The Linux kernel.core_pattern support for core dump handlers using the pipe syntax does argument splitting after template expansion. At minimum this bug could cause truncated values for the executable name. This also means that the argument parsing for core dump handlers is slightly more complicated because they have to deal with the fact that an attacker that can control the executable name via %E and %e could pass additional arguments, including command-line options, to the handler. Usually this is easy to deal with by merging the remaining arguments after an options termination indicator but it is very unlikely that core dump handler implementers are aware of the issue. Theoretically hostnames with %h could also be split up but in practice they do not appear to be allowed to contain spaces. Steps to reproduce: $ cat foo #!/bin/sh printf "%s~" "$@" >> /var/log/core echo >> /var/log/core $ chmod a+rx foo $ sudo sysctl kernel.core_pattern="|`pwd`/foo %E" kernel.core_pattern = |/home/pabs/foo %E $ cp /bin/sleep 'sleep with spaces' $ ./sleep\ with\ spaces 55555 & [1] 16041 $ kill -SEGV %1 [1]+ Segmentation fault (core dumped) ./sleep\ with\ spaces 55555 Incorrect results: $ cat /var/log/core !home!pabs!sleep~with~spaces~ Correct results: $ cat /var/log/core !home!pabs!sleep with spaces~ This was originally reported by Jakub Wilk <jwilk@xxxxxxxxx>: <20190312145043.jxjoj66kqssptolr@xxxxxxxxx> https://bugs.debian.org/924398 -- bye, pabs https://bonedaddy.net/pabs3/
Attachment:
signature.asc
Description: This is a digitally signed message part