt, + "-l", NULL, &env); + } else { + execle("/bin/umount", "/bin/umount", "-i", rel_mnt, + NULL, &env); + } fprintf(stderr, "%s: failed to execute /bin/umount: %s\n", progname, strerror(errno)); exit(1); @@ -211,10 +220,12 @@ static int remove_mount(const char *progname, const char *mnt) goto out_restore; } if (res == 0) { + char *env = NULL; + sigprocmask(SIG_SETMASK, &oldmask, NULL); setuid(geteuid()); - execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i", - "--fake", mnt, NULL); + execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i", + "--fake", mnt, NULL, &env); fprintf(stderr, "%s: failed to execute /bin/umount: %s\n", progname, strerror(errno)); exit(1); |