Re: [chrony-users] about CVE-2020-14367



Thank you for your job

-----Original Message-----
From: Miroslav Lichvar [mailto:mlichvar@xxxxxxxxxx]
Sent: June 6, 2022 17:43
To: chrony-users@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [chrony-users] about CVE-2020-14367

On Mon, Jun 06, 2022 at 09:04:46AM +0000, chengyechun wrote:
> All,
> 
> I'm using chrony version 4.1 on an embedded Linux system and I found something about CVE-2020-14367: if some user with privileges to change the chronyd.pid file does so, like echo another pid > chronyd.pid, then we can't use the command “chronyd” to start chronyd service. This is because the checkpid function checks whether a valid pid exists in the pid file. However, if the pid value in the chrony.pid file is not that of the chronyd service, the denial of service will occur.

Only root (or equivalent) and the chrony user should be able to create or modify the pidfile. Those users can do whatever they like with chronyd, e.g. modify the memory of the process, or control it with chronyc over the Unix domain socket. Being able to prevent its start is not different.

I understand that modifying the chronyd.pid file requires the root permission, whereas in CVE-2020-14367, only creating symlinks does not require a higher permission.

> Check whether the PID in the chronyd.pid file is the PID of the chronyd service instead of rejecting the file?

Is there a portable way to do that? How would it work if there were two versions of chronyd installed under different names? The purpose of the pidfile is to prevent two chronyd instances running at the same time.


If the above is not true, there is no need to check the contents of the pid file, but the simple way is to use the "ps" command. The pseudocode is as follows:
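#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 0 if no other process matching proname is found, 1 if one is,
 * -1 if the ps pipeline could not be started. */
int  check_run(char *proname)
{
        FILE            *fp = NULL;
        char            command[150];
        char            buf[300];
        int             count = 3;

        /* Count the "ps -ef" lines that contain the program name as a word.
         * proname is placed into a shell command unquoted, so it must be a
         * trusted value. */
        snprintf(command, sizeof(command), "ps -ef | grep -w %s | wc -l ", proname);

        fp=popen(command, "r");
        if( !fp )
        {
                printf("popen error\n");
                return -1;
        }

        if((fgets(buf, sizeof(buf), fp)) != NULL)
        {
                count = atoi(buf);
                printf("%d\n", count);
        }

        /*snprintf(command, sizeof(command), "ps -ef | grep -w %s ", proname);
        fp=popen(command, "r");
        while( count != 7)
        {
                fgets(buf, sizeof(buf), fp);
                printf("%s",buf);
                count++;
        }*/

        pclose(fp);
        fp = NULL;

        /* Exactly 3 matching lines is treated as "only this instance". */
        if((count -3) == 0)
        {
                return 0;
        }
        else
        {
                return 1;
        }

}

int   main(int argc, char **argv)
{
        int    rv;
        char   *progname=NULL;

        (void)argc;
        progname=basename(argv[0]);
        printf("%s\n", progname);
        rv = check_run(progname);
        printf("%d\n", rv);
        /* Loop forever, keeping this instance visible to ps. */
        while(1)
        {};
}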

--
Miroslav Lichvar
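
The two concerns raised in this thread (a wrong PID written into the pidfile blocking startup, and the pidfile still having to prevent two instances) can both be handled by holding an advisory lock on the pidfile instead of trusting its text. The C code below is an added example, not chronyd's code and not something posted in this thread; `pidfile_acquire`, `second_instance_result` and the path are hypothetical names, and it assumes POSIX `fcntl` record locks and `O_NOFOLLOW` are available.

```c
/* Added example, not chronyd code: the kernel-held lock, not the PID text, decides. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns an fd to keep open while the daemon runs, -1 if another live process
 * holds the lock, -2 on other errors (e.g. ELOOP when the path is a symlink). */
int pidfile_acquire(const char *path)
{
    struct flock lk = { .l_type = F_WRLCK, .l_whence = SEEK_SET }; /* whole file */
    char buf[32];
    int len, fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);
    if (fd < 0)
        return -2;
    if (fcntl(fd, F_SETLK, &lk) < 0) {
        int held = (errno == EACCES || errno == EAGAIN);
        close(fd);
        return held ? -1 : -2;
    }
    /* The lock is ours, so any PID already in the file is stale: overwrite it. */
    len = snprintf(buf, sizeof(buf), "%ld\n", (long)getpid());
    if (ftruncate(fd, 0) < 0 || write(fd, buf, len) != len) {
        close(fd);
        return -2;
    }
    return fd;
}

/* Tries the same acquisition from a forked child, as a second instance would.
 * Returns 0 if the child got the lock, otherwise the child's -1 / -2 result. */
int second_instance_result(const char *path)
{
    int st, r;
    pid_t c = fork();
    if (c == 0)
        _exit((r = pidfile_acquire(path)) >= 0 ? 0 : -r);
    if (c < 0 || waitpid(c, &st, 0) < 0 || !WIFEXITED(st))
        return -2;
    return -WEXITSTATUS(st);
}

int main(void)
{
    int fd = pidfile_acquire("/tmp/example-daemon.pid");   /* constructed path */
    printf("first=%d second=%d\n", fd, second_instance_result("/tmp/example-daemon.pid"));
    return fd >= 0 ? 0 : 1;
}
```

A process loses its `fcntl` locks as soon as it closes any descriptor for that file, so the daemon must not open and close the pidfile again elsewhere while it runs.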

