[PATCH v2] net/ark: fix unsafe env variable in extension loading

[Denis Sergeev]

The ARK_EXT_PATH environment variable is passed to dlopen without
verifying process privileges. In a setuid/setgid scenario, this
could allow loading an arbitrary shared library with elevated
privileges.

Add a check that effective user/group IDs match real IDs before
trusting the environment variable, consistent with the same
protection already present in the mlx5 driver.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 727b3fe292bc ("net/ark: integrate PMD")
Cc: stable at dpdk.org

Signed-off-by: Denis Sergeev <denserg.edu at gmail.com>
---
v2:
  * Fix Fixes: tag to use 12-char sha1 (checkpatch BAD_FIXES_TAG)

 drivers/net/ark/ark_ethdev.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ark/ark_ethdev.c b/drivers/net/ark/ark_ethdev.c
index 8b25ed948f..e25478103b 100644
--- a/drivers/net/ark/ark_ethdev.c
+++ b/drivers/net/ark/ark_ethdev.c
@@ -211,9 +211,19 @@ static int
 check_for_ext(struct ark_adapter *ark)
 {
 	int found = 0;
+	const char *dllpath;
+
+	/*
+	 * A basic security check is necessary before trusting
+	 * ARK_EXT_PATH environment variable.
+	 */
+	if (geteuid() != getuid() || getegid() != getgid()) {
+		ARK_PMD_LOG(DEBUG, "EXT ignoring ARK_EXT_PATH under setuid/setgid\n");
+		return 0;
+	}
 
 	/* Get the env */
-	const char *dllpath = getenv("ARK_EXT_PATH");
+	dllpath = getenv("ARK_EXT_PATH");
 
 	if (dllpath == NULL) {
 		ARK_PMD_LOG(DEBUG, "EXT NO dll path specified\n");
-- 
2.50.1