[Bug 214881] jail with path=/ and sysctl.disablefullpath=1 leads to NULL dereference
bugzilla-noreply at freebsd.org
Sun Nov 27 14:56:28 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214881
Bug ID: 214881
Summary: jail with path=/ and sysctl.disablefullpath=1 leads to NULL dereference
Product: Base System
Version: 11.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs at FreeBSD.org
Reporter: aler at playground.ru
How to reproduce:
sysctl debug.disablefullpath=1
jail / x 127.0.0.1 csh
Source of the problem:
/sys/kern/kern_jail.c, kern_jail_set(), lines near 930-1000 depending on source
version (9.3, 10.x, 11.x, HEAD), "path" option handling branch
This sets path=NULL when it is "" or "/" and disablefullpath=1
    936         error = vn_path_to_global_path(td, root, g_path, MAXPATHLEN);
    937         if (error == 0)
    938                 path = g_path;
    939         else if (error == ENODEV) {
    940                 /* proceed if sysctl debug.disablefullpath == 1 */
    941                 fullpath_disabled = 1;
    942                 if (len < 2 || (len == 2 && path[0] == '/'))
    943                         path = NULL;
This dereferences it:
    954         if (fullpath_disabled) {
    955                 /* Leave room for a real-root full pathname. */
    956                 if (len + (path[0] == '/' && strcmp(mypr->pr_path, "/")
    957                     ? strlen(mypr->pr_path) : 0) > MAXPATHLEN) {
    958                         error = ENAMETOOLONG;
    959                         vrele(root);
    960                         goto done_free;
    961                 }
    962         }
Most likely it should release all things that it locked/allocated for
path-handling after vfs_getopt(opts, "path", (void **)&path, &len) and jump out
of this if() after setting path to NULL, but I'm not sure how exactly.
Maybe the comparison of path with "/" is not in place and should be done after
a successful vn_path_to_global_path() too.
The whole "path" option handling branch code looks a bit weird to me.
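The following is an added userland model of the two quoted kern_jail_set() fragments, written for this report and not taken from the FreeBSD source. It re-creates the control flow with constructed stand-ins (a struct for mypr->pr_path, an int flag in place of the ENODEV result of vn_path_to_global_path()) so the ordering of "path becomes NULL" and "path[0] is read" can be traced without a kernel. The guarded variant that treats a NULL path as "keep the current root" is an assumption made for the illustration only; it is not the committed fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 1024

/* Constructed stand-in for the calling prison (mypr->pr_path). */
struct prison_model {
    const char *pr_path;
};

/*
 * Model of quoted lines 936-943.  disablefullpath stands in for
 * vn_path_to_global_path() returning ENODEV.  With the sysctl set, a path
 * of "" or "/" (len counts the NUL, as vfs_getopt() reports it) is replaced
 * by NULL, exactly as in the kernel branch.
 */
static const char *
normalize_path(const char *path, size_t len, int disablefullpath,
    int *fullpath_disabled)
{
    *fullpath_disabled = 0;
    if (!disablefullpath)
        return path;            /* global path resolved; path unchanged */
    *fullpath_disabled = 1;
    if (len < 2 || (len == 2 && path[0] == '/'))
        return NULL;
    return path;
}

/* Returns 1 when the branch above would leave path == NULL. */
static int
path_becomes_null(const char *path, int disablefullpath)
{
    int fullpath_disabled;

    return normalize_path(path, strlen(path) + 1, disablefullpath,
        &fullpath_disabled) == NULL;
}

/*
 * Model of quoted lines 954-962: path[0] is read unconditionally, so a NULL
 * path coming out of normalize_path() faults here.  Never call this with
 * path == NULL; that is the bug being reported.
 */
static int
root_length_check_original(const char *path, size_t len,
    const struct prison_model *mypr)
{
    if (len + (path[0] == '/' && strcmp(mypr->pr_path, "/")
        ? strlen(mypr->pr_path) : 0) > MAXPATHLEN)
        return ENAMETOOLONG;
    return 0;
}

/* Assumed guard for this illustration: NULL means "root unchanged", so there
 * is no new pathname whose length needs checking. */
static int
root_length_check_guarded(const char *path, size_t len,
    const struct prison_model *mypr)
{
    if (path == NULL)
        return 0;
    return root_length_check_original(path, len, mypr);
}

/* Runs one "path" option through the model and returns the errno the
 * kernel branch would set (0 on success). */
static int
simulate_jail_set(const char *path, const char *pr_path, int disablefullpath,
    int guarded)
{
    struct prison_model mypr = { pr_path };
    size_t len = strlen(path) + 1;          /* vfs_getopt() includes the NUL */
    int fullpath_disabled;
    const char *p;

    p = normalize_path(path, len, disablefullpath, &fullpath_disabled);
    if (!fullpath_disabled)
        return 0;                           /* length check is not reached */
    return guarded ? root_length_check_guarded(p, len, &mypr)
                   : root_length_check_original(p, len, &mypr);
}

/* Constructs an absolute path of nchars characters ('/' then 'a's) and runs
 * it through the guarded model, to show the pr_path term in the check. */
static int
simulate_long_path(size_t nchars, const char *pr_path)
{
    static char buf[MAXPATHLEN + 64];

    if (nchars == 0 || nchars >= sizeof(buf))
        return EINVAL;
    memset(buf, 'a', nchars);
    buf[0] = '/';
    buf[nchars] = '\0';
    return simulate_jail_set(buf, pr_path, 1, 1);
}

int
main(void)
{
    printf("path \"/\" becomes NULL with disablefullpath=1: %d\n",
        path_becomes_null("/", 1));
    printf("guarded check, path \"/\": %d\n", simulate_jail_set("/", "/", 1, 1));
    printf("1020-char path under pr_path \"/jails/a\": %d (ENAMETOOLONG=%d)\n",
        simulate_long_path(1020, "/jails/a"), ENAMETOOLONG);
    return 0;
}
```

The model keeps the reporter's point visible: with debug.disablefullpath=1 the only way for a "/" path to survive lines 936-943 is as NULL, and the very next consumer at line 956 reads path[0]. The unguarded function is deliberately never invoked with NULL in the driver.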