Subject: port-i386/474: Kernel crashing on wrong access to mfs mounted /tmp
To: None <firstname.lastname@example.org>
From: Andrew Wheadon <email@example.com>
Date: 09/13/1994 10:05:06
>Synopsis: panic when userland executable messes with /tmp
>Responsible: gnats-admin (GNATS administrator)
>Arrival-Date: Tue Sep 13 10:05:04 1994
>Originator: Andrew Wheadon
System: NetBSD wipux2.wifo.uni-mannheim.de 1.0_BETA NetBSD 1.0_BETA (TEST) #0: Sun Sep 11 15:32:13 MET DST 1994 firstname.lastname@example.org:/src/src/sys/arch/i386/compile/TEST i386
There seems to be a problem in the mfs-layer which causes
a panic when for example pine messes with an mfs-mounted /tmp
and one then tries to create a file in /tmp.
mount /tmp as an mfs: (/etc/fstab)
/dev/sd0b /tmp mfs rw,-s=48000 0 0
Compile pine (./build bsi) (probs: sys_errlist and prototype
sstrcasecmp is wrong)
install with no special perms. Run as a normal user on a
mail folder with a few mails in. (I did it with 2,3 and 6)
read the mail with pine.
While running pine will create a file on /tmp of about
4 GB in size (according to ls -l /tmp) this takes less
than a second and nothing seems to really be written.
Do an ls -l /tmp and the file is gone.
Create a file on /tmp with 'cat >/tmp/t' and the kernel
panics on panic-ffs_vfree-ffs_blkpref-ffs_blkpref-ffs_alloc-
This bug is at least 2 months old but at the time I thought
it was just me. I've meanwhile tried it on a normal /tmp and
there it doesn't fail.--- So it seems to be a bug in the mfs-code
and since I'm a normal user and the binary has no special
permissions it seems that anybody who wishes to can crash the
machine. Just copy over a pine-binary and run it...
Don't use pine. || Don't use mount_mfs. ;-)