On Wed, Jun 27, 2018 at 07:42:52AM -0600, Warner Losh wrote:
> On Wed, Jun 27, 2018 at 12:59 AM, Oliver Pinter <oliver.pin...@hardenedbsd.org> wrote:
>
> >
> >
> > On Wednesday, June 27, 2018, Warner Losh <i...@freebsd.org> wrote:
> >
> >> Author: imp
> >> Date: Wed Jun 27 04:11:09 2018
> >> New Revision: 335690
> >> URL: https://svnweb.freebsd.org/changeset/base/335690
> >>
> >> Log:
> >> Fix devctl generation for core files.
> >>
> >> We have a problem with vn_fullpath_global when the file exists. Work
> >> around it by printing the full path if the core file name starts with /,
> >> or current working directory followed by the filename if not.
> >>
> >> Sponsored by: Netflix
> >> Differential Review: https://reviews.freebsd.org/D16026
> >>
> >> Modified:
> >> head/sys/kern/kern_sig.c
> >>
> >> Modified: head/sys/kern/kern_sig.c
> >> ============================================================
> >> ==================
> >> --- head/sys/kern/kern_sig.c Wed Jun 27 04:10:48 2018 (r335689) > >> +++ head/sys/kern/kern_sig.c Wed Jun 27 04:11:09 2018 (r335690) > >> @@ -3431,24 +3431,6 @@ out: > >> return (0); > >> } > >> > >> -static int > >> -coredump_sanitise_path(const char *path) > >> -{ > >> - size_t i; > >> - > >> - /* > >> - * Only send a subset of ASCII to devd(8) because it > >> - * might pass these strings to sh -c. > >> - */ > >> - for (i = 0; path[i]; i++) > >> - if (!(isalpha(path[i]) || isdigit(path[i])) && > >> - path[i] != '/' && path[i] != '.' && > >> - path[i] != '-') > >> - return (0);
> >
> >
> > This part of code existed to prevent shell code injection via file names.
> > After this commit we lose this.
> >
>
> It's devd's job to prevent that, not the kernel's.

Has devd been updated? Or is this particular vulnerability manifest again?

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

Tor-ified Signal: +1 443-546-8752
Tor+XMPP+OTR: latt...@is.a.hacker.sx
GPG Key ID: 0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE
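
Review bot: The removal of coredump_sanitise_path() in the @@ -3431,24 +3431,6 @@ hunk drops the allowlist shown here (alphanumerics plus '/', '.' and '-') for the core path sent to devd(8), and neither the log message nor the quoted hunk says what takes its place. The removed comment gives the reason for the check ("it might pass these strings to sh -c"), and the log says the notification now carries the current working directory followed by the file name, so a directory name becomes part of that string as well. Suggest either keeping the allowlist and applying it to the assembled path, or landing the devd-side quoting first and naming that change in the log, so that the question raised in this thread is answered by the commit itself.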