From owner-svn-src-all@FreeBSD.ORG Tue Feb 10 03:11:59 2015
Return-Path:
Delivered-To: svn-src-all@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 2301EA40;
	Tue, 10 Feb 2015 03:11:59 +0000 (UTC)
Received: from gw.catspoiler.org (cl-1657.chi-02.us.sixxs.net [IPv6:2001:4978:f:678::2])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id BECF566C;
	Tue, 10 Feb 2015 03:11:58 +0000 (UTC)
Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2])
	by gw.catspoiler.org (8.13.3/8.13.3) with ESMTP id t1A3BkE0016096;
	Mon, 9 Feb 2015 19:11:50 -0800 (PST)
	(envelope-from truckman@FreeBSD.org)
Message-Id: <201502100311.t1A3BkE0016096@gw.catspoiler.org>
Date: Mon, 9 Feb 2015 19:11:46 -0800 (PST)
From: Don Lewis
Subject: Re: svn commit: r278479 - in head: etc sys/kern
To: mjguzik@gmail.com
In-Reply-To: <20150210024317.GA21779@dft-labs.eu>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, rpaulo@FreeBSD.org
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 10 Feb 2015 03:11:59 -0000

On 10 Feb, Mateusz Guzik wrote:
> On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
>> +notify 10 {
>> + match "system" "kernel";
>> + match "subsystem" "signal";
>> + match "type" "coredump";
>> + action "logger $comm $core";
>> +};
>> +
>> */
>>
> [..]
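Review bot: the action line `action "logger $comm $core";` hands both expanded variables to the shell unquoted, so any shell metacharacter in the expanded value is interpreted as command syntax rather than as part of an argument; as the thread notes, `$comm` is a path whose name is chosen by whoever created the executable, so this example cannot assume the value is benign. Suggest quoting or escaping expanded variables before devd runs the action (or restricting them to a fixed safe character set) and stating in the surrounding comment that `$comm` and `$core` are untrusted input.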
>> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
>> + goto out;
>> + snprintf(data, len, "comm=%s", fullpath);
>
> I cannot test it right now, but it looks like immediate privilege
> escalation.
>
> Path is not sanitized in any way and devd passes it to 'sh -c'.
>
> So a file named "a.out; /bin/id; meh" or so should result in execution
> of aforementioned /bin/id.

Then there is the issue of a user-generated core file being fed into the
crash analyzer, possibly exploiting bugs in the latter.
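Review bot: `snprintf(data, len, "comm=%s", fullpath);` copies the resolved path of `p->p_textvp` into the notification verbatim, and that path is user-controlled (any user can pick the name of the executable that dumps core), so the notification carries untrusted bytes with no escaping and a consumer that expands it into a shell action, such as the `logger $comm $core` rule in the same commit, cannot tell path bytes from shell syntax. Suggest escaping or whitelisting the characters of `fullpath` before formatting it into `data`, or documenting that every devd consumer must quote the value itself; the failure branch (`goto out`) is fine, the issue is only the success path.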
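The missing quoting step that the thread describes, as an added example (this is not devd's, the kernel's, or the commit's code; the function names `shell_quote` and `path_is_shell_safe` are hypothetical): `shell_quote()` wraps a value in single quotes so that `sh -c` treats it as one literal word, and `path_is_shell_safe()` is the stricter alternative for values that must be plain paths, rejecting anything outside a fixed character set. The input string is the one quoted in Mateusz's message; after quoting it reaches `logger` as a single argument rather than as three shell commands.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * shell_quote(): wrap an arbitrary string in single quotes so that a POSIX
 * shell treats it as one literal word.  Inside single quotes the only byte
 * that needs handling is the single quote itself, which is emitted as
 * '\'' (close the quoted word, escaped quote, reopen).
 *
 * Returns a malloc()ed string the caller must free(), or NULL on allocation
 * failure.  Hypothetical helper written for this example, not devd's code.
 */
char *
shell_quote(const char *s)
{
	size_t i, n, quotes = 0;
	char *out, *p;

	n = strlen(s);
	for (i = 0; i < n; i++)
		if (s[i] == '\'')
			quotes++;
	/* Two enclosing quotes, 3 extra bytes per embedded quote, plus NUL. */
	out = malloc(n + 2 + quotes * 3 + 1);
	if (out == NULL)
		return (NULL);
	p = out;
	*p++ = '\'';
	for (i = 0; i < n; i++) {
		if (s[i] == '\'') {
			memcpy(p, "'\\''", 4);
			p += 4;
		} else
			*p++ = s[i];
	}
	*p++ = '\'';
	*p = '\0';
	return (out);
}

/*
 * path_is_shell_safe(): stricter check for values that are supposed to be
 * filesystem paths.  Accepts only bytes that no POSIX shell interprets, and
 * rejects an empty string or a leading '-' (a tool such as logger would parse
 * the latter as an option).  A value that fails this check should be quoted
 * with shell_quote() or not passed to a shell at all.  Hypothetical helper.
 */
int
path_is_shell_safe(const char *s)
{
	static const char ok[] =
	    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	    "0123456789/._-+";
	size_t i;

	if (*s == '\0' || *s == '-')
		return (0);
	for (i = 0; s[i] != '\0'; i++)
		if (strchr(ok, s[i]) == NULL)
			return (0);
	return (1);
}

/* Constructed input: the filename quoted in the thread. */
static const char sample_comm[] = "a.out; /bin/id; meh";

int
main(void)
{
	char *q = shell_quote(sample_comm);

	if (q == NULL)
		return (1);
	/* q is now 'a.out; /bin/id; meh', one word to the shell. */
	free(q);
	return (path_is_shell_safe(sample_comm) ? 1 : 0);
}
```

The whitelist approach is the simpler one to audit; the quoting approach preserves arbitrary names, which matters if the value is later used to locate the file rather than only logged.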