Date: Sun, 27 Nov 2016 14:56:27 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 214881] jail with path=/ and sysctl.disablefullpath=1 leads to NULL dereference
Message-ID: <bug-214881-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214881

            Bug ID: 214881
           Summary: jail with path=/ and sysctl.disablefullpath=1 leads to NULL dereference
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: aler@playground.ru

How to reproduce:

    sysctl debug.disablefullpath=1
    jail / x 127.0.0.1 csh

Source of the problem: /sys/kern/kern_jail.c, kern_jail_set(), lines near 930-1000 depending on source version (9.3, 10.x, 11.x, HEAD), "path" option handling branch.

This sets path=NULL when it is "" or "/" and disablefullpath=1:

    936         error = vn_path_to_global_path(td, root, g_path, MAXPATHLEN);
    937         if (error == 0)
    938                 path = g_path;
    939         else if (error == ENODEV) {
    940                 /* proceed if sysctl debug.disablefullpath == 1 */
    941                 fullpath_disabled = 1;
    942                 if (len < 2 || (len == 2 && path[0] == '/'))
    943                         path = NULL;

This dereferences it:

    954         if (fullpath_disabled) {
    955                 /* Leave room for a real-root full pathname. */
    956                 if (len + (path[0] == '/' && strcmp(mypr->pr_path, "/")
    957                     ? strlen(mypr->pr_path) : 0) > MAXPATHLEN) {
    958                         error = ENAMETOOLONG;
    959                         vrele(root);
    960                         goto done_free;
    961                 }
    962         }

Most likely it should release all things that it locked/allocated for path handling after vfs_getopt(opts, "path", (void **)&path, &len) and jump out of this if() after setting path to NULL, but I'm not sure how exactly. Maybe the comparison of path with "/" is not in place and should be done after a successful vn_path_to_global_path() too. The whole "path" option handling branch code looks a bit weird to me.
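Added example, not code from the bug report or from FreeBSD's kern_jail.c: a userland C model of the two quoted steps (the ENODEV branch that turns "" and "/" into NULL, and the room check that then reads path[0]), with an assumed NULL guard in the room check so that path=/ with disablefullpath=1 is handled instead of dereferenced. The function names, the guard and the length constants are this model's own assumptions, not the project's fix.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Userland model of the "path" option branch in kern_jail_set().
 * Constructed for illustration only; not FreeBSD's code nor its fix. */

#define MAXPATHLEN 1024   /* same bound the kernel check uses */

/*
 * Step 1 (mirrors the ENODEV branch): with debug.disablefullpath=1 the
 * kernel cannot resolve a global path, so "" and "/" become NULL.
 * `len` is the vfs_getopt() length, i.e. strlen(path) + 1 for the NUL.
 */
static const char *
normalize_jail_path(const char *path, size_t len, int fullpath_disabled)
{
	if (fullpath_disabled && (len < 2 || (len == 2 && path[0] == '/')))
		return NULL;
	return path;
}

/*
 * Step 2 (the room check): the quoted kernel code evaluates path[0]
 * here even when step 1 produced NULL. The NULL guard is this model's
 * assumed fix: a NULL path means the root stays "/", so no room for a
 * real-root prefix is needed and the check is skipped.
 */
static int
jail_path_room(const char *path, size_t len, int fullpath_disabled,
    const char *mypr_path)
{
	size_t prefix;

	if (!fullpath_disabled || path == NULL)
		return 0;
	prefix = (path[0] == '/' && strcmp(mypr_path, "/") != 0)
	    ? strlen(mypr_path) : 0;
	if (len + prefix > MAXPATHLEN)
		return ENAMETOOLONG;
	return 0;
}

/* Drives both steps for a jail(8)-style path; returns 0 or an errno. */
int
jail_path_check(const char *path, int fullpath_disabled,
    const char *mypr_path)
{
	size_t len = strlen(path) + 1;   /* vfs_getopt() counts the NUL */
	const char *p = normalize_jail_path(path, len, fullpath_disabled);

	return jail_path_room(p, len, fullpath_disabled, mypr_path);
}
```

The last two test cases below show the room check still doing its job for a long path created from inside a nested jail, while the reporter's `path=/` case now returns 0 instead of faulting.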
