Date: Mon, 9 Feb 2015 19:15:16 -0800 (PST) From: Don Lewis <truckman@FreeBSD.org> To: mjguzik@gmail.com Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, rpaulo@FreeBSD.org Subject: Re: svn commit: r278479 - in head: etc sys/kern Message-ID: <201502100315.t1A3FGpQ016118@gw.catspoiler.org> In-Reply-To: <201502100311.t1A3BkE0016096@gw.catspoiler.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 9 Feb, Don Lewis wrote:
> On 10 Feb, Mateusz Guzik wrote:
>> On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
>>> +notify 10 {
>>> + match "system" "kernel";
>>> + match "subsystem" "signal";
>>> + match "type" "coredump";
>>> + action "logger $comm $core";
>>> +};
>>> +
>>> */
>>>
>> [..]
>>> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
>>> + goto out;
>>> + snprintf(data, len, "comm=%s", fullpath);
>>
>> I cannot test it right now, but it looks like immediate privilege
>> escalation.
>>
>> Path is not sanitized in any way and devd passes it to 'sh -c'.
>>
>> So a file named "a.out; /bin/id; meh" or so should result in execution
>> of aforementioned /bin/id.
>
> Then there is the issue of a user-generated core file being fed into the
> crash analyzer, possibly exploiting bugs in the latter.
Or worse, the contents of the executable, in particular the debug info,
could also be an attack vector.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201502100315.t1A3FGpQ016118>