freebsd-skq/lib/libutil/getlocalbase.c

91 lines
2.6 KiB
C
Raw Permalink Normal View History

/*-
* SPDX-License-Identifier: BSD-2-Clause
*
* Copyright 2020 Stefan Eßer <se@freebsd.org>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/sysctl.h>
#include <sys/limits.h>
Change getlocalbase() to not allocate any heap memory After the commit of the current version, Scott Long pointed out, that an attacker might be able to cause a use-after-free access if this function returned the value of the sysctl variable "user.localbase" by freeing the allocated memory without the cached address being cleared in the library function. To resolve this issue, I have proposed the originally suggested version with a statically allocated buffer in a review (D27370). There was no feedback on this review and after waiting for more than 2 weeks, the potential security issue is fixed by this commit. (There was no security risk in practice, since none of the programs converted to use this function attempted to free the buffer. The address could only have pointed into the heap if user.localbase was set to a non-default value, into r/o data or the environment, else.) This version uses a static buffer of size LOCALBASE_CTL_LEN, which defaults to MAXPATHLEN. This does not increase the memory footprint of the library at this time, since its data segment grows from less than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical architectures, anyway. Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code that accesses the sysctl variable, values between 1 and MAXPATHLEN-1 will limit the maximum size of the prefix. When built with such a value and if too large a value has been configured in user.localbase, the value defined as ILLEGAL_PREFIX will be returned to cause any file operations on that result to fail. (Default value is "/dev/null/", the review contained "/\177", but I assume that "/dev/null" exists and can not be accessed as a directory. Any other string that can be assumed not be a valid path prefix could be used.) I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for the user.localbase variable, too. Doing this would guarantee that the result always fit into the buffer in this library function (unless run on a kernel built with a different buffer size.) The function always returns a valid string, and only in case it is built with a small static buffer and run on a system with too large a value in user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing the created path to be non-existent. Differential Revision: https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
#include <errno.h>
#include <stdlib.h>
#include <paths.h>
#include <libutil.h>
#include <unistd.h>
#ifndef _PATH_LOCALBASE
#define _PATH_LOCALBASE "/usr/local"
#endif
Change getlocalbase() to not allocate any heap memory After the commit of the current version, Scott Long pointed out, that an attacker might be able to cause a use-after-free access if this function returned the value of the sysctl variable "user.localbase" by freeing the allocated memory without the cached address being cleared in the library function. To resolve this issue, I have proposed the originally suggested version with a statically allocated buffer in a review (D27370). There was no feedback on this review and after waiting for more than 2 weeks, the potential security issue is fixed by this commit. (There was no security risk in practice, since none of the programs converted to use this function attempted to free the buffer. The address could only have pointed into the heap if user.localbase was set to a non-default value, into r/o data or the environment, else.) This version uses a static buffer of size LOCALBASE_CTL_LEN, which defaults to MAXPATHLEN. This does not increase the memory footprint of the library at this time, since its data segment grows from less than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical architectures, anyway. Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code that accesses the sysctl variable, values between 1 and MAXPATHLEN-1 will limit the maximum size of the prefix. When built with such a value and if too large a value has been configured in user.localbase, the value defined as ILLEGAL_PREFIX will be returned to cause any file operations on that result to fail. (Default value is "/dev/null/", the review contained "/\177", but I assume that "/dev/null" exists and can not be accessed as a directory. Any other string that can be assumed not be a valid path prefix could be used.) I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for the user.localbase variable, too. Doing this would guarantee that the result always fit into the buffer in this library function (unless run on a kernel built with a different buffer size.) The function always returns a valid string, and only in case it is built with a small static buffer and run on a system with too large a value in user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing the created path to be non-existent. Differential Revision: https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
#ifndef LOCALBASE_CTL_LEN
#define LOCALBASE_CTL_LEN MAXPATHLEN
#endif
/* Any prefix guaranteed to not be the start of a valid path name */
#define ILLEGAL_PREFIX "/dev/null/"
const char *
getlocalbase(void)
{
Change getlocalbase() to not allocate any heap memory After the commit of the current version, Scott Long pointed out, that an attacker might be able to cause a use-after-free access if this function returned the value of the sysctl variable "user.localbase" by freeing the allocated memory without the cached address being cleared in the library function. To resolve this issue, I have proposed the originally suggested version with a statically allocated buffer in a review (D27370). There was no feedback on this review and after waiting for more than 2 weeks, the potential security issue is fixed by this commit. (There was no security risk in practice, since none of the programs converted to use this function attempted to free the buffer. The address could only have pointed into the heap if user.localbase was set to a non-default value, into r/o data or the environment, else.) This version uses a static buffer of size LOCALBASE_CTL_LEN, which defaults to MAXPATHLEN. This does not increase the memory footprint of the library at this time, since its data segment grows from less than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical architectures, anyway. Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code that accesses the sysctl variable, values between 1 and MAXPATHLEN-1 will limit the maximum size of the prefix. When built with such a value and if too large a value has been configured in user.localbase, the value defined as ILLEGAL_PREFIX will be returned to cause any file operations on that result to fail. (Default value is "/dev/null/", the review contained "/\177", but I assume that "/dev/null" exists and can not be accessed as a directory. Any other string that can be assumed not be a valid path prefix could be used.) I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for the user.localbase variable, too. Doing this would guarantee that the result always fit into the buffer in this library function (unless run on a kernel built with a different buffer size.) The function always returns a valid string, and only in case it is built with a small static buffer and run on a system with too large a value in user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing the created path to be non-existent. Differential Revision: https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
