svn commit: r278479 - in head: etc sys/kern

Mateusz Guzik mjguzik at gmail.com
Tue Feb 10 02:43:23 UTC 2015


On Mon, Feb 09, 2015 at 11:13:51PM +0000, Rui Paulo wrote:
> +notify 10 {
> +	match "system"          "kernel";
> +	match "subsystem"       "signal";
> +	match "type"            "coredump";
> +	action "logger $comm $core";
> +};
> +
>  */
> 
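Review bot: the sample action `logger $comm $core` in this devd.conf comment block expands two kernel-supplied values straight into an action, and devd hands actions to `sh -c` (see the reply below); since `$comm` is the path of the dumping process's executable, a value the process owner chooses, the comment should state that `$comm` must be encoded or sanitized on the kernel side before it is safe to use in an action, or the example should be withheld until that is in place.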
[..]
> +	if (vn_fullpath_global(td, p->p_textvp, &fullpath, &freepath) != 0)
> +		goto out;
> +	snprintf(data, len, "comm=%s", fullpath);
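Review bot: `snprintf(data, len, "comm=%s", fullpath)` copies the path verbatim, so any byte in the executable's path (spaces, quotes, `;`) lands unescaped in a key=value record that devd later expands into a shell command; encode the value (base64, or a percent-style escape over an allowlisted character set) or reject paths containing bytes outside that set before formatting. The `snprintf` return value is also unchecked, so an over-long path is silently truncated instead of reported, and the excerpt does not show `freepath` from `vn_fullpath_global` being released after the copy; the full change should do that on the success path.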

I cannot test it right now, but it looks like immediate privilege
escalation.

Path is not sanitized in any way and devd passes it to 'sh -c'.

So a file named "a.out; /bin/id; meh" or so should result in execution
of aforementioned /bin/id.

Another note is that currently devctl is record oriented, but this may
change at some point and free form userspace text could be used to forge
new events.

As such I strongly suggest we sanitize this somehow. Maybe a base64 or
something.

-- 
Mateusz Guzik <mjguzik gmail.com>
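As an added illustration of the sanitization the reply asks for, the following C is not part of this thread or of FreeBSD; it uses a percent-style escape over an allowlist (one alternative to the base64 the reply mentions), so the kernel-side value carries no shell metacharacters and the devd-side decoder refuses anything the encoder could not have produced, which also covers the forged-record concern. The allowlist, buffer sizes and the `roundtrip_clean` check are assumptions made for this example.

```c
#include <stdbool.h>
#include <string.h>
static const char HEX[] = "0123456789ABCDEF";
/* Allowlist of bytes passed through unencoded; space, ';', '$', quotes,
 * backticks and everything else become %XX. Constructed example, not FreeBSD code. */
static const char SAFE[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789/._-";
static bool safe_char(unsigned char c) { return c != '\0' && strchr(SAFE, c) != NULL; }
/* Kernel side: encode src into dst. Like snprintf, returns the length the full
 * encoding needs (excluding NUL), so a result >= dstlen signals truncation. */
size_t encode_path(const char *src, char *dst, size_t dstlen) {
    size_t need = 0, out = 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char unit[3] = { (char)*p, HEX[*p >> 4], HEX[*p & 0xf] };
        size_t n = 1;
        if (!safe_char(*p)) { unit[0] = '%'; n = 3; }
        /* copy whole units only; stop at the first one that does not fit */
        if (out == need && out + n < dstlen) { memcpy(dst + out, unit, n); out += n; }
        need += n;
    }
    if (dstlen > 0) dst[out] = '\0';
    return need;
}

/* devd side: decode %XX and reject anything encode_path() could not have
 * produced, so a forged record with raw metacharacters never reaches an action. */
bool decode_path(const char *src, char *dst, size_t dstlen) {
    size_t out = 0;
    for (const char *p = src; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            const char *hi = p[1] ? strchr(HEX, p[1]) : NULL;
            const char *lo = hi && p[2] ? strchr(HEX, p[2]) : NULL;
            if (hi == NULL || lo == NULL) return false;
            c = (int)(hi - HEX) * 16 + (int)(lo - HEX);
            p += 2;
        } else if (!safe_char((unsigned char)c)) return false;
        if (out + 1 >= dstlen) return false;
        dst[out++] = (char)c;
    }
    if (dstlen == 0) return false;
    dst[out] = '\0';
    return true;
}

/* Round trip: no shell metacharacter survives encoding, decoding restores path. */
bool roundtrip_clean(const char *path) {
    char enc[256], dec[256];
    if (encode_path(path, enc, sizeof enc) >= sizeof enc) return false;
    if (strpbrk(enc, " ;$`'\"&|<>()") != NULL) return false;
    return decode_path(enc, dec, sizeof dec) && strcmp(dec, path) == 0;
}
```

Passing `NULL, 0` to `encode_path` only measures the encoded length, which is how a caller sizes the record before formatting it.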

