dmcrypt-get-device does not check the return values of setuid() or setgid()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
eject (Ubuntu) | Fix Released | High | Tyler Hicks |
Bug Description
Ilja Van Sprundel discovered that dmcrypt-get-device does not properly handle errors returned from setuid()/setgid() despite being a setuid-root binary. Although it looks to be handling trustworthy input from the kernel after the setuid()/setgid() calls, the intent is to be parsing the data as a non-root user.
Here's the original report:
I noticed that dmcrypt-get-device is suid root. Its source code is apparently written at Ubuntu (according to the comments)
The code for which I found at http://
which has the following comments:
* Opening /dev/mapper/control requires root privileges, therefore this
* program needs to be installed setuid root. Root privileges are dropped
* immediately after querying the information from the device mapper. The
* parsing is done with normal user privileges afterwards.
The priv dropping happens in dmcrypt-
/* Drop all privileges */
setgid(
setuid(
This unfortunately doesn't account for a failed call to setuid(), which would then perform the parsing as root.
You'll probably want to fix both the call to setgid() and setuid() with proper return value checks.
This has been assigned CVE-2017-6964