From owner-freebsd-security@FreeBSD.ORG Tue May 26 17:36:47 2009
From: Jakub Lach <jakub_lach@mailplus.pl>
To: freebsd-security@freebsd.org
Date: Tue, 26 May 2009 10:18:50 -0700 (PDT)
Message-ID: <23727599.post@talk.nabble.com>
Subject: FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability

http://www.milw0rm.com/exploits/8786
http://redmine.lighttpd.net/issues/1989
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768

affected: FreeBSD, OSX, Solaris < 10
not affected: Linux, NetBSD, OpenBSD, DragonflyBSD, Solaris 10

From owner-freebsd-security@FreeBSD.ORG Tue May 26 20:32:45 2009
From: Dag-Erling Smørgrav <des@des.no>
To: Jakub Lach
Cc: freebsd-hackers@freebsd.org
Date: Tue, 26 May 2009 22:13:21 +0200
In-Reply-To: <23727599.post@talk.nabble.com> (Jakub Lach's message of "Tue, 26 May 2009 10:18:50 -0700 (PDT)")
Message-ID: <86prdvipwe.fsf@ds4.des.no>
Subject: Re: FYI Lighttpd 1.4.23 /kernel (trailing '/' on regular file symlink) vulnerability

[moving from security@ to hackers@]

Jakub Lach writes:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/21768

Like bde@ pointed out, the patch is incorrect.  It moves the test for
v_type != VDIR up to a point where, in the case of a symlink, v_type is
always (by definition) VLNK.

The reason why the current code does not work is that, in the symlink
case, the v_type != VDIR test is never reached: we will have jumped to
either bad2 or success.  However, it should be safe to move the test to
after the success label, because trailing_slash is only ever true for
the last component of the path we were asked to look up (see lines 520
through 535).

The attached patch should work.

DES

-- 
Dag-Erling Smørgrav - des@des.no

Index: sys/kern/vfs_lookup.c
===================================================================
--- sys/kern/vfs_lookup.c (revision 192614)
+++ sys/kern/vfs_lookup.c (working copy)
@@ -800,14 +800,6 @@ goto success; } - /* - * Check for bogus trailing slashes. - */ - if (trailing_slash && dp->v_type != VDIR) { - error = ENOTDIR; - goto bad2; - } - nextname: /* * Not a symbolic link. If more pathname, @@ -861,6 +853,14 @@ VOP_UNLOCK(dp, 0); success: /* + * Check for bogus trailing slashes. + */ + if (trailing_slash && dp->v_type != VDIR) { + error = ENOTDIR; + goto bad2; + } + + /* * Because of lookup_shared we may have the vnode shared locked, but * the caller may want it to be exclusively locked. */ --=-=-=--
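Review bot: removing the check in the first hunk (the block right below the `goto success;` context line, which the cover mail identifies as the end of the symlink branch) leaves the non-symlink path with no trailing-slash validation until `success:`. That is only equivalent if every last-component exit of the `nextname:` code falls through to `success` instead of returning on its own, and if `trailing_slash` can never be set when the loop continues to a further component; neither is visible in this hunk, so the move should come with a KASSERT on `trailing_slash` at the point where lookup continues to the next component, or at least a comment stating the invariant the cover mail cites (lines 520 through 535).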
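Review bot: the relocated test `if (trailing_slash && dp->v_type != VDIR)` in the second hunk now also runs for the symlink branch that arrives via `goto success`, where `dp->v_type` is `VLNK` by definition (the same objection the cover mail raises against the PR's patch), so a symlink whose target is a directory, looked up with a trailing slash, would get ENOTDIR before `namei()` ever follows the link. The check at `success:` needs to exclude the symlink case, e.g. `dp->v_type != VDIR && dp->v_type != VLNK`, and the ENOTDIR for a link to a regular file then has to come from the re-lookup of the link target, which means the trailing-slash state must be carried into that re-lookup rather than dropped. Separately, the test sits after the `VOP_UNLOCK(dp, 0);` context line, so on the non-symlink path `dp` may already be unlocked, and the parent may already have been released, when `goto bad2` runs; confirm the `bad2` cleanup tolerates that state before committing.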