From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 214881] jail with path=/ and sysctl.disablefullpath=1 leads to NULL dereference
Date: Sun, 27 Nov 2016 14:56:27 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214881

            Bug ID: 214881
           Summary: jail with path=/ and sysctl.disablefullpath=1 leads to NULL dereference
           Product: Base System
           Version: 11.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: aler@playground.ru

How to reproduce:

    sysctl debug.disablefullpath=1
    jail / x 127.0.0.1 csh

Source of the problem: /sys/kern/kern_jail.c, kern_jail_set(), lines near 930-1000 depending on source version (9.3, 10.x, 11.x, HEAD), "path" option handling branch.

This sets path=NULL when it is "" or "/" and disablefullpath=1:

    936    error = vn_path_to_global_path(td, root, g_path, MAXPATHLEN);
    937    if (error == 0)
    938        path = g_path;
    939    else if (error == ENODEV) {
    940        /* proceed if sysctl debug.disablefullpath == 1 */
    941        fullpath_disabled = 1;
    942        if (len < 2 || (len == 2 && path[0] == '/'))
    943            path = NULL;

This dereferences it:

    954    if (fullpath_disabled) {
    955        /* Leave room for a real-root full pathname. */
    956        if (len + (path[0] == '/' && strcmp(mypr->pr_path, "/")
    957            ? strlen(mypr->pr_path) : 0) > MAXPATHLEN) {
    958            error = ENAMETOOLONG;
    959            vrele(root);
    960            goto done_free;
    961        }
    962    }

Most likely it should release all things that it locked/allocated for path handling after vfs_getopt(opts, "path", (void **)&path, &len) and jump out of this if() after setting path to NULL, but I'm not sure how exactly. Maybe the comparison of path with "/" is not in place and should be done after successful vn_path_to_global_path() too. The whole "path" option handling branch code looks a bit weird to me.

-- 
You are receiving this mail because:
You are the assignee for the bug.
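To make the control flow of the quoted branch concrete, here is an added C model of it (not code from the report, the kernel, or any committed fix): sim_vn_path_to_global_path(), jail_path_branch() and the guard parameter are constructed for illustration, and the model returns -1 at the point where the kernel would read path[0] through a NULL pointer instead of crashing.

```c
#include <errno.h>
#include <string.h>
#define MAXPATHLEN 1024

/* Constructed stand-in for vn_path_to_global_path(): returns ENODEV when
 * debug.disablefullpath is set, else hands the path back unchanged. */
static int sim_vn_path_to_global_path(int disablefullpath, const char *path,
    char *g_path, size_t g_len)
{
	if (disablefullpath)
		return ENODEV;
	if (strlen(path) + 1 > g_len)
		return ENAMETOOLONG;
	strcpy(g_path, path);
	return 0;
}

/* Model of the "path" option branch quoted in the report: 0 on success, an
 * errno value on error, or -1 where the original code would read path[0]
 * through a NULL pointer.  guard=1 adds a NULL check for illustration only
 * (an assumption, not the committed kernel fix). */
int jail_path_branch(const char *opt_path, int disablefullpath,
    const char *pr_path, int guard)
{
	char g_path[MAXPATHLEN];
	const char *path = opt_path;
	size_t len = strlen(opt_path) + 1;	/* vfs_getopt len counts the NUL */
	int fullpath_disabled = 0;
	int error;
	error = sim_vn_path_to_global_path(disablefullpath, path, g_path,
	    sizeof(g_path));
	if (error == 0)
		path = g_path;
	else if (error == ENODEV) {
		fullpath_disabled = 1;		/* "" and "/" become NULL here */
		if (len < 2 || (len == 2 && path[0] == '/'))
			path = NULL;
	} else
		return error;

	if (fullpath_disabled) {
		if (path == NULL)		/* kernel: path[0] is a NULL deref */
			return guard ? 0 : -1;
		/* Leave room for a real-root full pathname. */
		if (len + (path[0] == '/' && strcmp(pr_path, "/")
		    ? strlen(pr_path) : 0) > MAXPATHLEN)
			return ENAMETOOLONG;
	}
	return 0;
}
```

With guard=0, path "/" or "" and disablefullpath=1 reproduce the reporter's case as a -1; any other path, or the sysctl left at 0, never reaches the NULL read.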