Subject: kern/2426: perverse union fs mounts can cause system crash, other miscfs dangers
To: None <gnats-bugs@NetBSD.ORG>
From: Greg Stark <gsstark@mit.edu>
List: netbsd-bugs
Date: 05/17/1996 04:51:44
>Number:         2426
>Category:       kern
>Synopsis:       mount_union a/ b/; mount_union -b a/ b/
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri May 17 05:20:01 1996
>Last-Modified:
>Originator:     Greg Stark
>Organization:
The Student Information Processing Board
	
>Release:        1.1
>Environment:
	
System: NetBSD limekiller 1.1B NetBSD 1.1B (LIMEKILLER) #13: Sat May 11 17:43:31 EDT 1996 ghudson@zygorthian-space-raiders:/afs/sipb.mit.edu/project/netbsd/dev/current-source/build/i386_nbsd1/sys/arch/i386/compile/LIMEKILLER i386
from strings mount_union
$NetBSD: mount_union.c,v 1.2 1995/03/18 14:58:24 cgd Exp $
$NetBSD: getmntopts.c,v 1.3 1995/03/18 14:56:58 cgd Exp $


>Description:
	

Some combinations of circular or otherwise confusing union mounts and
presumably nullfs mounts cause the machine to crash.

I verified this remotely so I didn't see exactly how the failure
occurred. The machine seemed ok for a while; it responded to finger,
but a second login froze and it eventually crashed.

I fear this isn't the only danger; what would happen if you nullfs
mount a over b and b over a?  Or the same with union mounts?

This was recently reported as a "security hole" in FreeBSD 2.1 by
"Krzysztof Labanowski" <CHRISL@gazeta.pl> and Adam Kubicki.

>How-To-Repeat:
	
cd /var/tmp
mkdir a b
mount_union    a/ b/
mount_union -b a/ b/
# for me this second command never returned.

>Fix:
	
>Audit-Trail:
>Unformatted:
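
Added example, not part of the original report or of NetBSD: a pre-mount sanity check that flags the layering patterns the report describes (the same directory layered onto one mount point twice, as in How-To-Repeat, and a over b combined with b over a). The function name and the "fstype source target" input layout are assumptions of this example, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example. Input lines are "fstype source target"; this layout is an
# assumption of the example, not the output format of any mount(8).
# Paths are compared as strings, so they must already be absolute.
check_layered_mounts() {
    awk '
    function norm(p) {                 # "a/" and "a" name the same directory
        sub(/\/+$/, "", p)
        return p == "" ? "/" : p
    }
    $1 != "union" && $1 != "null" { next }   # only layered file systems
    {
        src = norm($2); dst = norm($3)
        if (src == dst) {
            print "SELF " src; found = 1             # directory layered on itself
        } else if ((src SUBSEP dst) in seen) {
            print "REPEAT " src " " dst; found = 1   # same pair again (How-To-Repeat)
        } else if ((dst SUBSEP src) in seen) {
            print "MUTUAL " src " " dst; found = 1   # a over b and b over a
        }
        seen[src SUBSEP dst] = 1
    }
    END { exit found + 0 }             # non-zero exit when anything was flagged
    '
}

# Constructed sample: the report's two union mounts, then a mutual null pair.
SAMPLE='union /var/tmp/a/ /var/tmp/b/
union /var/tmp/a/ /var/tmp/b/
null /srv/x /srv/y
null /srv/y /srv/x'

printf '%s\n' "$SAMPLE" | check_layered_mounts || true
```

A wrapper could feed the current layered mounts plus the requested one through this check and refuse to call the mount program when it exits non-zero.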