realpath(3)

To: tech-security%NetBSD.org@localhost
Subject: realpath(3)
From: tlaronde%polynum.com@localhost
Date: Thu, 25 May 2023 09:48:13 +0200

NetBSD realpath(3) has an extension not in the POSIX.1 specification:

---8<---
If an error occurs, realpath() returns NULL,
and if resolvedname was not allocated by realpath(), it will
contain the pathname which caused the problem.
--->8---

Returning in the buffer designed to be defined with the correct result
(if not NULL) precisely the erroneous path chunk, is expecting to much
about the i.e. that they will test the return value of realpath(3)
without taking resolvedname for granted and correctly defined or the
empty string.

And this is precisely what the NetBSD src does: the mount incarnation
all use src/sbin/mount/pathadj.c, that does strictly nothing useful with
the return value of realpath(3) (it returns nothing and doesn't exit on
error)---note too: if "adjusted" is NULL, the returned allocated buffer
by realpath(3) is leaked by pathadj().

This does mean that calling realpath(3) with an input on which
realpath(3) will choke leads to precisely call mount() with the
offending part.

IMO, this extension to realpath(3) behavior should be suppressed, and
pathadj() should be fixed.
-- 
        Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
                     http://www.kergis.com/
                    http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C

Follow-Ups:
- Re: realpath(3)
  - From: Robert Elz

Prev by Date: NetBSD Security Advisory 2022-004: procfs(5) missing permission checks
Next by Date: Re: realpath(3)
Previous by Thread: NetBSD Security Advisory 2022-004: procfs(5) missing permission checks
Next by Thread: Re: realpath(3)
Indexes:

Home | Main Index | Thread Index | Old Index