NetBSD-Bugs archive


kern/44648: access("/tmp/lose", 8) panics when /tmp is on tmpfs



>Number:         44648
>Category:       kern
>Synopsis:       access("/tmp/lose", 8) panics when /tmp is on tmpfs
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Feb 27 22:50:00 +0000 2011
>Originator:     Taylor R Campbell <campbell+netbsd%mumble.net@localhost>
>Release:        NetBSD 5.99.46
>Organization:
>Environment:
System: NetBSD oberon.local 5.99.46 NetBSD 5.99.46 (RIAMONODEBUG) #30: Fri Feb 25 21:04:59 UTC 2011 riastradh@smalltalk.local:/home/riastradh/netbsd/current/obj/sys/arch/i386/compile/RIAMONODEBUG i386
Architecture: i386
Machine: i386
>Description:

        access("/tmp/lose", 8) causes the flags argument to VOP_ACCESS
        in sys_access to be zero.  tmpfs_access passes the zero flags
        through kauth_mode_to_action, which yields a zero action for
        kauth_authorize_vnode, where kauth_authorize_action_internal
        asserts that the action is nonzero.

        I don't know what program does this, or whether any program
        actually did -- it happened during a bulk build on a MacBook1,1
        (dual-core i386) with a -current kernel, on which I have seen
        bizarre behaviour, panics, and silent reboots recently.  The
        bulk build was at sysutils/cdrtools, which I've built several
        times before, so I suspect something else is afoot.

>How-To-Repeat:

        The following program reliably makes NetBSD panic for me if I
        pass it the pathname of a file in a tmpfs:

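#include <err.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
        /* Usage error: errx, since errno is not meaningful here. */
        if (argc != 2)
                errx(1, "Usage: %s <pathname>", argv[0]);
        /* Mode 8 has none of the R_OK, W_OK or X_OK bits set. */
        if (access(argv[1], 8) == -1)
                err(1, "access");
        return (0);
}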

>Fix:

        Apply the following patch to vfs_syscalls.c.  It would have
        sufficed to change `if (SCARG(uap, flags))' to `if (SCARG(uap,
        flags) & (R_OK | W_OK | X_OK))', but this will help to flag
        broken programs.  (Actually, just changing access(2) to return
        EINVAL all the time would help to flag broken programs, but
        that's a separate issue...)

Index: vfs_syscalls.c
===================================================================
RCS file: /cvsroot/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.414
diff -p -u -r1.414 vfs_syscalls.c
--- vfs_syscalls.c      13 Jan 2011 07:25:50 -0000      1.414
+++ vfs_syscalls.c      27 Feb 2011 22:37:47 -0000
@@ -2504,7 +2504,9 @@ sys_access(struct lwp *l, const struct s
        pathbuf_destroy(pb);
 
        /* Flags == 0 means only check for existence. */
-       if (SCARG(uap, flags)) {
+       if (SCARG(uap, flags) &~ (R_OK | W_OK | X_OK)) {
+               error = EINVAL;
+       } else if (SCARG(uap, flags)) {
                flags = 0;
                if (SCARG(uap, flags) & R_OK)
                        flags |= VREAD;
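
Review bot: The new EINVAL test sits after `pathbuf_destroy(pb)`, so a call with bits outside `R_OK | W_OK | X_OK` is rejected only once the pathbuf has already been used and torn down. Validating `SCARG(uap, flags)` at the top of sys_access would reject a bad argument before any path handling, and the `error = EINVAL` branch would then not rely on whatever cleanup follows this block (not visible in the hunk). The comment `/* Flags == 0 means only check for existence. */` should also say that any other bits now return EINVAL, and `&~ (` is more conventionally written `& ~(`.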


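As an added illustration (not part of the original report or the NetBSD source), this user-space C model traces the flag handling the report describes: before the patch a mode of 8 enters the access-check branch but translates to zero vnode flags, while the patched check rejects it. The `M_V*` constants, the `SKIP_VOP` and `REJECT_EINVAL` markers and all function names are hypothetical, and the W_OK/X_OK arms are assumed by analogy with the R_OK line visible in the patch.

```c
#include <stdio.h>
#include <unistd.h>	/* R_OK, W_OK, X_OK */

/* Model-only stand-ins for the kernel's VREAD/VWRITE/VEXEC (values assumed). */
enum { M_VEXEC = 01, M_VWRITE = 02, M_VREAD = 04 };
/* Model-only outcomes: VOP_ACCESS not called, or syscall fails with EINVAL. */
enum { SKIP_VOP = -1, REJECT_EINVAL = -2 };

/* R_OK arm mirrors the patch context; W_OK/X_OK arms are assumed by analogy. */
static int
translate(int uflags)
{
	int vflags = 0;

	if (uflags & R_OK)
		vflags |= M_VREAD;
	if (uflags & W_OK)
		vflags |= M_VWRITE;
	if (uflags & X_OK)
		vflags |= M_VEXEC;
	return vflags;
}

/* Pre-patch: any nonzero argument reaches VOP_ACCESS, even with no known bit. */
int
old_vop_flags(int uflags)
{
	return uflags ? translate(uflags) : SKIP_VOP;
}

/* Patched: bits outside R_OK|W_OK|X_OK are rejected before translation. */
int
patched_vop_flags(int uflags)
{
	if (uflags & ~(R_OK | W_OK | X_OK))
		return REJECT_EINVAL;
	return uflags ? translate(uflags) : SKIP_VOP;
}

int
main(void)
{
	int samples[] = { 0, R_OK, R_OK | W_OK, 8, 8 | R_OK };	/* constructed */

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("access(path, %d): old=%d patched=%d\n", samples[i],
		    old_vop_flags(samples[i]), patched_vop_flags(samples[i]));
	return 0;
}
```

A result of 0 from `old_vop_flags` is the zero flags value that the report traces through tmpfs_access to the kauth assertion; the `8 | R_OK` sample shows that the pre-patch logic also ignored unknown bits silently when a known bit was present.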
