FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability

Eygene Ryabinkin rea-fbsd at codelabs.ru
Wed May 27 12:07:14 UTC 2009


Wed, May 27, 2009 at 01:07:15PM +0200, Dag-Erling Smørgrav wrote:
> Eygene Ryabinkin <rea-fbsd at codelabs.ru> writes:
> > Maybe the attached patch will fix the thing?
> 
> I'm not entirely convinced.  Try the regression test I wrote
> (head/tools/regression/vfs/trailing_slash.t)

I see: you mean that the bare '/' at the end of everything but a directory
should produce ENOTDIR.  OK, the patch was modified and now it passes all
your checks.

> > It adds an additional flag, but this was the only thing I was able to
> > invent to avoid ABI breakage.
> 
> The flag is a good idea, but I think the correct place to handle this is
> in namei(), around line 290

The problem with the check in namei() itself is the cleanup of all locks
that were held in the lookup().  If lookup() is finished without error,
then the burden of cleanup is ours (namei's).  I could duplicate the
stuff, but why?  lookup() already does it and it's better to keep the
things in one place.

The logic is laid out as follows: if lookup() processes the last
component and it has seen the trailing slash, the flag is set.
When we have no more targets to get from the current path inside
lookup(), check if the slashed flag is set and reject anything that
is not a directory.

Such a strategy should also handle the cases of dereferencing (FOLLOWs) of
all symbolic links and when some link has a slash at the end of the target
name: 'ln -s /etc/motd somefile; ln -s somefile/ anotherfile; cat
anotherfile' will fail on the last command.  If one agrees on such
behaviour, such a test could also be added to the regression suite.

> (don't be fooled by the comment on line 270;
> the code inside the if statement is for the *non*-symlink case).

I see this on line 226, but maybe I hadn't updated my 7.x.  And
yes, I know what was meant by '(cnp->cn_flags & ISSYMLINK) == 0' ;))
-- 
Eygene
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook
    {_.-``-'         {_/            #
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vfs_lookup-trailing-symlink-with-slash.diff
Type: text/x-diff
Size: 5495 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20090527/cf5a3c5e/vfs_lookup-trailing-symlink-with-slash.bin
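Added example, not part of this thread or the attached patch: a small userland check of the behaviour the patch is meant to enforce, covering the plain trailing-slash case and the symlink chain from the mail ('ln -s motd somefile; ln -s somefile/ anotherfile'). It assumes a writable /tmp and a kernel that already returns ENOTDIR for a trailing '/' on a non-directory (Linux does; FreeBSD is expected to after the patch). The file and link names are constructed for the fixture.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* open(2) the path read-only; return 0 on success, else the errno. */
static int open_result(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Build the fixture in a fresh directory under /tmp, run the checks and
 * clean up.  Returns the number of failed checks, or -1 if the fixture
 * could not be created. */
int run_trailing_slash_checks(void)
{
    char dir[] = "/tmp/tslash.XXXXXX";   /* constructed scratch location */
    char cwd[4096];
    if (getcwd(cwd, sizeof cwd) == NULL || mkdtemp(dir) == NULL || chdir(dir) != 0)
        return -1;

    /* Fixture: a regular file, a real directory and the symlink chain from
     * the mail: ln -s motd somefile; ln -s somefile/ anotherfile */
    int fd = open("motd", O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || write(fd, "x\n", 2) != 2 || close(fd) != 0 ||
        mkdir("subdir", 0755) != 0 || symlink("motd", "somefile") != 0 ||
        symlink("somefile/", "anotherfile") != 0)
        return -1;

    int failures = 0;
    failures += open_result("motd/") != ENOTDIR;       /* regular file + '/' */
    failures += open_result("somefile/") != ENOTDIR;   /* symlink to file + '/' */
    failures += open_result("anotherfile") != ENOTDIR; /* slash inside the link target */
    failures += open_result("somefile") != 0;          /* no slash: must open */
    failures += open_result("subdir/") != 0;           /* directory + '/': must open */

    unlink("anotherfile"); unlink("somefile"); unlink("motd"); rmdir("subdir");
    if (chdir(cwd) != 0) return -1;
    rmdir(dir);
    return failures;
}
```

Call run_trailing_slash_checks() from a main(); a return of 0 means every case behaves the way this thread expects.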