• Paul Wise's avatar
    coredump: split pipe command whitespace before expanding template · 315c6926
    Paul Wise authored
    Save the offsets of the start of each argument to avoid having to update
    pointers to each argument after every corename krealloc and to avoid
    having to duplicate the memory for the dump command.
    Executable names containing spaces were previously being expanded from
    %e or %E and then split in the middle of the filename.  This is
    incorrect behaviour since an argument list can represent arguments with
    The splitting could lead to extra arguments being passed to the core
    dump handler that it might have interpreted as options or ignored
    Core dump handlers that are not aware of this Linux kernel issue will be
    using %e or %E without considering that it may be split and so they will
    be vulnerable to processes with spaces in their names breaking their
    argument list.  If their internals are otherwise well written, such as
    if they are written in shell but quote arguments, they will work better
    after this change than before.  If they are not well written, then there
    is a slight chance of breakage depending on the details of the code but
    they will already be fairly broken by the split filenames.
    Core dump handlers that are aware of this Linux kernel issue will be
    placing %e or %E as the last item in their core_pattern and then
    aggregating all of the remaining arguments into one, separated by
    spaces.  Alternatively they will be obtaining the filename via other
    methods.  Both of these will be compatible with the new arrangement.
    A side effect from this change is that unknown template types (for
    example %z) result in an empty argument to the dump handler instead of
    the argument being dropped.  This is a desired change as:
    It is easier for dump handlers to process empty arguments than dropped
    ones, especially if they are written in shell or don't pass each
    template item with a preceding command-line option in order to
    differentiate between individual template types.  Most core_patterns in
    the wild do not use options so they can confuse different template types
    (especially numeric ones) if an earlier one gets dropped in old kernels.
    If the kernel introduces a new template type and a core_pattern uses it,
    the core dump handler might not expect that the argument can be dropped
    in old kernels.
    For example, this can result in security issues when %d is dropped in
    old kernels.  This happened with the corekeeper package in Debian and
    resulted in the interface between corekeeper and Linux having to be
    rewritten to use command-line options to differentiate between template
    The core_pattern for most core dump handlers is written by the handler
    author who would generally not insert unknown template types so this
    change should be compatible with all the core dump handlers that exist.
    Link: http://lkml.kernel.org/r/20190528051142.24939-1-pabs3@bonedaddy.net
    Fixes: 74aadce9 ("core_pattern: allow passing of arguments to user mode helper when core_pattern is a pipe")
    Signed-off-by: default avatarPaul Wise <pabs3@bonedaddy.net>
    Reported-by: Jakub Wilk <jwilk@jwilk.net> [https://bugs.debian.org/924398]
    Reported-by: Paul Wise <pabs3@bonedaddy.net> [https://lore.kernel.org/linux-fsdevel/c8b7ecb8508895bf4adb62a748e2ea2c71854597.camel@bonedaddy.net/]
    Suggested-by: default avatarJakub Wilk <jwilk@jwilk.net>
    Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
coredump.c 22.1 KB