Date: Wed, 27 Jun 2018 09:44:55 -0400
From: Shawn Webb
To: Warner Losh
Cc: Oliver Pinter, "svn-src-head@freebsd.org", "svn-src-all@freebsd.org", "src-committers@freebsd.org", Warner Losh
Subject: Re: svn commit: r335690 - head/sys/kern
Message-ID: <20180627134455.k6jvum4pnuejas3x@mutt-hbsd>
References: <201806270411.w5R4B9ZB078994@repo.freebsd.org>

On Wed, Jun 27, 2018 at 07:42:52AM -0600, Warner Losh wrote:
> On Wed, Jun 27, 2018 at 12:59 AM, Oliver Pinter <
> oliver.pinter@hardenedbsd.org> wrote:
>
> >
> >
> > On Wednesday, June 27, 2018, Warner Losh wrote:
> >
> >> Author: imp
> >> Date: Wed Jun 27 04:11:09 2018
> >> New Revision: 335690
> >> URL: https://svnweb.freebsd.org/changeset/base/335690
> >>
> >> Log:
> >> Fix devctl generation for core files.
> >>
> >> We have a problem with vn_fullpath_global when the file exists. Work
> >> around it by printing the full path if the core file name starts with /,
> >> or current working directory followed by the filename if not.
> >>
> >> Sponsored by: Netflix
> >> Differential Review: https://reviews.freebsd.org/D16026
> >>
> >> Modified:
> >> head/sys/kern/kern_sig.c
> >>
> >> Modified: head/sys/kern/kern_sig.c
> >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > >> --- head/sys/kern/kern_sig.c Wed Jun 27 04:10:48 2018 (r3356= 89) > >> +++ head/sys/kern/kern_sig.c Wed Jun 27 04:11:09 2018 (r3356= 90)
> >> @@ -3431,24 +3431,6 @@ out: > >> return (0); > >> } > >> > >> -static int > >> -coredump_sanitise_path(const char *path) > >> -{ > >> - size_t i; > >> - > >> - /* > >> - * Only send a subset of ASCII to devd(8) because it > >> - * might pass these strings to sh -c. > >> - */ > >> - for (i =3D 0; path[i]; i++) > >> - if (!(isalpha(path[i]) || isdigit(path[i])) && > >> - path[i] !=3D '/' && path[i] !=3D '.' && > >> - path[i] !=3D '-') > >> - return (0);
> >
> >
> > This part of code existed to prevent shell code injection via file names.
> > After this commit we lose this.
> >
>
> It's devd's job to prevent that, not the kernel's.

Has devd been updated? Or is this particular vulnerability manifest again?

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: lattera@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
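
Review bot: The core file path still needs a shell-safety check somewhere, because the coredump_sanitise_path() removed at -3431 was the filter that limited it to letters, digits, '/', '.' and '-' before devd(8) could pass it to sh -c, and nothing in the visible lines replaces it. Either keep an allowlist check on the path string built for the devctl notification, covering both the absolute-name case and the cwd-plus-filename case described in the log, or land the quoting on the devd side first and state in the commit log which component now owns that check.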