Subject: kern/1202: union file system fishes around inside someone else's private mount data
To: None <gnats-admin@sun-lamp.pc.cs.cmu.edu>
From: John Kohl <jtk@kolvir.blrc.ma.us>
List: netbsd-bugs
Date: 07/10/1995 00:50:04
>Number: 1202
>Category: kern
>Synopsis: the union FS is illegitimately accessing another FS's privates
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Jul 10 00:50:02 1995
>Originator: John Kohl
>Organization:
NetBSD Kernel Hackers `R` Us
>Release: July 7th -current
>Environment:
System: NetBSD kolvir 1.0A NetBSD 1.0A (KOLVIR) #604: Sun Jul 9 20:01:06 EDT 1995 jtk@kolvir:/u1/NetBSD-current/src/sys/arch/i386/compile/KOLVIR i386
>Description:
Inside union_access(), the union file system accesses another
filesystem's private mount data when it is trying to find its own mount
point information.
>How-To-Repeat:
Mount an AFS file system underneath a UFS filesystem, and try to access
an underlying file. The union FS will try to follow AFS's
vp->v_mount->mnt_data, which is NULL. The kernel will then croak.
>Fix:
I think this is what the code was trying to do. I haven't tested this
yet (I can't test it from home):
*** union_vnops.c 1995/06/16 01:31:56 1.10
--- union_vnops.c 1995/07/10 02:47:43
***************
*** 626,632 ****
VOP_LOCK(vp);
error = VOP_ACCESS(vp, ap->a_mode, ap->a_cred, ap->a_p);
if (error == 0) {
! struct union_mount *um = MOUNTTOUNIONMOUNT(vp->v_mount);
if (um->um_op == UNMNT_BELOW)
error = VOP_ACCESS(vp, ap->a_mode,
--- 626,632 ----
VOP_LOCK(vp);
error = VOP_ACCESS(vp, ap->a_mode, ap->a_cred, ap->a_p);
if (error == 0) {
! struct union_mount *um = MOUNTTOUNIONMOUNT(ap->a_vp->v_mount);
if (um->um_op == UNMNT_BELOW)
error = VOP_ACCESS(vp, ap->a_mode,
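Review bot: On the changed line, `um` is now taken from `ap->a_vp->v_mount` while `vp` is still the vnode passed to the `VOP_ACCESS` calls before and after it, so the code relies on `vp` and `ap->a_vp` being different vnodes at this point and nothing in the hunk says so. A short comment above the declaration would help, stating that `vp` may belong to another file system's mount here and that only `ap->a_vp->v_mount` may be handed to `MOUNTTOUNIONMOUNT`. The result is also dereferenced on the very next line (`um->um_op`) with no check; since the reported crash came from a NULL `mnt_data`, consider asserting that `um` is non-NULL before it is used. The submitter notes the change is untested, so it should be exercised with the mount arrangement from How-To-Repeat before it is committed.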
>Audit-Trail:
>Unformatted: