svn commit: r278479 - in head: etc sys/kern

Don Lewis truckman at FreeBSD.org
Tue Feb 10 03:15:29 UTC 2015


On  9 Feb, Don Lewis wrote:
> On 10 Feb, Mateusz Guzik wrote:
>> On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
>>> +notify 10 {
>>> +	match "system"          "kernel";
>>> +	match "subsystem"       "signal";
>>> +	match "type"            "coredump";
>>> +	action "logger $comm $core";
>>> +};
>>> +
>>>  */
>>> 
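Review bot: the `action "logger $comm $core"` line in this sample notify block expands $comm into a command string that devd hands to sh -c, and $comm is the path of the executable, a name chosen by whoever created the binary; a path containing `;`, `$(...)`, backquotes or other shell metacharacters therefore becomes additional commands run with devd's privileges. Either drop $comm from the sample action or escape the expanded value for the shell before it reaches sh -c (devd itself does not quote it), and say so in the surrounding comment, so the example shipped in devd.conf does not document an injectable pattern.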
>> [..]
>>> +	if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
>>> +		goto out;
>>> +	snprintf(data, len, "comm=%s", fullpath);
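Review bot: the path from vn_fullpath_global() is copied into the devctl message verbatim here, and since the executable's path is chosen by the user who created the file it can contain spaces, quotes, `;` and other shell metacharacters; these both break the space-separated key=value layout of the notification and, once devd expands $comm into a shell action, give command injection. Sanitize or encode the path before the snprintf (reject or escape anything outside a conservative character set, or send only a stripped basename), and check the snprintf return value against len so a long path does not silently truncate the message rather than being reported.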
>> 
>> I cannot test it right now, but it looks like immediate privilege
>> escalation.
>> 
>> Path is not sanitized in any way and devd passes it to 'sh -c'.
>> 
>> So a file named "a.out; /bin/id; meh" or so should result in execution
>> of aforementioned /bin/id.
> 
> Then there is the issue of a user-generated core file being fed into the
> crash analyzer, possibly exploiting bugs in the latter.

Or worse, the contents of the executable, in particular the debug info,
could also be an attack vector.
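The injection Mateusz describes, as an added example and not code from the commit or from devd itself: a small POSIX sh script that mimics how devd substitutes $comm and $core into an action string and hands it to sh -c, beside a single-quote escaping step that neutralises shell metacharacters. The path in COMM is a constructed value built to match the "a.out; /bin/id; meh" shape from the thread (echo stands in for /bin/id so the effect is visible), and logger is replaced by echo so the result can be inspected without syslog.

```shell
#!/bin/sh
# Added example: simulates devd-style action expansion and shows why an
# unsanitized $comm leads to command execution, plus a quoting fix.
# Not part of the FreeBSD commit or of devd.

# Constructed sample values. COMM deliberately carries shell metacharacters,
# as a user can name an executable this way; CORE is an ordinary path.
COMM='/tmp/a.out; echo INJECTED; meh'
CORE='/tmp/a.out.core'

# Naive expansion, the way a devd.conf action like "logger $comm $core"
# is processed: variables are substituted into a string, then sh -c runs
# the whole string.  Everything after the ';' in COMM runs as a command.
# stderr is discarded (the trailing "meh" is not a real command) and the
# status is ignored so the function always returns 0.
naive_action() {
    cmd="echo logged: $1 $2"
    sh -c "$cmd" 2>/dev/null || :
}

# Escape a value for use as a single shell word: wrap it in single quotes
# and rewrite every embedded ' as '\'' so the quoting cannot be closed.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Same action, but each substituted value is quoted before the string is
# handed to sh -c, so the metacharacters arrive as data, not as syntax.
safe_action() {
    cmd="echo logged: $(shquote "$1") $(shquote "$2")"
    sh -c "$cmd"
}

# Stand-alone usage: show both behaviours on the constructed path.
naive_action "$COMM" "$CORE"
safe_action "$COMM" "$CORE"
```

The quoting fix only makes the shell treat the path as a single argument; it does not change the underlying design problem that devd is handing attacker-influenced strings to sh -c with its own (root) privileges, which is why the reply suggests not feeding the path through a shell action at all.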


