capability: let's protect against the kernel eventually doing more than 64 caps

poettering · poettering · commit 5211445eaea6 · 2019-03-15T15:33:09.000+01:00
Everyone will be in trouble then (as quite widely caps are store in
64bit fields). But let's protect ourselves at least to the point that we
ignore all higher caps for now.
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
@@ -47,6 +47,13 @@ unsigned long cap_last_cap(void) {
         if (r >= 0) {
                 r = safe_atolu(content, &p);
                 if (r >= 0) {
+
+                        if (p > 63) /* Safety for the future: if one day the kernel learns more than 64 caps,
+                                     * then we are in trouble (since we, as much userspace and kernel space
+                                     * store capability masks in uint64_t types. Let's hence protect
+                                     * ourselves against that and always cap at 63 for now. */
+                                p = 63;
+
                         saved = p;
                         valid = true;
                         return p;
@@ -58,17 +65,15 @@ unsigned long cap_last_cap(void) {
 
         if (prctl(PR_CAPBSET_READ, p) < 0) {
 
-                /* Hmm, look downwards, until we find one that
-                 * works */
+                /* Hmm, look downwards, until we find one that works */
                 for (p--; p > 0; p --)
                         if (prctl(PR_CAPBSET_READ, p) >= 0)
                                 break;
 
         } else {
 
-                /* Hmm, look upwards, until we find one that doesn't
-                 * work */
-                for (;; p++)
+                /* Hmm, look upwards, until we find one that doesn't work */
+                for (; p < 63; p++)
                         if (prctl(PR_CAPBSET_READ, p+1) < 0)
                                 break;
         }
