Hello everyone,

Basically multiple mounts don't check the requested options from the
system call against what the superblock already has stored in sb->s_flags
and since it just uses the existing superblock it is possible to mount
partitions with options different than what you requested, without 
userland ever being the wiser. I've tried this on several machines with
up-to-date mount + kernels (2.10m, 2.4.0test5-prex).

Here is a quick example, say sda1 is already mounted as /, rw. next step
is 'mount -t ext2 -o ro /dev/sda1 /mnt'. this goes fine, running 'mount'
or 'cat /etc/mtab' looks fine (mounted ro). however if you 'touch
/mnt/file' it lets you, so it is obviously not ro. looking a little
further, 'cat /proc/mounts' and you see the kernel has mounted it rw. this
inconsistency is no good. it needs to do some sort of check around line
778 maybe.. not really sure if there are masks involved or what not so
I'll leave the real coding to you guys.

pseudocode:
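/* reuse the existing superblock only if the requested flags match it */
if (sb->s_flags == flags) {
    if (fs_type == sb->s_type) {
        path_release(&nd);
        return sb;
    }
} else {
    /* flags differ from the already-mounted superblock: refuse */
    error = -ESOMETHING;
    goto out;
}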


This bug is also present in the bind mounts, although I'm not positive on
how it works there because I haven't looked at the code (I am not much of
a kernel person anyways, this is all giving me large headaches ;). The
same example but with 'mount -t bind -o ro / /mnt' should do the trick to
show the bug.

This has already been sent to sct, tytso, al vito, and lkml, and I've
finally been advised I should send it here. hopefully someone can now
patch it so I can stop fwding this everywhere ;)

enjoy,

-b
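
Added example, not part of the original message: a userland check for the inconsistency reported above, comparing the ro/rw state recorded in /etc/mtab with what the kernel lists in /proc/mounts. The sample tables are constructed to mirror the sda1 case in the report, and the function names are this example's own. It assumes /etc/mtab is a regular file maintained by mount, as on the systems described.

```python
"""Flag mounts whose ro/rw state in mtab differs from the kernel's view."""

# Constructed sample data modelled on the report: sda1 is mounted rw on /,
# then 'mount -t ext2 -o ro /dev/sda1 /mnt' is recorded as ro by userland
# while the kernel, reusing the existing superblock, lists it as rw.
SAMPLE_MTAB = """\
/dev/sda1 / ext2 rw 0 0
/dev/sda1 /mnt ext2 ro 0 0
proc /proc proc rw 0 0
"""
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext2 rw 0 0
/dev/sda1 /mnt ext2 rw 0 0
proc /proc proc rw 0 0
"""


def parse_mounts(text):
    """Map mount point -> (device, 'ro' or 'rw') from mtab-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue  # skip blank, short or comment lines
        device, mountpoint, _fstype, options = fields[:4]
        mode = "ro" if "ro" in options.split(",") else "rw"
        table[mountpoint] = (device, mode)  # a later entry shadows an earlier one
    return table


def find_mismatches(mtab_text, proc_text):
    """Return (mountpoint, device, recorded, actual) where the two views disagree."""
    recorded = parse_mounts(mtab_text)
    actual = parse_mounts(proc_text)
    mismatches = []
    for mountpoint, (device, want) in sorted(recorded.items()):
        if mountpoint in actual and actual[mountpoint][1] != want:
            mismatches.append((mountpoint, device, want, actual[mountpoint][1]))
    return mismatches


if __name__ == "__main__":
    for mp, dev, want, got in find_mismatches(SAMPLE_MTAB, SAMPLE_PROC_MOUNTS):
        print(f"{dev} on {mp}: mtab says {want}, kernel says {got}")
```

To run it against a live system, pass the contents of /etc/mtab and /proc/mounts to find_mismatches() in place of the sample strings.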

