Subject: PROBLEM: Linux kernel.core_pattern with pipes does argument splitting after template expansion
From: Paul Wise
To: Alexander Viro, linux-fsdevel@vger.kernel.org, linux-kernel
Cc: Jakub Wilk
Date: Tue, 19 Mar 2019 14:06:27 +0800

The Linux kernel.core_pattern support for core dump handlers using the
pipe syntax does argument splitting after template expansion. At minimum
this bug could cause truncated values for the executable name. This also
means that the argument parsing for core dump handlers is slightly more
complicated because they have to deal with the fact that an attacker who
can control the executable name via %E and %e could pass additional
arguments, including command-line options, to the handler. Usually this
is easy to deal with by merging the remaining arguments after an options
termination indicator, but it is very unlikely that core dump handler
implementers are aware of the issue. Theoretically hostnames with %h could
also be split up, but in practice they do not appear to be allowed to
contain spaces.

Steps to reproduce:

$ cat foo
#!/bin/sh
printf "%s~" "$@" >> /var/log/core
echo >> /var/log/core
$ chmod a+rx foo
$ sudo sysctl kernel.core_pattern="|`pwd`/foo %E"
kernel.core_pattern = |/home/pabs/foo %E
$ cp /bin/sleep 'sleep with spaces'
$ ./sleep\ with\ spaces 55555 &
[1] 16041
$ kill -SEGV %1
[1]+  Segmentation fault      (core dumped) ./sleep\ with\ spaces 55555

Incorrect results:

$ cat /var/log/core
!home!pabs!sleep~with~spaces~

Correct results:

$ cat /var/log/core
!home!pabs!sleep with spaces~

This was originally reported by Jakub Wilk:
<20190312145043.jxjoj66kqssptolr@jwilk.net>
https://bugs.debian.org/924398

-- 
bye,
pabs

https://bonedaddy.net/pabs3/
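The report's mitigation, "merging the remaining arguments after an options termination indicator", worked through as an added example. This is editor-supplied code, not part of the original message or of the kernel: it assumes a hypothetical handler path /usr/local/sbin/core-handler and a core_pattern of "|/usr/local/sbin/core-handler %p %s %t -- %E", so that %E is the only template that can contain whitespace and it sits alone after "--". Everything the handler receives after "--" is then a fragment of the executable path and is rejoined, and a fragment such as "--output=!tmp!x" chosen by whoever named the binary cannot be mistaken for one of the handler's own options. The naive positional parser is included for contrast and reproduces the misattribution visible in the report's output (where '/' in %E has already been rewritten as '!').

```shell
#!/bin/sh
# Added example, not part of the original report or of the kernel: a core
# dump handler that tolerates the kernel expanding %E and only then
# whitespace-splitting the pipe command line.
#
# Assumed (hypothetical) core_pattern, with %E kept last behind "--":
#   kernel.core_pattern = |/usr/local/sbin/core-handler %p %s %t -- %E

# parse_core_args PID SIGNAL TIME -- EXE_FRAGMENT...
# Prints "pid|sig|time|exe", where exe is the rejoined executable name.
parse_core_args() {
    [ "$#" -ge 4 ] || { echo "usage: PID SIG TIME -- EXE..." >&2; return 1; }
    pid=$1 sig=$2 ts=$3
    shift 3
    [ "$1" = "--" ] || { echo "core_pattern must place -- before %E" >&2; return 1; }
    shift
    # Rejoin the fragments with single spaces. This is best-effort: the
    # kernel's split collapsed any run of whitespace in the original path,
    # so the exact original spacing cannot be recovered.
    exe="$*"
    printf '%s|%s|%s|%s\n' "$pid" "$sig" "$ts" "$exe"
}

# naive_parse EXE PID SIGNAL
# The fragile pattern "|handler %E %p %s": positional parsing assumes %E
# occupies exactly one argv slot. Prints "pid|sig|exe" as it sees them.
naive_parse() {
    printf '%s|%s|%s\n' "$2" "$3" "$1"
}

# Constructed argv mirroring the report's "sleep with spaces" reproduction
# (pid 16041, SIGSEGV = 11, an arbitrary %t value).
naive_parse '!home!pabs!sleep' with spaces 16041 11
#  -> with|spaces|!home!pabs!sleep   (pid and signal are garbage)
parse_core_args 16041 11 1552976175 -- '!home!pabs!sleep' with spaces
#  -> 16041|11|1552976175|!home!pabs!sleep with spaces
```

Two caveats. Only one field can be placed after "--", so a handler that needs both %e and %E (either of which can contain whitespace) cannot be made robust by this trick alone. And the rejoin cannot tell one space from several, or from a tab, because the kernel has already collapsed them; the reconstructed name is good enough for logging and naming a dump file, not for an exact comparison against the original path.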