Date:      Sun, 27 Nov 2016 14:56:27 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 214881] jail with path=/ and sysctl.disablefullpath=1 leads to NULL dereference
Message-ID:  <bug-214881-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214881

            Bug ID: 214881
           Summary: jail with path=/ and sysctl.disablefullpath=1 leads to
                    NULL dereference
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: aler@playground.ru

How to reproduce:
 sysctl debug.disablefullpath=1
 jail / x 127.0.0.1 csh

Source of the problem:
/sys/kern/kern_jail.c, kern_jail_set(), lines near 930-1000 depending on source
version (9.3, 10.x, 11.x, HEAD), "path" option handling branch

This sets path=NULL when it is "" or "/" and disablefullpath=1
936                     error = vn_path_to_global_path(td, root, g_path, MAXPATHLEN);
937                     if (error == 0)
938                             path = g_path;
939                     else if (error == ENODEV) {
940                             /* proceed if sysctl debug.disablefullpath == 1 */
941                             fullpath_disabled = 1;
942                             if (len < 2 || (len == 2 && path[0] == '/'))
943                                     path = NULL;

This dereferences it:
954                     if (fullpath_disabled) {
955                             /* Leave room for a real-root full pathname. */
956                             if (len + (path[0] == '/' && strcmp(mypr->pr_path, "/")
957                                 ? strlen(mypr->pr_path) : 0) > MAXPATHLEN) {
958                                     error = ENAMETOOLONG;
959                                     vrele(root);
960                                     goto done_free;
961                             }
962                     }


Most likely it should release all things that it locked/allocated for
path-handling after vfs_getopt(opts, "path", (void **)&path, &len) and jump out
of this if() after setting path to NULL, but I'm not sure how exactly.
Maybe the comparison of path with "/" is not in place and should be done after
a successful vn_path_to_global_path() too.
The whole "path" option handling branch code looks a bit weird to me.

-- 
You are receiving this mail because:
You are the assignee for the bug.
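The control flow the report describes, modelled in user space as an added example (this is not the kernel source and not a proposed patch): global_path_stub() stands in for vn_path_to_global_path() and is assumed to fail with ENODEV whenever debug.disablefullpath is on; jail_path_check() follows the quoted lines 936-962 with guard_null=0, and with guard_null=1 shows one way the later length check can treat a NULL path (an empty or "/" request) as the parent's root instead of reading path[0].

```c
#include <errno.h>
#include <string.h>

#define MAXPATHLEN 1024

/* Stand-in for vn_path_to_global_path() (assumption, not the kernel code):
 * fails with ENODEV when the debug.disablefullpath sysctl is on. */
static int
global_path_stub(int disablefullpath, const char *in, char *out, size_t outlen)
{
    if (disablefullpath)
        return ENODEV;
    strncpy(out, in, outlen - 1);   /* no real normalisation in this model */
    out[outlen - 1] = '\0';
    return 0;
}

/*
 * Model of the "path" branch in kern_jail_set(). pr_path is the parent
 * jail's root, path the requested one. With guard_null == 0 it follows the
 * report: "" or "/" become NULL, then path[0] is read (crash); with
 * guard_null == 1 a NULL path is treated as the parent's root instead.
 */
static int
jail_path_check(int disablefullpath, int guard_null,
    const char *path, const char *pr_path)
{
    char g_path[MAXPATHLEN];
    size_t len = strlen(path) + 1;  /* vfs_getopt's len counts the NUL */
    int fullpath_disabled = 0;
    int error = global_path_stub(disablefullpath, path, g_path, sizeof(g_path));

    if (error == 0)
        path = g_path;
    else if (error == ENODEV) {
        fullpath_disabled = 1;
        if (len < 2 || (len == 2 && path[0] == '/'))
            path = NULL;
    } else
        return error;
    if (fullpath_disabled) {
        int absolute = guard_null ? (path != NULL && path[0] == '/')
                                  : (path[0] == '/');   /* NULL deref here */
        if (len + (absolute && strcmp(pr_path, "/") ? strlen(pr_path) : 0)
            > MAXPATHLEN)
            return ENAMETOOLONG;
    }
    return 0;
}
```

Calling jail_path_check(1, 0, "/", "/") reproduces the crash from the report's repro steps; the same call with guard_null=1 returns 0.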