Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
To: None <tech-security@netbsd.org>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-security
Date: 08/27/1999 12:31:16
Message-ID: <19990827123116.A345@antioche.lip6.fr>
References: <19990827115805.A4542@antioche.lip6.fr>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="Fba/0zbH8Xs+Fj9o"
In-Reply-To: <19990827115805.A4542@antioche.lip6.fr>; from Manuel Bouyer on Fri, Aug 27, 1999 at 11:58:05AM +0200


--Fba/0zbH8Xs+Fj9o
Content-Type: text/plain; charset=us-ascii

On Fri, Aug 27, 1999 at 11:58:05AM +0200, Manuel Bouyer wrote:
> !@#%$#, Sure this affects NetBSD as well, I just checked.
> A workaround is the following patch (I hope it is complete).
> Although the problem in libc needs to be solved, I wonder if a good practice
> wouldn't be not to dump core if the file already exists?

Ok, the following patch should do this. I'd recommend this rather than
workarounds in various scripts (it's so easy to forget one!).

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--

--Fba/0zbH8Xs+Fj9o
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="diff.00345b"

Index: kern_sig.c
===================================================================
RCS file: /cvsroot/syssrc/sys/kern/kern_sig.c,v
retrieving revision 1.92
diff -u -r1.92 kern_sig.c
--- kern_sig.c	1999/07/25 06:30:34	1.92
+++ kern_sig.c	1999/08/27 10:29:24
@@ -1297,7 +1297,12 @@
 		sprintf(name, "core");
 	else
 		sprintf(name, "%s.core", p->p_comm);
-	NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, name, p);
+	NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p);
+	error = namei(&nd);
+	if (error == 0)
+		return EEXIST;
+	if (error != ENOENT)
+		return error;
 	error = vn_open(&nd, O_CREAT | FWRITE, S_IRUSR | S_IWUSR);
 	if (error)
 		return (error);

--Fba/0zbH8Xs+Fj9o--