layer: don't permit / type to be changed on extraction

cyphar · cyphar · commit d9efc31daf22 · 2021-04-05T21:57:26.000+10:00
If users can change the type of / to a symlink, they can cause umoci to overwrite host files. This is obviously bad, and is not caught by the rest of our directory escape detection code because the root itself has been changed to a different directory. Fixes: CVE-2021-29136 Reported-by: Robin Peraglie <robin@cure53.de> Tested-by: Daniel Dao <dqminh89@gmail.com> Reviewed-by: Tycho Andersen <tycho@tycho.pizza> Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) (
 	if filepath.Join("/", hdr.Name) == "/" {
 		// If we got an entry for the root, then unsafeDir is the full path.
 		unsafeDir, file = hdr.Name, "."
+		// If we're being asked to change the root type, bail because they may
+		// change it to a symlink which we could inadvertently follow.
+		if hdr.Typeflag != tar.TypeDir {
+			return errors.New("malicious tar entry -- refusing to change type of root directory")
+		}
 	}
 	dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)
 	if err != nil {