#if LOCALBASE_CTL_LEN > 0
int localbase_oid[2] = {CTL_USER, USER_LOCALBASE};
static char localpath[LOCALBASE_CTL_LEN];
size_t localpathlen = LOCALBASE_CTL_LEN;
#endif
char *tmppath;
static const char *localbase = NULL;
Change getlocalbase() to not allocate any heap memory After the commit of the current version, Scott Long pointed out, that an attacker might be able to cause a use-after-free access if this function returned the value of the sysctl variable "user.localbase" by freeing the allocated memory without the cached address being cleared in the library function. To resolve this issue, I have proposed the originally suggested version with a statically allocated buffer in a review (D27370). There was no feedback on this review and after waiting for more than 2 weeks, the potential security issue is fixed by this commit. (There was no security risk in practice, since none of the programs converted to use this function attempted to free the buffer. The address could only have pointed into the heap if user.localbase was set to a non-default value, into r/o data or the environment, else.) This version uses a static buffer of size LOCALBASE_CTL_LEN, which defaults to MAXPATHLEN. This does not increase the memory footprint of the library at this time, since its data segment grows from less than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical architectures, anyway. Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code that accesses the sysctl variable, values between 1 and MAXPATHLEN-1 will limit the maximum size of the prefix. When built with such a value and if too large a value has been configured in user.localbase, the value defined as ILLEGAL_PREFIX will be returned to cause any file operations on that result to fail. (Default value is "/dev/null/", the review contained "/\177", but I assume that "/dev/null" exists and can not be accessed as a directory. Any other string that can be assumed not be a valid path prefix could be used.) I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for the user.localbase variable, too. Doing this would guarantee that the result always fit into the buffer in this library function (unless run on a kernel built with a different buffer size.) The function always returns a valid string, and only in case it is built with a small static buffer and run on a system with too large a value in user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing the created path to be non-existent. Differential Revision: https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
if (localbase != NULL)
return (localbase);
if (issetugid() == 0) {
tmppath = getenv("LOCALBASE");
Change getlocalbase() to not allocate any heap memory After the commit of the current version, Scott Long pointed out, that an attacker might be able to cause a use-after-free access if this function returned the value of the sysctl variable "user.localbase" by freeing the allocated memory without the cached address being cleared in the library function. To resolve this issue, I have proposed the originally suggested version with a statically allocated buffer in a review (D27370). There was no feedback on this review and after waiting for more than 2 weeks, the potential security issue is fixed by this commit. (There was no security risk in practice, since none of the programs converted to use this function attempted to free the buffer. The address could only have pointed into the heap if user.localbase was set to a non-default value, into r/o data or the environment, else.) This version uses a static buffer of size LOCALBASE_CTL_LEN, which defaults to MAXPATHLEN. This does not increase the memory footprint of the library at this time, since its data segment grows from less than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical architectures, anyway. Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code that accesses the sysctl variable, values between 1 and MAXPATHLEN-1 will limit the maximum size of the prefix. When built with such a value and if too large a value has been configured in user.localbase, the value defined as ILLEGAL_PREFIX will be returned to cause any file operations on that result to fail. (Default value is "/dev/null/", the review contained "/\177", but I assume that "/dev/null" exists and can not be accessed as a directory. Any other string that can be assumed not be a valid path prefix could be used.) I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for the user.localbase variable, too. Doing this would guarantee that the result always fit into the buffer in this library function (unless run on a kernel built with a different buffer size.) The function always returns a valid string, and only in case it is built with a small static buffer and run on a system with too large a value in user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing the created path to be non-existent. Differential Revision: https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
if (tmppath != NULL && tmppath[0] != '\0') {
localbase = tmppath;
