git: c1576434e9cf - stable/13 - mfc jail: handle jailsys parameters in modification permission test
Date: Mon, 28 Mar 2022 23:40:55 UTC
The branch stable/13 has been updated by jamie:
URL: https://cgit.FreeBSD.org/src/commit/?id=c1576434e9cf9c48b4d3975717c9f6cc6427cfd9
commit c1576434e9cf9c48b4d3975717c9f6cc6427cfd9
Author: Jamie Gritton <jamie@FreeBSD.org>
AuthorDate: 2022-03-26 02:16:51 +0000
Commit: Jamie Gritton <jamie@FreeBSD.org>
CommitDate: 2022-03-28 23:39:54 +0000
mfc jail: handle jailsys parameters in modification permission test
Avoid a null dereference when a value-less jailsys parameter is passed
to "jail -m". There was already code to handle boolean parameters,
but in reality any parameter could be passed without a value.
PR: 262471
Reported by: jcaplan at blackberry.com
(cherry picked from commit 8f1543785f77086494c73310ba8f5d09b61ff7eb)
---
usr.sbin/jail/jail.c | 32 ++++++++++++++++++++++----------
1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
index eb3b19f2cb82..63096146f176 100644
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
@@ -790,7 +790,9 @@ static int
rdtun_params(struct cfjail *j, int dofail)
{
struct jailparam *jp, *rtparams, *rtjp;
- int nrt, rval;
+ const void *jp_value;
+ size_t jp_valuelen;
+ int nrt, rval, bool_true;
if (j->flags & JF_RDTUN)
return 0;
@@ -818,15 +820,25 @@ rdtun_params(struct cfjail *j, int dofail)
rtjp = rtparams + 1;
for (jp = j->jp; rtjp < rtparams + nrt; jp++) {
if (JP_RDTUN(jp) && strcmp(jp->jp_name, "jid")) {
- if (!((jp->jp_flags & (JP_BOOL | JP_NOBOOL)) &&
- jp->jp_valuelen == 0 &&
- *(int *)jp->jp_value) &&
- !(rtjp->jp_valuelen == jp->jp_valuelen &&
- !((jp->jp_ctltype & CTLTYPE) ==
- CTLTYPE_STRING ? strncmp(rtjp->jp_value,
- jp->jp_value, jp->jp_valuelen) :
- memcmp(rtjp->jp_value, jp->jp_value,
- jp->jp_valuelen)))) {
+ jp_value = jp->jp_value;
+ jp_valuelen = jp->jp_valuelen;
+ if (jp_value == NULL && jp_valuelen > 0) {
+ if (jp->jp_flags & (JP_BOOL |
+ JP_NOBOOL | JP_JAILSYS)) {
+ bool_true = 1;
+ jp_value = &bool_true;
+ jp_valuelen = sizeof(bool_true);
+ } else if ((jp->jp_ctltype & CTLTYPE) ==
+ CTLTYPE_STRING)
+ jp_value = "";
+ else
+ jp_valuelen = 0;
+ }
+ if (rtjp->jp_valuelen != jp_valuelen ||
+ (CTLTYPE_STRING ? strncmp(rtjp->jp_value,
+ jp_value, jp_valuelen)
+ : memcmp(rtjp->jp_value, jp_value,
+ jp_valuelen))) {
if (dofail) {
jail_warnx(j, "%s cannot be "
"changed after creation",
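Review bot: The comparison at the end of the added block tests the constant `CTLTYPE_STRING` instead of the parameter's type, so the `memcmp` arm is never taken and every value, including integers and addresses, is compared with `strncmp`. Because `strncmp` stops at the first NUL byte, two binary values that differ only after a zero byte compare equal, and a changed parameter would then skip the "cannot be changed after creation" warning. The removed lines had the intended test; restore it as `((jp->jp_ctltype & CTLTYPE) == CTLTYPE_STRING ? strncmp(rtjp->jp_value, jp_value, jp_valuelen) : memcmp(rtjp->jp_value, jp_value, jp_valuelen))`. Separately, the final `else` leaves `jp_value` NULL with length 0, and that null pointer reaches the compare call whenever `rtjp->jp_valuelen` is also 0; checking `jp_valuelen != 0` before comparing would avoid it. rdtun_params starts before and continues past this hunk.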