krun: fix CVE-2025-24965

make sure the opened .krun_config.json is below the rootfs directory and we don't follow any symlink. Signed-off-by: Giuseppe Scrivano <[email protected]>
containers · Feb 4, 2025 · 0aec82c · 0aec82c · fossdd · Feb 5, 2025
1 parent 793188c
commit 0aec82c
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
@@ -43,6 +43,8 @@
 /* libkrun has a hard-limit of 8 vCPUs per microVM. */
 #define LIBKRUN_MAX_VCPUS 8
 
+#define KRUN_CONFIG_FILE ".krun_config.json"
+
 struct krun_config
 {
   void *handle;
@@ -208,7 +210,13 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
       if (UNLIKELY (ret < 0))
         return ret;
 
-      ret = write_file_at (rootfsfd, ".krun_config.json", config, config_size, err);
+      /* CVE-2025-24965: the content below rootfs cannot be trusted because it is controlled by the user.  We
+         must ensure the file is opened below the rootfs directory.  */
+      fd = safe_openat (rootfsfd, rootfs, KRUN_CONFIG_FILE, WRITE_FILE_DEFAULT_FLAGS | O_NOFOLLOW, 0700, err);
+      if (UNLIKELY (fd < 0))
+        return fd;
+
+      ret = safe_write (fd, KRUN_CONFIG_FILE, config, config_size, err);
       if (UNLIKELY (ret < 0))
         return ret;
     }