From: Don Lewis
Date: Mon, 9 Feb 2015 19:15:16 -0800 (PST)
Subject: Re: svn commit: r278479 - in head: etc sys/kern
To: mjguzik@gmail.com
Cc: svn-src-head@FreeBSD.org, svn-src-all@FreeBSD.org, src-committers@FreeBSD.org, rpaulo@FreeBSD.org
In-Reply-To: <201502100311.t1A3BkE0016096@gw.catspoiler.org>
Message-Id: <201502100315.t1A3FGpQ016118@gw.catspoiler.org>

On 9 Feb, Don Lewis wrote:
> On 10 Feb, Mateusz Guzik wrote:
>> On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
>>> +notify 10 {
>>> + match "system" "kernel";
>>> + match "subsystem" "signal";
>>> + match "type" "coredump";
>>> + action "logger $comm $core";
>>> +};
>>> +
>>> */
>>>
>> [..]
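Review bot: the action line `action "logger $comm $core";` in the devd.conf hunk substitutes both variables into a command string with no quoting, and the thread notes devd hands that string to `sh -c`, so any shell metacharacter in a path becomes command syntax. Writing it as `logger "$comm" "$core"` would keep spaces and `;` inert, but `$`, backquotes and `"` inside the substituted value would still be interpreted, so the values themselves need to be restricted to a safe character set (or properly shell-quoted) before substitution.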
>>> + if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
>>> + goto out;
>>> + snprintf(data, len, "comm=%s", fullpath);
>>
>> I cannot test it right now, but it looks like immediate privilege
>> escalation.
>>
>> Path is not sanitized in any way and devd passes it to 'sh -c'.
>>
>> So a file named "a.out; /bin/id; meh" or so should result in execution
>> of aforementioned /bin/id.
>
> Then there is the issue of a user-generated core file being fed into the
> crash analyzer, possibly exploiting bugs in the latter.

Or worse, the contents of the executable, in particular the debug info,
could also be an attack vector.
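Review bot: `snprintf(data, len, "comm=%s", fullpath);` embeds the resolved executable path verbatim, and as the thread points out that value ends up on a `sh -c` command line, so the path should be checked against a conservative character set here (or shell-quoted by devd) before it is allowed into an action. The return value of `snprintf` is also discarded, so a path longer than `len` is silently truncated into a different `comm=` value instead of being rejected; compare it against `len` and skip the notification on overflow.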
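The defensive handling the thread is asking for, as an added example in userland C that is not part of the commit or of FreeBSD: one function rejects any path that is not made of a small allowlist of characters, another wraps a string in single quotes so /bin/sh treats it as a single literal word, and `format_comm` (a hypothetical stand-in for the kernel's `snprintf(data, len, "comm=%s", ...)`) refuses to emit a truncated value. The sample path is constructed from the message's own example.

```c
/* Added example (not FreeBSD code): two ways of keeping a path that will
 * reach "sh -c" from being interpreted as shell syntax. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if `path` is absolute and every byte is in a conservative
 * allowlist (letters, digits, '/', '.', '_', '-', '+'), 0 otherwise.
 * Space, ';', '$', '`', quotes and newlines are rejected, not escaped.
 * Requiring a leading '/' also stops a name like "-x" from being read as
 * an option by whatever the action runs (logger in the hunk above). */
int path_is_shell_safe(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    for (const unsigned char *p = (const unsigned char *)path; *p; p++) {
        if (isalnum(*p) || *p == '/' || *p == '.' || *p == '_' ||
            *p == '-' || *p == '+')
            continue;
        return 0;
    }
    return 1;
}

/* Wraps `s` in single quotes so /bin/sh sees one literal word.  A single
 * quote cannot appear inside single quotes, so each one is emitted as
 * '\'' (close, escaped quote, reopen).  Returns a malloc'd string or NULL. */
char *shell_single_quote(const char *s)
{
    size_t n = strlen(s), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] == '\'')
            extra += 3;                 /* ' grows to '\'' (3 extra bytes) */
    char *out = malloc(n + extra + 3);  /* two quotes plus NUL */
    if (out == NULL)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = s[i];
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Builds the "comm=..." payload from a shell-quoted path.  Returns what
 * snprintf would have written (or -1 on allocation failure); a result
 * >= len means the path did not fit and the caller must not emit `data`. */
int format_comm(char *data, size_t len, const char *fullpath)
{
    char *q = shell_single_quote(fullpath);
    if (q == NULL)
        return -1;
    int r = snprintf(data, len, "comm=%s", q);
    free(q);
    return r;
}

int main(void)
{
    /* Constructed sample, taken from the filename discussed in the thread. */
    const char *hostile = "/tmp/a.out; /bin/id; meh";
    char buf[128];

    printf("allowlist(hostile)  = %d\n", path_is_shell_safe(hostile));
    printf("allowlist(/bin/true) = %d\n", path_is_shell_safe("/bin/true"));
    if (format_comm(buf, sizeof buf, hostile) < (int)sizeof buf)
        printf("%s\n", buf);            /* comm='/tmp/a.out; /bin/id; meh' */

    char *q = shell_single_quote("it's");
    printf("%s\n", q);                  /* 'it'\''s' */
    free(q);
    return 0;
}
```

Of the two approaches, the allowlist is the one that belongs on the kernel side: it needs no knowledge of which shell will consume the string, and a path that fails it is simply not reported. Quoting is what the consumer (devd) would have to do if it insists on accepting arbitrary values.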