Subject: Re: NetBSD Security Advisory 1999-008
To: matthew green <>
From: Stefan Grefen <>
List: tech-security
Date: 04/13/1999 09:04:03
In message <>  matthew green wrote:
> Topic:		Kernel hang or panic in name lookup under certain circumstances
> Version:	NetBSD 1.3.X, NetBSD-current to 19990409, and
> 			early versions of NetBSD-1.4_ALPHA
> Severity:	In later versions of -current and in 1.4_ALPHA, unprivileged
> 			users can panic the system.
> Abstract
> ========
> Unprivileged users can trigger a file-system locking error, causing the
> system to panic or hang.  The following command sequence will trigger
> the vulnerability:
> 	% ln -s ./ test
> 	% ln -s ./ test

You can also do a union mount (eg. mount -F union /usr/src /usr/sup/src) and
run concurrent lookup/create/change opertations on it. (eg. multiple makes or 
a make and a find)
This will crash the system with locking errors after some time.
Having a mounted union-fs also prevents a clean shutdown.
As unionfs is known to be 'unstable' I haven't submited a PR.


Stefan Grefen                                Tantau Software International Inc.              
 --- Hacking's just another word for nothing left to kludge. ---