svn commit: r335690 - head/sys/kern

Shawn Webb shawn.webb at hardenedbsd.org
Wed Jun 27 13:45:27 UTC 2018


On Wed, Jun 27, 2018 at 07:42:52AM -0600, Warner Losh wrote:
> On Wed, Jun 27, 2018 at 12:59 AM, Oliver Pinter <
> oliver.pinter at hardenedbsd.org> wrote:
> 
> >
> >
> > On Wednesday, June 27, 2018, Warner Losh <imp at freebsd.org> wrote:
> >
> >> Author: imp
> >> Date: Wed Jun 27 04:11:09 2018
> >> New Revision: 335690
> >> URL: https://svnweb.freebsd.org/changeset/base/335690
> >>
> >> Log:
> >>   Fix devctl generation for core files.
> >>
> >>   We have a problem with vn_fullpath_global when the file exists. Work
> >>   around it by printing the full path if the core file name starts with /,
> >>   or current working directory followed by the filename if not.
> >>
> >>   Sponsored by: Netflix
> >>   Differential Review: https://reviews.freebsd.org/D16026
> >>
> >> Modified:
> >>   head/sys/kern/kern_sig.c
> >>
> >> Modified: head/sys/kern/kern_sig.c
> >> ============================================================
> >> ==================
> >> --- head/sys/kern/kern_sig.c    Wed Jun 27 04:10:48 2018        (r335689)
> >> +++ head/sys/kern/kern_sig.c    Wed Jun 27 04:11:09 2018        (r335690)
> >> @@ -3431,24 +3431,6 @@ out:
> >>         return (0);
> >>  }
> >>
> >> -static int
> >> -coredump_sanitise_path(const char *path)
> >> -{
> >> -       size_t i;
> >> -
> >> -       /*
> >> -        * Only send a subset of ASCII to devd(8) because it
> >> -        * might pass these strings to sh -c.
> >> -        */
> >> -       for (i = 0; path[i]; i++)
> >> -               if (!(isalpha(path[i]) || isdigit(path[i])) &&
> >> -                   path[i] != '/' && path[i] != '.' &&
> >> -                   path[i] != '-')
> >> -                       return (0);
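Review bot: The removal of coredump_sanitise_path() in this hunk drops the only visible filter on the core file path, and the removed comment gives the reason it existed: devd(8) "might pass these strings to sh -c". The log message covers only the vn_fullpath_global workaround and does not mention the removal. Suggest either keeping the character check and applying it to the newly built path (the absolute name, or the current working directory followed by the filename), or stating in the log where shell metacharacters in the file name are now handled before the string is used.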
> >
> >
> > This part of code existed to prevent shell code injection via file names.
> > After this commit we lose this.
> >
> 
> It's devd's job to prevent that, not the kernel's.

Has devd been updated? Or is this particular vulnerability manifest
again?

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal:    +1 443-546-8752
Tor+XMPP+OTR:        lattera at is.a.hacker.sx
GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE