Date: Mon, 9 Feb 2015 19:11:46 -0800 (PST)
From: Don Lewis <truckman@FreeBSD.org>
To: mjguzik@gmail.com
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, rpaulo@FreeBSD.org
Subject: Re: svn commit: r278479 - in head: etc sys/kern
Message-ID: <201502100311.t1A3BkE0016096@gw.catspoiler.org>
In-Reply-To: <20150210024317.GA21779@dft-labs.eu>
On 10 Feb, Mateusz Guzik wrote:
> On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
>> +notify 10 {
>> + match "system" "kernel";
>> + match "subsystem" "signal";
>> + match "type" "coredump";
>> + action "logger $comm $core";
>> +};
>> +
>> */
>>
> [..]
>> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
>> + goto out;
>> + snprintf(data, len, "comm=%s", fullpath);
>
> I cannot test it right now, but it looks like immediate privilege
> escalation.
>
> Path is not sanitized in any way and devd passes it to 'sh -c'.
>
> So a file named "a.out; /bin/id; meh" or so should result in execution
> of aforementioned /bin/id.

Then there is the issue of a user-generated core file being fed into the
crash analyzer, possibly exploiting bugs in the latter.
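Review bot: in the devd.conf hunk, `action "logger $comm $core";` splices $comm, a path chosen by whoever named the crashing executable, into a command string that devd hands to sh -c, so any shell metacharacter in the path (`;`, `$`, backticks, newline) is executed with devd's privileges. Either have devd quote each expanded variable for sh before building the command line (single quotes, with embedded single quotes escaped), or run the action via execv(2) with an argv instead of a shell string; also note that $core names a user-influenced file, so whatever consumes it downstream must treat it as hostile input.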
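Review bot: in the sys/kern hunk, `snprintf(data, len, "comm=%s", fullpath);` emits the resolved path verbatim into the devctl message with no check on its contents, even though any unprivileged user can give an executable an arbitrary name; consider restricting the emitted value to a conservative character set (and dropping or marking the event otherwise), or at minimum documenting that consumers must treat `comm` as untrusted bytes and never pass it to a shell. Separately, the `goto out` on vn_fullpath_global() failure silently suppresses the whole coredump notification; it would be better to still emit the event without the comm field so a path-resolution failure is not invisible to devd consumers.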
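The injection described in the thread, and the two fixes a practitioner would reach for, as an added example that is not code from r278479, devd or FreeBSD: build_action_unsafe() reproduces the "logger $comm $core" pattern with verbatim interpolation, shell_quote() wraps a value in POSIX single quotes so sh treats it as one literal word, and comm_is_safe() is the kind of allow-list check the producer side (here, the kernel building "comm=") could apply before emitting the path. The sample path "a.out; /bin/id; meh" and the core path are constructed inputs; the function names are this example's own.

```c
/* Added example, not code from the r278479 commit, devd or FreeBSD.
 * Shows why interpolating an attacker-named executable path into a
 * string later passed to sh -c is a command injection, and two ways
 * to close it: quote the value for sh, or refuse unsafe values. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Constructed inputs, as in the report: the crashing binary was named
 * so that its path carries shell metacharacters. */
static const char *kMaliciousComm = "a.out; /bin/id; meh";
static const char *kCore = "/var/crash/a.out.core";

/* Vulnerable pattern: variables spliced verbatim into a command string
 * that is then handed to sh -c. Returned buffer is malloc'd. */
char *build_action_unsafe(const char *comm, const char *core)
{
    size_t n = strlen("logger ") + strlen(comm) + 1 + strlen(core) + 1;
    char *cmd = malloc(n);
    if (cmd == NULL) return NULL;
    snprintf(cmd, n, "logger %s %s", comm, core);
    return cmd;  /* e.g. "logger a.out; /bin/id; meh /var/crash/a.out.core" */
}

/* Wrap s in single quotes for POSIX sh; an embedded ' becomes '\''.
 * Inside single quotes sh performs no expansion, so ';', '$', '`' and
 * newline are literal. Returned buffer is malloc'd. */
char *shell_quote(const char *s)
{
    size_t n = 2 + 1;  /* surrounding quotes + NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n);
    if (out == NULL) return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Hardened consumer side: every interpolated value is quoted before the
 * command line reaches the shell. Returned buffer is malloc'd. */
char *build_action_quoted(const char *comm, const char *core)
{
    char *qc = shell_quote(comm), *qk = shell_quote(core);
    if (qc == NULL || qk == NULL) { free(qc); free(qk); return NULL; }
    size_t n = strlen("logger ") + strlen(qc) + 1 + strlen(qk) + 1;
    char *cmd = malloc(n);
    if (cmd != NULL) snprintf(cmd, n, "logger %s %s", qc, qk);
    free(qc); free(qk);
    return cmd;
}

/* Hardened producer side: an allow-list the emitter of "comm=" could
 * apply. Accepts only an absolute path made of characters that are
 * inert to sh and to a key=value message format. Returns 1 if safe. */
int comm_is_safe(const char *s)
{
    if (*s != '/') return 0;  /* a resolved full path is absolute */
    for (const char *p = s; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '/' || c == '.' || c == '_' ||
              c == '-' || c == '+'))
            return 0;
    }
    return 1;
}

int main(void)
{
    char *u = build_action_unsafe(kMaliciousComm, kCore);
    char *q = build_action_quoted(kMaliciousComm, kCore);
    printf("unsafe : sh -c \"%s\"\n", u);   /* runs /bin/id */
    printf("quoted : sh -c \"%s\"\n", q);   /* logger gets one literal arg */
    printf("allow-list accepts \"%s\": %d\n", kMaliciousComm,
           comm_is_safe(kMaliciousComm));
    printf("allow-list accepts /usr/local/bin/a.out: %d\n",
           comm_is_safe("/usr/local/bin/a.out"));
    free(u); free(q);
    return 0;
}
```

Quoting at the consumer (devd) protects every action line at once; the allow-list at the producer (kernel) is coarser but also protects consumers that never see the fix. Neither addresses the second point in the reply, that the core file itself is attacker-controlled input to whatever parses it.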