Change the current working directory to be inside the jail created by

the jail(8) command. [10:04] Fix a one-NUL-byte buffer overflow in libopie. [10:05] Correctly sanity-check a buffer length in nfs mount. [10:06] Approved by: so (cperciva) Approved by: re (kensmith) Security: FreeBSD-SA-10:04.jail Security: FreeBSD-SA-10:05.opie Security: FreeBSD-SA-10:06.nfsclient
2010-05-27 03:15:04 +00:00 · 2010-05-27 03:15:04 +00:00 · 8fd6c56d29
commit 8fd6c56d29
parent 87164cbbaa
4 changed files with 18 additions and 4 deletions
--- a/contrib/opie/libopie/readrec.c
+++ b/contrib/opie/libopie/readrec.c
@ -141,10 +141,8 @@ int __opiereadrec FUNCTION((opie), struct opie *opie)
    
    if (c = strchr(opie->opie_principal, ':'))
      *c = 0;
-    if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX)
-      (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0;
    
-    strcpy(principal, opie->opie_principal);
+    strlcpy(principal, opie->opie_principal, sizeof(principal));
    
    do {
      if ((opie->opie_recstart = ftell(f)) < 0)
--- a/lib/libc/sys/mount.2
+++ b/lib/libc/sys/mount.2
@ -107,7 +107,7 @@ This restriction can be removed by setting the
 .Va vfs.usermount
 .Xr sysctl 8
 variable
-to a non-zero value.
+to a non-zero value; see the BUGS section for more information.
 .Pp
 The following
 .Fa flags
@ -374,3 +374,10 @@ system call first appeared in
 .Fx 5.0 .
 .Sh BUGS
 Some of the error codes need translation to more obvious messages.
+.Pp
+Allowing untrusted users to mount arbitrary media, e.g. by enabling
+.Va vfs.usermount ,
+should not be considered safe.
+Most file systems in
+.Fx
+were not built to safeguard against malicious devices.
--- a/sys/nfsclient/nfs_vfsops.c
+++ b/sys/nfsclient/nfs_vfsops.c
@ -1074,6 +1074,11 @@ nfs_mount(struct mount *mp)
 		error = EINVAL;
 		goto out;
 	}
+	if (args.fhsize < 0 || args.fhsize > NFSX_V3FHMAX) {
+		vfs_mount_error(mp, "Bad file handle");
+		error = EINVAL;
+		goto out;
+	}

 	if (mp->mnt_flag & MNT_UPDATE) {
 		struct nfsmount *nmp = VFSTONFS(mp);
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
@ -511,6 +511,10 @@ set_param(const char *name, char *value)
 			*value++ = '\0';
 	}

+	/* jail_set won't chdir along with its chroot, so do it here. */
+	if (!strcmp(name, "path") && chdir(value) < 0)
+		err(1, "chdir: %s", value);
+
 	/* Check for repeat parameters */
 	for (i = 0; i < nparams; i++)
 		if (!strcmp(name, params[i].jp_name)) {