From owner-freebsd-security@FreeBSD.ORG Tue May 26 20:32:45 2009 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8362810656D9; Tue, 26 May 2009 20:32:45 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id 44A638FC1A; Tue, 26 May 2009 20:32:45 +0000 (UTC) (envelope-from des@des.no) Received: from ds4.des.no (cm-84.215.252.34.getinternet.no [84.215.252.34]) by smtp.des.no (Postfix) with ESMTP id 9C5706D41E; Tue, 26 May 2009 22:13:21 +0200 (CEST) Received: by ds4.des.no (Postfix, from userid 1001) id 87F43844DE; Tue, 26 May 2009 22:13:21 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Jakub Lach References: <23727599.post@talk.nabble.com> Date: Tue, 26 May 2009 22:13:21 +0200 In-Reply-To: <23727599.post@talk.nabble.com> (Jakub Lach's message of "Tue, 26 May 2009 10:18:50 -0700 (PDT)") Message-ID: <86prdvipwe.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.92 (berkeley-unix) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Mailman-Approved-At: Tue, 26 May 2009 21:02:18 +0000 Cc: freebsd-hackers@freebsd.org Subject: Re: FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 May 2009 20:32:46 -0000 --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable [moving from security@ to hackers@] Jakub Lach writes: > http://www.freebsd.org/cgi/query-pr.cgi?pr=3Dkern/21768 Like bde@ pointed out, the patch is incorrect. It moves the test for v_type !=3D VDIR up to a point where, in the case of a symlink, v_type is always (by definition) VLNK. The reason why the current code does not work is that, in the symlink case, the v_type !=3D VDIR test is never reached: we will have jumped to either bad2 or success. However, it should be safe to move the test to after the success label, because trailing_slash is only ever true for the last component of the path we were asked to look up (see lines 520 through 535). The attached patch should work. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=symlink-slash.diff Index: sys/kern/vfs_lookup.c =================================================================== --- sys/kern/vfs_lookup.c (revision 192614) +++ sys/kern/vfs_lookup.c (working copy) @@ -800,14 +800,6 @@ goto success; } - /* - * Check for bogus trailing slashes. - */ - if (trailing_slash && dp->v_type != VDIR) { - error = ENOTDIR; - goto bad2; - } - nextname: /* * Not a symbolic link. If more pathname, @@ -861,6 +853,14 @@ VOP_UNLOCK(dp, 0); success: /* + * Check for bogus trailing slashes. + */ + if (trailing_slash && dp->v_type != VDIR) { + error = ENOTDIR; + goto bad2; + } + + /* * Because of lookup_shared we may have the vnode shared locked, but * the caller may want it to be exclusively locked. */ --=-=-=--