6c2596f00c
After the commit of the current version, Scott Long pointed out that an attacker might be able to cause a use-after-free access if this function returned the value of the sysctl variable "user.localbase" by freeing the allocated memory without the cached address being cleared in the library function.

To resolve this issue, I have proposed the originally suggested version with a statically allocated buffer in a review (D27370). There was no feedback on this review and after waiting for more than 2 weeks, the potential security issue is fixed by this commit. (There was no security risk in practice, since none of the programs converted to use this function attempted to free the buffer. The address could only have pointed into the heap if user.localbase was set to a non-default value, into r/o data or the environment otherwise.)

This version uses a static buffer of size LOCALBASE_CTL_LEN, which defaults to MAXPATHLEN. This does not increase the memory footprint of the library at this time, since its data segment grows from less than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical architectures anyway.

Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code that accesses the sysctl variable; values between 1 and MAXPATHLEN-1 will limit the maximum size of the prefix. When built with such a value and if too large a value has been configured in user.localbase, the value defined as ILLEGAL_PREFIX will be returned to cause any file operations on that result to fail. (The default value is "/dev/null/"; the review contained "/\177", but I assume that "/dev/null" exists and cannot be accessed as a directory. Any other string that can be assumed not to be a valid path prefix could be used.)

I do suggest using LOCALBASE_CTL_LEN to size the in-kernel buffer for the user.localbase variable, too. Doing this would guarantee that the result always fits into the buffer in this library function (unless run on a kernel built with a different buffer size).

The function always returns a valid string, and only in case it is built with a small static buffer and run on a system with too large a value in user.localbase will the ILLEGAL_PREFIX be returned, effectively causing the created path to be non-existent.

Differential Revision: https://reviews.freebsd.org/D27370
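The following is an added illustration of the design the commit message describes, written for this page and not code from the FreeBSD commit itself. It models a getlocalbase-style lookup that copies the sysctl value into a static buffer of LOCALBASE_CTL_LEN bytes and returns ILLEGAL_PREFIX when the configured value does not fit. The sysctl read is replaced by a string parameter (on a real system it would come from the kernel), LOCALBASE_CTL_LEN is set to a small constructed value so the "too large" path can be exercised, and the function names `localbase_from_value` and `localbase_pointer_is_stable` are this example's own. The point to observe is that the returned pointer never refers to heap memory, so there is no per-call allocation a caller could free and no cached address left to dangle.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes: the real library defaults LOCALBASE_CTL_LEN to
 * MAXPATHLEN; 32 is used here only so the "value too large" path runs. */
#ifndef LOCALBASE_CTL_LEN
#define LOCALBASE_CTL_LEN 32
#endif
#define ILLEGAL_PREFIX "/dev/null/"
#define DEFAULT_LOCALBASE "/usr/local"   /* stand-in for the compiled-in default */

/*
 * Resolve the localbase prefix from a sysctl-style value. The caller passes
 * the string that user.localbase would hold (a real implementation would read
 * it from the kernel). The result always points at storage the caller must
 * not free: either the static buffer below or a string literal in r/o data.
 */
const char *
localbase_from_value(const char *sysctl_value)
{
#if LOCALBASE_CTL_LEN > 0
	static char localbase[LOCALBASE_CTL_LEN];
	size_t len;

	if (sysctl_value != NULL && sysctl_value[0] != '\0') {
		len = strlen(sysctl_value);
		if (len >= sizeof(localbase)) {
			/*
			 * The configured prefix does not fit the static
			 * buffer: return a prefix that exists but cannot be
			 * a directory, so paths built on it fail instead of
			 * being silently truncated.
			 */
			return (ILLEGAL_PREFIX);
		}
		memcpy(localbase, sysctl_value, len + 1);
		return (localbase);
	}
#else
	(void)sysctl_value;	/* sysctl lookup compiled out */
#endif
	return (DEFAULT_LOCALBASE);
}

/*
 * Check that successive calls hand back the same address: the value lives in
 * the static buffer, so nothing is allocated per call and nothing can dangle.
 */
int
localbase_pointer_is_stable(void)
{
	const char *a = localbase_from_value("/opt/pkg");
	const char *b = localbase_from_value("/usr/pkg");

	return (a == b && strcmp(b, "/usr/pkg") == 0);
}

int
main(void)
{
	char toolong[LOCALBASE_CTL_LEN + 8];

	/* Constructed value one byte too long for the static buffer. */
	memset(toolong, 'x', sizeof(toolong) - 1);
	toolong[0] = '/';
	toolong[sizeof(toolong) - 1] = '\0';

	printf("default: %s\n", localbase_from_value(""));
	printf("custom:  %s\n", localbase_from_value("/opt/local"));
	printf("toolong: %s\n", localbase_from_value(toolong));
	return (0);
}
```

Building with `-DLOCALBASE_CTL_LEN=0` drops the sysctl branch entirely and the function collapses to returning the compiled-in default, matching the behaviour the commit message describes for that configuration.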
FreeBSD Source:
This is the top level of the FreeBSD source directory. This file
was last revised on:
FreeBSD
FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security, and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.
For copyright information, please see the file COPYRIGHT in this directory. Additional copyright information also exists for some sources in this tree - please see the specific source directories for more information.
The Makefile in this directory supports a number of targets for building components (or all) of the FreeBSD source tree. See build(7), config(8), https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html, and https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html for more information, including setting make(1) variables.
Source Roadmap:

bin           System/user commands.
cddl          Various commands and libraries under the Common Development and Distribution License.
contrib       Packages contributed by 3rd parties.
crypto        Cryptography stuff (see crypto/README).
etc           Template files for /etc.
gnu           Various commands and libraries under the GNU Public License. Please see gnu/COPYING* for more information.
include       System include files.
kerberos5     Kerberos5 (Heimdal) package.
lib           System libraries.
libexec       System daemons.
release       Release building Makefile & associated tools.
rescue        Build system for statically linked /rescue utilities.
sbin          System commands.
secure        Cryptographic libraries and commands.
share         Shared resources.
stand         Boot loader sources.
sys           Kernel sources.
sys/<arch>/conf  Kernel configuration files. GENERIC is the configuration used in release builds. NOTES contains documentation of all possible entries.
tests         Regression tests which can be run by Kyua. See tests/README for additional information.
tools         Utilities for regression testing and miscellaneous tasks.
usr.bin       User commands.
usr.sbin      System administration commands.
For information on synchronizing your source tree with one or more of the FreeBSD Project's development branches, please see:
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html