Change getlocalbase() to not allocate any heap memory After the commit of the current version, Scott Long pointed out, that an attacker might be able to cause a use-after-free access if this function returned the value of the sysctl variable "user.localbase" by freeing the allocated memory without the cached address being cleared in the library function. To resolve this issue, I have proposed the originally suggested version with a statically allocated buffer in a review (D27370). There was no feedback on this review and after waiting for more than 2 weeks, the potential security issue is fixed by this commit. (There was no security risk in practice, since none of the programs converted to use this function attempted to free the buffer. The address could only have pointed into the heap if user.localbase was set to a non-default value, into r/o data or the environment, else.) This version uses a static buffer of size LOCALBASE_CTL_LEN, which defaults to MAXPATHLEN. This does not increase the memory footprint of the library at this time, since its data segment grows from less than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical architectures, anyway. Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code that accesses the sysctl variable, values between 1 and MAXPATHLEN-1 will limit the maximum size of the prefix. When built with such a value and if too large a value has been configured in user.localbase, the value defined as ILLEGAL_PREFIX will be returned to cause any file operations on that result to fail. (Default value is "/dev/null/", the review contained "/\177", but I assume that "/dev/null" exists and can not be accessed as a directory. Any other string that can be assumed not be a valid path prefix could be used.) I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for the user.localbase variable, too. Doing this would guarantee that the result always fit into the buffer in this library function (unless run on a kernel built with a different buffer size.) The function always returns a valid string, and only in case it is built with a small static buffer and run on a system with too large a value in user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing the created path to be non-existent. Differential Revision: https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
return (localbase);
}
}
#if LOCALBASE_CTL_LEN > 0
if (sysctl(localbase_oid, 2, localpath, &localpathlen, NULL, 0) != 0) {
if (errno != ENOMEM)
localbase = _PATH_LOCALBASE;
else
Change getlocalbase() to not allocate any heap memory After the commit of the current version, Scott Long pointed out, that an attacker might be able to cause a use-after-free access if this function returned the value of the sysctl variable "user.localbase" by freeing the allocated memory without the cached address being cleared in the library function. To resolve this issue, I have proposed the originally suggested version with a statically allocated buffer in a review (D27370). There was no feedback on this review and after waiting for more than 2 weeks, the potential security issue is fixed by this commit. (There was no security risk in practice, since none of the programs converted to use this function attempted to free the buffer. The address could only have pointed into the heap if user.localbase was set to a non-default value, into r/o data or the environment, else.) This version uses a static buffer of size LOCALBASE_CTL_LEN, which defaults to MAXPATHLEN. This does not increase the memory footprint of the library at this time, since its data segment grows from less than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical architectures, anyway. Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code that accesses the sysctl variable, values between 1 and MAXPATHLEN-1 will limit the maximum size of the prefix. When built with such a value and if too large a value has been configured in user.localbase, the value defined as ILLEGAL_PREFIX will be returned to cause any file operations on that result to fail. (Default value is "/dev/null/", the review contained "/\177", but I assume that "/dev/null" exists and can not be accessed as a directory. Any other string that can be assumed not be a valid path prefix could be used.) I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for the user.localbase variable, too. Doing this would guarantee that the result always fit into the buffer in this library function (unless run on a kernel built with a different buffer size.) The function always returns a valid string, and only in case it is built with a small static buffer and run on a system with too large a value in user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing the created path to be non-existent. Differential Revision: https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
localbase = ILLEGAL_PREFIX;
} else {
if (localpath[0] != '\0')
localbase = localpath;
else
localbase = _PATH_LOCALBASE;
}
Change getlocalbase() to not allocate any heap memory After the commit of the current version, Scott Long pointed out, that an attacker might be able to cause a use-after-free access if this function returned the value of the sysctl variable "user.localbase" by freeing the allocated memory without the cached address being cleared in the library function. To resolve this issue, I have proposed the originally suggested version with a statically allocated buffer in a review (D27370). There was no feedback on this review and after waiting for more than 2 weeks, the potential security issue is fixed by this commit. (There was no security risk in practice, since none of the programs converted to use this function attempted to free the buffer. The address could only have pointed into the heap if user.localbase was set to a non-default value, into r/o data or the environment, else.) This version uses a static buffer of size LOCALBASE_CTL_LEN, which defaults to MAXPATHLEN. This does not increase the memory footprint of the library at this time, since its data segment grows from less than 7 KB to less than 8 KB, i.e. it will get two 4 KB pages on typical architectures, anyway. Compiling with LOCALBASE_CTL_LEN defined as 0 will remove the code that accesses the sysctl variable, values between 1 and MAXPATHLEN-1 will limit the maximum size of the prefix. When built with such a value and if too large a value has been configured in user.localbase, the value defined as ILLEGAL_PREFIX will be returned to cause any file operations on that result to fail. (Default value is "/dev/null/", the review contained "/\177", but I assume that "/dev/null" exists and can not be accessed as a directory. Any other string that can be assumed not be a valid path prefix could be used.) I do suggest to use LOCALBASE_CTL_LEN to size the in-kernel buffer for the user.localbase variable, too. Doing this would guarantee that the result always fit into the buffer in this library function (unless run on a kernel built with a different buffer size.) The function always returns a valid string, and only in case it is built with a small static buffer and run on a system with too large a value in user.localbase, the ILLEGAL_PREFIX will be returned, effectively causing the created path to be non-existent. Differential Revision: https://reviews.freebsd.org/D27370
2020-12-12 11:23:52 +00:00
#else
localbase = _PATH_LOCALBASE;
#endif
return (localbase);
}