svn commit: r335690 - head/sys/kern

Warner Losh imp at bsdimp.com
Thu Jun 28 07:42:31 UTC 2018


On Wed, Jun 27, 2018 at 7:46 AM, Warner Losh <imp at bsdimp.com> wrote:

>
>
> On Wed, Jun 27, 2018 at 7:44 AM, Shawn Webb <shawn.webb at hardenedbsd.org>
> wrote:
>
>> On Wed, Jun 27, 2018 at 07:42:52AM -0600, Warner Losh wrote:
>> > On Wed, Jun 27, 2018 at 12:59 AM, Oliver Pinter <
>> > oliver.pinter at hardenedbsd.org> wrote:
>> >
>> > >
>> > >
>> > > On Wednesday, June 27, 2018, Warner Losh <imp at freebsd.org> wrote:
>> > >
>> > >> Author: imp
>> > >> Date: Wed Jun 27 04:11:09 2018
>> > >> New Revision: 335690
>> > >> URL: https://svnweb.freebsd.org/changeset/base/335690
>> > >>
>> > >> Log:
>> > >>   Fix devctl generation for core files.
>> > >>
>> > >>   We have a problem with vn_fullpath_global when the file exists. Work
>> > >>   around it by printing the full path if the core file name starts with /,
>> > >>   or current working directory followed by the filename if not.
>> > >>
>> > >>   Sponsored by: Netflix
>> > >>   Differential Review: https://reviews.freebsd.org/D16026
>> > >>
>> > >> Modified:
>> > >>   head/sys/kern/kern_sig.c
>> > >>
>> > >> Modified: head/sys/kern/kern_sig.c
>> > >> ============================================================
>> > >> ==================
>> > >> --- head/sys/kern/kern_sig.c    Wed Jun 27 04:10:48 2018
>> (r335689)
>> > >> +++ head/sys/kern/kern_sig.c    Wed Jun 27 04:11:09 2018
>> (r335690)
>> > >> @@ -3431,24 +3431,6 @@ out:
>> > >>         return (0);
>> > >>  }
>> > >>
>> > >> -static int
>> > >> -coredump_sanitise_path(const char *path)
>> > >> -{
>> > >> -       size_t i;
>> > >> -
>> > >> -       /*
>> > >> -        * Only send a subset of ASCII to devd(8) because it
>> > >> -        * might pass these strings to sh -c.
>> > >> -        */
>> > >> -       for (i = 0; path[i]; i++)
>> > >> -               if (!(isalpha(path[i]) || isdigit(path[i])) &&
>> > >> -                   path[i] != '/' && path[i] != '.' &&
>> > >> -                   path[i] != '-')
>> > >> -                       return (0);
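
Review bot: The comment deleted at the top of coredump_sanitise_path() says devd(8) might pass these strings to sh -c, and the visible part of this hunk removes the allow-list (letters, digits, '/', '.', '-') without showing a replacement check or a matching quoting change on the devd side. Either keep the check until the consumer quotes the path, or name in the log message the devd change that makes it unnecessary, so the removal is not read as an oversight.
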
>> > >
>> > >
>> > > This part of code existed to prevent shell code injection via file names.
>> > > After this commit we lose this.
>> > >
>> >
>> > It's devd's job to prevent that, not the kernel's.
>>
>> Has devd been updated? Or is this particular vulnerability manifest
>> again?
>>
>
> devd is fine as far as I know, apart from the default action. I'm fixing
> that now.
>

As of r335756 the quoting issue that this code was for was fixed. I thought
I'd jumped through these hoops years ago, but I can't find the tree I did
it in, and it's clear I never committed it.

Warner
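
The thread contrasts two places to stop shell injection through core file names: a producer-side allow-list like the one removed here, and quoting in the consumer before the string reaches sh -c. As an added example (not code from FreeBSD, devd or r335756), the C below puts the two side by side; `path_is_allowlisted` and `sh_single_quote` are hypothetical helpers, and the single-quote escaping shown is a standard technique, not necessarily what devd does.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Producer-side allow-list with the same character set as the removed
 * helper: letters, digits, '/', '.' and '-'. Returns 1 if every byte of
 * path is allowed, 0 otherwise. */
static int
path_is_allowlisted(const char *path)
{
	size_t i;

	for (i = 0; path[i] != '\0'; i++) {
		unsigned char c = (unsigned char)path[i];
		if (!isalnum(c) && c != '/' && c != '.' && c != '-')
			return (0);
	}
	return (1);
}

/* Consumer-side alternative (hypothetical helper): wrap the value in
 * single quotes for sh -c and rewrite each embedded ' as '\'' so the
 * shell sees one literal word. Returns the length written, or -1 if
 * out is too small; the caller must then drop the event rather than
 * pass a truncated string on. */
static int
sh_single_quote(const char *in, char *out, size_t outsz)
{
	size_t o = 0;

	if (outsz < 3)			/* room for '' and the NUL */
		return (-1);
	out[o++] = '\'';
	for (; *in != '\0'; in++) {
		size_t need = (*in == '\'') ? 4 : 1;
		if (o + need + 2 > outsz)	/* +2: closing quote, NUL */
			return (-1);
		if (*in == '\'') {
			memcpy(out + o, "'\\''", 4);
			o += 4;
		} else
			out[o++] = *in;
	}
	out[o++] = '\'';
	out[o] = '\0';
	return ((int)o);
}
```

The allow-list rejects legitimate names such as ones containing a space, while quoting accepts any name but only protects consumers that actually apply it.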


More information about the svn-src-head mailing list