Subject: Re: NetBSD Security Advisory 1999-008
To: None <grefen@hprc.tandem.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: current-users
Date: 04/13/1999 02:04:24
In message <13648.923987043@hrriss.hprc.tandem.com> Stefan Grefen writes
>In message <26497.923972993@eterna.com.au>  matthew green wrote:
>> 
>> Topic:		Kernel hang or panic in name lookup under certain circumstances
>> Version:	NetBSD 1.3.X, NetBSD-current to 19990409, and
>> 			early versions of NetBSD-1.4_ALPHA
>> Severity:	In later versions of -current and in 1.4_ALPHA, unprivileged
>> 			users can panic the system.
>> 
>> 
>> Abstract
>> ========
>> 
>> Unprivileged users can trigger a file-system locking error, causing the
>> system to panic or hang.  The following command sequence will trigger
>> the vulnerability:
>> 
>> 	% ln -s ./ test
>> 	% ln -s ./ test
>
>You can also do a union mount (eg. mount -F union /usr/src /usr/sup/src) and
>run concurrent lookup/create/change operations on it. (eg. multiple makes or
>a make and a find)
>This will crash the system with locking errors after some time.
>Having a mounted union-fs also prevents a clean shutdown.
>As unionfs is known to be 'unstable' I haven't submitted a PR.

Same deal with nullfs.
  `config <CONFIGFILE>; `make -j2' is a good way to reproduce it.