From owner-svn-src-head@FreeBSD.ORG Tue Feb 10 02:43:23 2015
Date: Tue, 10 Feb 2015 03:43:18 +0100
From: Mateusz Guzik
To: Rui Paulo
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r278479 - in head: etc sys/kern
Message-ID: <20150210024317.GA21779@dft-labs.eu>
In-Reply-To: <201502092313.t19NDpoS083043@svn.freebsd.org>
References: <201502092313.t19NDpoS083043@svn.freebsd.org>
List-Id: SVN commit messages for the src tree for head/-current

On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
> +notify 10 {
> + match "system" "kernel";
> + match "subsystem" "signal";
> + match "type" "coredump";
> + action "logger $comm $core";
> +};
> +
> */
> [..]
> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
> + goto out;
> + snprintf(data, len, "comm=%s", fullpath);

I cannot test it right now, but it looks like immediate privilege escalation.

Path is not sanitized in any way and devd passes it to 'sh -c'. So a file named "a.out; /bin/id; meh" or so should result in execution of aforementioned /bin/id.

Another note is that currently devctl is record oriented, but this may change at some point and free form userspace text could be used to forge new events. As such I strongly suggest we sanitize this somehow. Maybe a base64 or something.

-- 
Mateusz Guzik
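Review bot: In the sys/kern hunk, `snprintf(data, len, "comm=%s", fullpath);` copies the executable path into the devctl record byte-for-byte, and the etc hunk's `action "logger $comm $core";` then substitutes that value into a command that devd runs through `sh -c`, so any shell metacharacter in the path changes the command that is executed, as the reply notes. Suggest encoding the path before it is placed in the record (base64, or a strict escaping that devd reverses before use) rather than documenting `$comm` as trusted, and while here confirm that `freepath` is released on the `goto out` path, which the quoted lines do not show.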
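The reply's suggestion, encoding the path so that devd never sees raw bytes from the filesystem, worked through as an added example. This is not FreeBSD kernel or devd code: `path_is_shell_safe`, `b64_encode`, `b64_decode` and `build_comm_field` are hypothetical names, the allow-list is a constructed one, and the sample file name is the one from the reply. It shows the check a kernel-side producer would apply, the base64 form the `comm=` field would carry, and the strict decode a consumer like devd would perform before handing the value to anything else.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Allow-list check (constructed, not FreeBSD's): 1 if every byte is one a
 * POSIX shell treats literally, 0 otherwise. ';', '|', '$', '`', quotes,
 * whitespace and non-ASCII bytes are all rejected. */
int path_is_shell_safe(const char *p)
{
	static const char ok[] =
	    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	    "0123456789/._-+:,@%";

	if (p == NULL || *p == '\0')
		return 0;
	for (; *p != '\0'; p++)
		if (strchr(ok, (unsigned char)*p) == NULL)
			return 0;
	return 1;
}

static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 with '=' padding. Returns chars written (without the NUL)
 * or -1 when dst cannot hold 4*ceil(len/3)+1 bytes. */
int b64_encode(const unsigned char *src, size_t len, char *dst, size_t dstlen)
{
	size_t i = 0, o = 0;

	if (dstlen < 4 * ((len + 2) / 3) + 1)
		return -1;
	for (; i + 3 <= len; i += 3) {
		uint32_t v = ((uint32_t)src[i] << 16) | ((uint32_t)src[i + 1] << 8) | src[i + 2];
		dst[o++] = b64tab[(v >> 18) & 63];
		dst[o++] = b64tab[(v >> 12) & 63];
		dst[o++] = b64tab[(v >> 6) & 63];
		dst[o++] = b64tab[v & 63];
	}
	if (len - i > 0) {			/* one or two trailing bytes */
		uint32_t v = (uint32_t)src[i] << 16;
		if (len - i == 2)
			v |= (uint32_t)src[i + 1] << 8;
		dst[o++] = b64tab[(v >> 18) & 63];
		dst[o++] = b64tab[(v >> 12) & 63];
		dst[o++] = (len - i == 2) ? b64tab[(v >> 6) & 63] : '=';
		dst[o++] = '=';
	}
	dst[o] = '\0';
	return (int)o;
}

static int b64_val(int c)
{
	if (c >= 'A' && c <= 'Z') return c - 'A';
	if (c >= 'a' && c <= 'z') return c - 'a' + 26;
	if (c >= '0' && c <= '9') return c - '0' + 52;
	if (c == '+') return 62;
	if (c == '/') return 63;
	return -1;
}

/* Strict decoder for the consuming side: rejects bad alphabet, bad length,
 * padding anywhere but the final quantum, and '=' followed by data.
 * Returns bytes written or -1. */
int b64_decode(const char *src, unsigned char *dst, size_t dstlen)
{
	size_t n = strlen(src), o = 0;

	if (n == 0 || n % 4 != 0)
		return -1;
	for (size_t i = 0; i < n; i += 4) {
		int a = b64_val(src[i]), b = b64_val(src[i + 1]);
		int c = b64_val(src[i + 2]), d = b64_val(src[i + 3]);
		int pad = (src[i + 2] == '=') + (src[i + 3] == '=');
		uint32_t v;

		if (a < 0 || b < 0 || (c < 0 && src[i + 2] != '=') || (d < 0 && src[i + 3] != '='))
			return -1;
		if ((pad > 0 && i + 4 != n) || (src[i + 2] == '=' && src[i + 3] != '='))
			return -1;
		if (o + 3 - pad > dstlen)
			return -1;
		v = ((uint32_t)a << 18) | ((uint32_t)b << 12) |
		    ((uint32_t)(c < 0 ? 0 : c) << 6) | (uint32_t)(d < 0 ? 0 : d);
		dst[o++] = (v >> 16) & 0xff;
		if (pad < 2) dst[o++] = (v >> 8) & 0xff;
		if (pad < 1) dst[o++] = v & 0xff;
	}
	return (int)o;
}

/* Producer-side shape of the proposed fix: the record carries base64(path),
 * so no byte of the path reaches the action's shell as-is. Buffer sized for
 * paths up to 1024 bytes (an assumption of this example). */
int build_comm_field(const char *fullpath, char *data, size_t len)
{
	char enc[4 * ((1024 + 2) / 3) + 1];
	int n;

	if (b64_encode((const unsigned char *)fullpath, strlen(fullpath), enc, sizeof(enc)) < 0)
		return -1;
	n = snprintf(data, len, "comm=%s", enc);
	return (n < 0 || (size_t)n >= len) ? -1 : n;
}

int main(void)
{
	const char *name = "a.out; /bin/id; meh";	/* file name from the reply */
	char data[256];
	unsigned char back[64];
	int n;

	printf("shell-safe: %d\n", path_is_shell_safe(name));
	if (build_comm_field(name, data, sizeof(data)) < 0)
		return 1;
	printf("record: %s\n", data);
	n = b64_decode(data + 5, back, sizeof(back));
	printf("decoded %d bytes: %.*s\n", n, n, (const char *)back);
	return 0;
}
```

Two design points: the allow-list check alone is not the fix, since a rejected path still has to be reported somehow, which is why the record carries the encoded form and the check only serves as a diagnostic; and the decoder is strict on purpose, because a record-oriented channel that later admits free-form text is exactly the case the reply warns about, so the consumer must refuse anything that is not a well-formed token.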