Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-06 Thread Todd C. Miller
On Wed, 06 Jul 2016 15:28:33 +0200, Marc Espie wrote: > Note: it seems strange to have extra checks for VT_CHAR... in tmpfs_mknod > as well. These should be fs-independent ?... Do you mean this? if (vt != VBLK && vt != VCHR && vt != VFIFO) { vput(dvp);

Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-06 Thread Ted Unangst
Todd C. Miller wrote: > On Wed, 06 Jul 2016 06:53:06 -0600, "Todd C. Miller" wrote: > > > Is there any reason to not do the check higher up in domknodat()? > > A mknod of -1 on ffs results in a device of major 0, minor 0 which > > is unexpected. > > The following should be sufficient and not

Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-06 Thread Marc Espie
On Wed, Jul 06, 2016 at 07:18:14AM -0600, Bob Beck wrote: > ok beck@ > > On Wednesday, 6 July 2016, Todd C. Miller wrote: > > > On Wed, 06 Jul 2016 06:53:06 -0600, "Todd C. Miller" wrote: > > > > > Is there any reason to not do the check higher up in domknodat()? > >

Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-06 Thread Bob Beck
ok beck@ On Wednesday, 6 July 2016, Todd C. Miller wrote: > On Wed, 06 Jul 2016 06:53:06 -0600, "Todd C. Miller" wrote: > > > Is there any reason to not do the check higher up in domknodat()? > > A mknod of -1 on ffs results in a device of major 0, minor 0 which > >

Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-06 Thread Todd C. Miller
On Wed, 06 Jul 2016 06:53:06 -0600, "Todd C. Miller" wrote: > Is there any reason to not do the check higher up in domknodat()? > A mknod of -1 on ffs results in a device of major 0, minor 0 which > is unexpected. The following should be sufficient and not interfere with creating FIFOs or

Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-06 Thread Todd C. Miller
Is there any reason to not do the check higher up in domknodat()? A mknod of -1 on ffs results in a device of major 0, minor 0 which is unexpected. - todd

Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-06 Thread Marc Espie
E.g., this should be equivalent. Index: tmpfs_vnops.c === RCS file: /build/data/openbsd/cvs/src/sys/tmpfs/tmpfs_vnops.c,v retrieving revision 1.27 diff -u -p -r1.27 tmpfs_vnops.c --- tmpfs_vnops.c 19 Jun 2016 11:54:33 -

Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-05 Thread Marc Espie
On Tue, Jul 05, 2016 at 07:21:57PM -0400, Ted Unangst wrote: > Tim Newsham wrote: > > Recommendation: > > Validate the device number vap->va_rdev in tmpfs_mknod() and return > > an error if it is VNOVAL (-1). > > Sounds about right to me. > > Index: tmpfs_vnops.c >

Re: Root can panic kernel with mknod on a tmpfs filesystem

2016-07-05 Thread Ted Unangst
Tim Newsham wrote: > Recommendation: > Validate the device number vap->va_rdev in tmpfs_mknod() and return > an error if it is VNOVAL (-1). Sounds about right to me. Index: tmpfs_vnops.c === RCS file:

Root can panic kernel with mknod on a tmpfs filesystem

2016-07-05 Thread Tim Newsham
knod * * gcc -g tmpfs_mknod_panic.c -o tmpfs_mknod_panic */ #ifdef BUG_WRITEUP //--- Root can panic kernel with mknod on a tmpfs filesystem Impact: Root can panic the kernel. Description: When performing a mknod system call on a tmpfs filesy