Fix a read-beyond-end string read.
coredump_buildname() copies 'pattern' into 'name', and handles special
characters such as "%n". "%n", if present, will be replaced by p->p_comm.
error = coredump_buildname(p, name, pattern, MAXPATHLEN);
This function handles overflows, and returns an error when 'name' becomes
larger than MAXPATHLEN. However, when coredump() calls it, 'name' is used
before the error check, with:
lastslash = strrchr(name, '/');
'name' is not guaranteed to be NUL-terminated, because of the *d = *s in
coredump_buildname(). This strrchr will read a string which is not NUL-
terminated (ie. until finding a '\0' in memory).
'pattern' itself can't be longer than MAXPATHLEN: a user can supply it via a
PT_DUMPCORE ptrace call, provided the input is no longer than MAXPATHLEN.
Since the 2-bytes-sized "%n"s will be replaced by p->p_comm (which is
user-settable, like a 10-bytes-sized "0123456789"), 'name' can become
longer than 'pattern' (and thus longer than MAXPATHLEN). Some 'a's at the
end of the buffer will make sure 'name' is not NUL-terminated.
pattern: "%n%n%naaaaaaaaaaaaaaaaaaaaaaaaaaaa\0"
| | | |||||||||||||||||||||||||||||
-> name: "012345678901234567890123456789aaaaa" [no \0]
| | | |||||MAXPATHLEN
Fix it by checking 'error' before calling strrchr.
/* $NetBSD: kern_core.c,v 1.23 2014/04/22 19:01:47 maxv Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1991, 1993
* The Regents of the University of California. All rights reserved.
* (c) UNIX System Laboratories, Inc.
* All or some portions of this file are derived from material licensed
* to the University of California by American Telephone and Telegraph
* Co. or Unix System Laboratories, Inc. and are reproduced herein with
* the permission of UNIX System Laboratories, Inc.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)kern_sig.c 8.14 (Berkeley) 5/14/95
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: kern_core.c,v 1.23 2014/04/22 19:01:47 maxv Exp $");
#include <sys/param.h>
#include <sys/vnode.h>
#include <sys/namei.h>
#include <sys/acct.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/proc.h>
#include <sys/exec.h>
#include <sys/filedesc.h>
#include <sys/kauth.h>
#include <sys/module.h>
MODULE(MODULE_CLASS_MISC, coredump, NULL);
/*
 * Per-dump state handed to the exec format's es_coredump hook and then
 * threaded through coredump_write() / coredump_offset().
 */
struct coredump_iostate {
	struct lwp *io_lwp;	/* dumping lwp; supplies the address space for UIO_USERSPACE writes */
	struct vnode *io_vp;	/* the open core file; written with IO_NODELOCKED, so it is held locked by coredump() */
	kauth_cred_t io_cred;	/* credentials the writes are performed with */
	off_t io_offset;	/* next write position; advanced by coredump_write() on success */
};
static int coredump(struct lwp *, const char *);
static int coredump_buildname(struct proc *, char *, const char *, size_t);
/*
 * Module control hook for the coredump module.
 *
 * On MODULE_CMD_INIT the kernel's coredump_vec is pointed at the
 * implementation in this file; on MODULE_CMD_FINI it is pointed back at
 * enosys so nothing can call into unloaded text.
 *
 * cmd: the module command being performed.
 * arg: unused.
 * Returns 0 for INIT and FINI, ENOTTY for any other command.
 */
static int
coredump_modcmd(modcmd_t cmd, void *arg)
{
	int (*hook)(struct lwp *, const char *);

	if (cmd == MODULE_CMD_INIT) {
		hook = coredump;
	} else if (cmd == MODULE_CMD_FINI) {
		/*
		 * In theory we don't need to patch this, as the various
		 * exec formats depend on this module.  If this module has
		 * no references, and so can be unloaded, no user programs
		 * can be running and so nothing can call *coredump_vec.
		 */
		hook = (int (*)(struct lwp *, const char *))enosys;
	} else {
		return ENOTTY;
	}

	coredump_vec = hook;
	return 0;
}
/*
 * Dump core for the process that owns lwp 'l'.
 *
 * The core file name is produced by coredump_buildname() from 'pattern'
 * if the caller supplied one, otherwise from the process's limit
 * structure (pl_corename).  A set-id process may only dump when
 * security_setidcore_dump is set, and then always uses the
 * administrator-controlled security_setidcore_path and has the file's
 * owner, group and mode forced to security_setidcore_{owner,group,mode}.
 *
 * The file is opened with O_CREAT|O_NOFOLLOW and is rejected unless it
 * is a regular file with exactly one link that is owned by the dumping
 * process's effective uid, so the dump cannot be steered through a
 * symlink or hard link onto a file the user does not own.  Dumps are
 * also refused on file systems mounted MNT_NOCOREDUMP.
 *
 * Returns 0 on success, otherwise an errno: EFBIG if USPACE plus data
 * and stack size exceeds RLIMIT_CORE, EPERM for a disallowed set-id dump
 * or a MNT_NOCOREDUMP target, EACCES if the opened file fails the
 * regular/nlink/owner checks, ENOMEM if no pathbuf could be made, or the
 * error from name expansion, lookup, open, the es_coredump hook or close.
 */
static int
coredump(struct lwp *l, const char *pattern)
{
	struct vnode *vp;
	struct proc *p;
	struct vmspace *vm;
	kauth_cred_t cred;
	struct pathbuf *pb;
	struct nameidata nd;
	struct vattr vattr;
	struct coredump_iostate io;
	struct plimit *lim;
	int error, error1;
	char *name, *lastslash;

	/* MAXPATHLEN-byte scratch buffer for the expanded name; freed at done. */
	name = PNBUF_GET();

	p = l->l_proc;
	vm = p->p_vmspace;

	mutex_enter(proc_lock);		/* p_session */
	mutex_enter(p->p_lock);

	/*
	 * Refuse to core if the data + stack + user size is larger than
	 * the core dump limit.  XXX THIS IS WRONG, because of mapped
	 * data.
	 */
	if (USPACE + ctob(vm->vm_dsize + vm->vm_ssize) >=
	    p->p_rlimit[RLIMIT_CORE].rlim_cur) {
		error = EFBIG;		/* better error code? */
		mutex_exit(p->p_lock);
		mutex_exit(proc_lock);
		goto done;
	}

	/*
	 * It may well not be curproc, so grab a reference to its current
	 * credentials.
	 *
	 * NOTE(review): no matching kauth_cred_free(cred) is visible in
	 * this function, so every path from here on appears to leak one
	 * reference on the credential -- confirm, and release it at done:
	 * if so.
	 */
	kauth_cred_hold(p->p_cred);
	cred = p->p_cred;

	/*
	 * Make sure the process has not set-id, to prevent data leaks,
	 * unless it was specifically requested to allow set-id coredumps.
	 * When allowed, the caller's pattern is ignored in favour of the
	 * administrator's path, so a set-id process cannot choose where
	 * its (possibly privileged) memory image lands.
	 */
	if (p->p_flag & PK_SUGID) {
		if (!security_setidcore_dump) {
			error = EPERM;
			mutex_exit(p->p_lock);
			mutex_exit(proc_lock);
			goto done;
		}
		pattern = security_setidcore_path;
	}

	/* Lock, as p_limit and pl_corename might change. */
	lim = p->p_limit;
	mutex_enter(&lim->pl_lock);
	if (pattern == NULL) {
		pattern = lim->pl_corename;
	}
	error = coredump_buildname(p, name, pattern, MAXPATHLEN);
	mutex_exit(&lim->pl_lock);

	/*
	 * coredump_buildname() returns ENAMETOOLONG without NUL-terminating
	 * 'name', and the %n/%u expansions are user-controlled so the result
	 * can outgrow the pattern.  Bail out here, before strrchr() below
	 * ever looks at the buffer (this ordering is the read-past-end fix).
	 */
	if (error) {
		mutex_exit(p->p_lock);
		mutex_exit(proc_lock);
		goto done;
	}

	/*
	 * On a simple filename, see if the filesystem allows us to write
	 * core dumps there (the current directory's mount).
	 */
	lastslash = strrchr(name, '/');
	if (!lastslash) {
		vp = p->p_cwdi->cwdi_cdir;
		if (vp->v_mount == NULL ||
		    (vp->v_mount->mnt_flag & MNT_NOCOREDUMP) != 0)
			error = EPERM;
	}

	mutex_exit(p->p_lock);
	mutex_exit(proc_lock);
	if (error)
		goto done;

	/*
	 * On a complex filename, see if the filesystem allows us to write
	 * core dumps there.  The final component is temporarily replaced
	 * with "." so the containing directory itself is looked up.
	 *
	 * XXX: We should have an API that avoids double lookups.  vn_open()
	 * below resolves the path a second time, so a concurrent rename of
	 * a path component between the two lookups could route the dump
	 * around this MNT_NOCOREDUMP check.
	 */
	if (lastslash) {
		char c[2];

		/* Need room inside the MAXPATHLEN buffer for lastslash[1..2]. */
		if (lastslash - name >= MAXPATHLEN - 2) {
			error = EPERM;
			goto done;
		}

		c[0] = lastslash[1];
		c[1] = lastslash[2];
		lastslash[1] = '.';
		lastslash[2] = '\0';
		error = namei_simple_kernel(name, NSM_FOLLOW_NOEMULROOT, &vp);
		if (error)
			goto done;
		if (vp->v_mount == NULL ||
		    (vp->v_mount->mnt_flag & MNT_NOCOREDUMP) != 0)
			error = EPERM;
		vrele(vp);
		if (error)
			goto done;
		lastslash[1] = c[0];
		lastslash[2] = c[1];
	}

	pb = pathbuf_create(name);
	if (pb == NULL) {
		error = ENOMEM;
		goto done;
	}
	/* NOFOLLOW: never create or write the core through a symlink. */
	NDINIT(&nd, LOOKUP, NOFOLLOW, pb);
	if ((error = vn_open(&nd, O_CREAT | O_NOFOLLOW | FWRITE,
	    S_IRUSR | S_IWUSR)) != 0) {
		pathbuf_destroy(pb);
		goto done;
	}
	vp = nd.ni_vp;
	pathbuf_destroy(pb);

	/*
	 * Don't dump to:
	 * 	- non-regular files
	 * 	- files with links
	 * 	- files we don't own
	 * Together with NOFOLLOW above this keeps a core from being written
	 * over a file the user could not otherwise overwrite.
	 */
	if (vp->v_type != VREG ||
	    VOP_GETATTR(vp, &vattr, cred) || vattr.va_nlink != 1 ||
	    vattr.va_uid != kauth_cred_geteuid(cred)) {
		error = EACCES;
		goto out;
	}
	/* Truncate any previous contents before writing the new dump. */
	vattr_null(&vattr);
	vattr.va_size = 0;

	/* Set-id cores get the administrator-configured owner/group/mode. */
	if ((p->p_flag & PK_SUGID) && security_setidcore_dump) {
		vattr.va_uid = security_setidcore_owner;
		vattr.va_gid = security_setidcore_group;
		vattr.va_mode = security_setidcore_mode;
	}

	/*
	 * NOTE(review): the return value is ignored, so a failed truncate
	 * or ownership/mode change still lets the dump proceed -- confirm
	 * this is intended.
	 */
	VOP_SETATTR(vp, &vattr, cred);
	p->p_acflag |= ACORE;		/* accounting flag: process dumped core */

	/*
	 * vp is still locked from vn_open() (see VOP_UNLOCK at out:);
	 * coredump_write() relies on that via IO_NODELOCKED.
	 */
	io.io_lwp = l;
	io.io_vp = vp;
	io.io_cred = cred;
	io.io_offset = 0;

	/* Now dump the actual core file. */
	error = (*p->p_execsw->es_coredump)(l, &io);
 out:
	VOP_UNLOCK(vp);
	error1 = vn_close(vp, FWRITE, cred);
	if (error == 0)
		error = error1;
 done:
	if (name != NULL)
		PNBUF_PUT(name);
	return error;
}
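/*
 * Expand a core file name pattern into dst.
 *
 * Each "%x" escape in src is replaced as follows; any other byte,
 * including a '%' not followed by a known escape, is copied literally:
 *	%n	the process name (p->p_comm)
 *	%p	the process id
 *	%u	the session login name
 *	%t	the process start time, seconds since the epoch
 *
 * p:   process whose attributes fill in the escapes.
 * dst: output buffer of len bytes.
 * src: NUL-terminated pattern.
 * len: size of dst in bytes, including room for the terminating NUL.
 *
 * Returns 0 with dst NUL-terminated, or ENAMETOOLONG if the expansion
 * does not fit in len bytes (NUL included).  Unlike before, dst is
 * NUL-terminated on the error path too (when len > 0), so a caller that
 * mistakenly inspects it after a failure cannot read past the buffer.
 * %n and %u expand user-controlled text, so the result may be longer
 * than src; callers must still check the return value.
 *
 * Must be called with proc_lock held (p_comm, p_pgrp and the session are
 * read without further locking).
 */
static int
coredump_buildname(struct proc *p, char *dst, const char *src, size_t len)
{
	const char *s;
	char *d, *end;
	int i;

	KASSERT(mutex_owned(proc_lock));

	/* A zero-length buffer cannot hold even the terminating NUL. */
	if (len == 0)
		return (ENAMETOOLONG);

	for (s = src, d = dst, end = d + len; *s != '\0'; s++) {
		if (*s == '%') {
			switch (*(s + 1)) {
			case 'n':
				i = snprintf(d, end - d, "%s", p->p_comm);
				break;
			case 'p':
				i = snprintf(d, end - d, "%d", p->p_pid);
				break;
			case 'u':
				i = snprintf(d, end - d, "%.*s",
				    (int)sizeof p->p_pgrp->pg_session->s_login,
				    p->p_pgrp->pg_session->s_login);
				break;
			case 't':
				i = snprintf(d, end - d, "%lld",
				    (long long)p->p_stats->p_start.tv_sec);
				break;
			default:
				goto copy;
			}
			/*
			 * snprintf() returns the length the expansion would
			 * have had; anything that leaves no room for the NUL
			 * was truncated.  Check before advancing so d never
			 * points past end.
			 */
			if (i < 0 || (size_t)i >= (size_t)(end - d)) {
				end[-1] = '\0';
				return (ENAMETOOLONG);
			}
			d += i;
			s++;
		} else {
 copy:			*d++ = *s;
			if (d >= end) {
				/* Out of room: keep dst a valid string anyway. */
				end[-1] = '\0';
				return (ENAMETOOLONG);
			}
		}
	}
	*d = '\0';
	return 0;
}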
/*
 * Append 'len' bytes of 'data' to the core file described by 'io'.
 *
 * segflg says which address space 'data' lives in: UIO_USERSPACE means
 * the dumping lwp's own memory (so that lwp is handed to vn_rdwr() to do
 * the copy), anything else is kernel memory.  The write uses
 * IO_NODELOCKED because the vnode is kept locked by coredump() for the
 * whole dump.
 *
 * On success io->io_offset is advanced by len and 0 is returned.  On
 * failure the offset is left untouched, a diagnostic naming the process,
 * the failing range and the errno is printed to the console, and the
 * vn_rdwr() error is returned.
 */
int
coredump_write(struct coredump_iostate *io, enum uio_seg segflg,
    const void *data, size_t len)
{
	const int from_user = (segflg == UIO_USERSPACE);
	int rv;

	rv = vn_rdwr(UIO_WRITE, io->io_vp, __UNCONST(data), len,
	    io->io_offset, segflg, IO_NODELOCKED|IO_UNIT, io->io_cred, NULL,
	    from_user ? io->io_lwp : NULL);
	if (rv == 0) {
		io->io_offset += len;
		return (0);
	}

	/*
	 * The pointer printed is the source buffer: a user address for
	 * UIO_USERSPACE writes, a kernel address otherwise.
	 */
	printf("pid %d (%s): %s write of %zu@%p at %lld failed: %d\n",
	    io->io_lwp->l_proc->p_pid, io->io_lwp->l_proc->p_comm,
	    from_user ? "user" : "system",
	    len, data, (long long) io->io_offset, rv);
	return (rv);
}
/*
 * Return the current write position of the in-progress dump, i.e. the
 * number of bytes coredump_write() has successfully committed so far.
 */
off_t
coredump_offset(struct coredump_iostate *io)
{
	const off_t pos = io->io_offset;

	return pos;
}