From owner-svn-src-all@FreeBSD.ORG Tue Feb 10 02:58:09 2015 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CF7BF624; Tue, 10 Feb 2015 02:58:09 +0000 (UTC) Received: from st11p02mm-asmtp002.mac.com (st11p02mm-asmtpout002.mac.com [17.172.220.237]) (using TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A28E619C; Tue, 10 Feb 2015 02:58:09 +0000 (UTC) Received: from fukuyama.hsd1.ca.comcast.net (unknown [73.162.13.215]) by st11p02mm-asmtp002.mac.com (Oracle Communications Messaging Server 7.0.5.35.0 64bit (built Dec 4 2014)) with ESMTPSA id <0NJJ001BWC801J20@st11p02mm-asmtp002.mac.com>; Tue, 10 Feb 2015 02:57:41 +0000 (GMT) X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68,1.0.33,0.0.0000 definitions=2015-02-10_01:2015-02-09,2015-02-10,1970-01-01 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=2 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1412110000 definitions=main-1502100027 Content-type: text/plain; charset=us-ascii MIME-version: 1.0 (Mac OS X Mail 8.2 \(2070.6\)) Subject: Re: svn commit: r278479 - in head: etc sys/kern From: Rui Paulo In-reply-to: <20150210024317.GA21779@dft-labs.eu> Date: Mon, 09 Feb 2015 18:57:36 -0800 Content-transfer-encoding: quoted-printable Message-id: References: <201502092313.t19NDpoS083043@svn.freebsd.org> <20150210024317.GA21779@dft-labs.eu> To: Mateusz Guzik X-Mailer: Apple Mail (2.2070.6) Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, Rui Paulo X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Feb 2015 02:58:09 -0000 On Feb 9, 2015, at 18:43, Mateusz Guzik wrote: >=20 > On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote: >> +notify 10 { >> + match "system" "kernel"; >> + match "subsystem" "signal"; >> + match "type" "coredump"; >> + action "logger $comm $core"; >> +}; >> + >> */ >>=20 > [..] >> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) !=3D= 0) >> + goto out; >> + snprintf(data, len, "comm=3D%s", fullpath); >=20 > I cannot test it right now, but it looks like immediate privilege > escalation. >=20 > Path is not sanitized in any way and devd passes it to 'sh -c'. >=20 > So a file named "a.out; /bin/id; meh" or so should result in execution > of aforementioned /bin/id. Well, you can't have a file name with "/" but you're right. > Another note is that currently devctl is record oriented, but this may > change at some point and free form userspace text could be used to = forge > new events. >=20 > As such is trongly suggest we sanitize this somehow. Maybe a base64 or > something. I was trying hard to avoid this issue in unpublished my crash helper, = but I forgot that devd runs execl("sh -c", ....); :-( It might just be easier to inspect the path names and allow only = [a-z][A-Z][0-9] and '/' before sending the devctl message. -- Rui Paulo