From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 02:19:51 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E613316A417 for ; Mon, 18 Feb 2008 02:19:51 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id A63B613C45A for ; Mon, 18 Feb 2008 02:19:51 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id A36F546B7B; Sun, 17 Feb 2008 21:19:50 -0500 (EST) Date: Mon, 18 Feb 2008 02:19:50 +0000 (GMT) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Borja Marcos In-Reply-To: Message-ID: <20080218021649.L96329@fledge.watson.org> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org Subject: Re: MAC subsystem problem (FreeBSD 7) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 02:19:52 -0000 On Fri, 15 Feb 2008, Borja Marcos wrote: > I'm trying to set up a DNS server under FreeBSD using the mac_biba policy. I > use to run bind in low-integrity mode, so that neither it or any of its > descendants can modify configuration files, etc. > > With previous FreeBSD versions there was a handy sysctl setting, > "security.mac.enforce_socket" that allowed to bypass the MAC restrictions > for a socket. I think it's not a bad idea. After all machines can > communicate with untrusted nodes over a network. In my opinion, enforcing > the mac_biba restrictions so that a network communication with a local > process behaves _differently_ than a network communication with a different > node is a bad idea. > > Any reason why this setting has been eliminated? I think that the best > solution is to keep it and let the administrator decide. Borja, The interface was removed on the basis that it was a debugging setting, and in some cases can lead to the incorrect behavior of policies (for example, lomac, although not biba). The interface should actually be implemented within the policy so that policies still receive the entry points, but decide to ignore them for policy reasons, rather than preventing the entry points from being made to the policy. However, we can add them to individual policies, especially if they are useful. Could I ask you to file a PR for this issue, and forward me the PR receipt? I probably won't get to this for a week or two, but would be happy to investigate making the change to reintroduce object class controls of the same sort in biba (and the other policies). Just to be clear: the problem you're running into is that loopback network connections are controlled by biba, preventing certain loopback operations? Robert N M Watson Computer Laboratory University of Cambridge From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 04:36:46 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6C8BB16A421; Mon, 18 Feb 2008 04:36:46 +0000 (UTC) (envelope-from freebsd@electron-tube.net) Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by mx1.freebsd.org (Postfix) with ESMTP id 3367613C468; Mon, 18 Feb 2008 04:36:46 +0000 (UTC) (envelope-from freebsd@electron-tube.net) Received: from [10.0.0.100] (c-66-41-19-246.hsd1.mn.comcast.net [66.41.19.246]) by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis) id 0MKpCa-1JQxY10LmJ-0007KF; Sun, 17 Feb 2008 23:24:13 -0500 Message-ID: <47B90868.7000900@electron-tube.net> Date: Sun, 17 Feb 2008 22:24:08 -0600 From: Jim Bryant User-Agent: Thunderbird 1.5 (X11/20061230) MIME-Version: 1.0 To: freebsd-fs@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V01U2FsdGVkX18m4aZlpkrjVLAus8S+nj9gMeQSg5ef1kVfeL5 kBvaXrPkqcAljL7hUedzmZ1BOHwODKY8ldhtqzyKn8pRB4DeKh 4bKiIPYGZxwcwiK7ZMCUAgx2hLv+EHY Cc: freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 04:36:46 -0000 One line summary: Too many files in a top-level UFS-2 filesystem directory will cause a panic on mount. Kern/Critical/High Priority/SW-Bug Which FreeBSD Release You Are Using: 6.3-STABLE Environment (output of "uname -a" on the problem machine): FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb 10 21:13:39 CST 2008 jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 Note: I just cvsupped earlier, and no changes have been put into cvsup that would fix this problem. Full Description: I was doing a reorganization of my filesystems, and since I do offline installs, I keep a local distfiles collection (or did until yesterday when this happened), and in the process, put all of the distfiles on their own filesystem to be mounted under /usr/ports/distfiles. All was fine until I rebooted. On rebooting, I got a page fault panic on mount of the new distfiles filesystem. i booted again, got it again, booted again this time into single-user, and did a fsck on the filesystem, and it only showed as being "dirty", but otherwise had no problems in the eyes of fsck. booted again, instant panic. i booted an older 6.2 CD and mounted the filesystem fine. i then put that filesystem the way it was by mkdir'ing a distfiles dir and mv'ing everything into it, but on reboot it still paniced on mount. only a newfs was able to enable the filesystem to be mounted. today i did further research, thinking it had to do with the number of files in the top-level filesystem directory, and found that to be true. the short c program in the next section (how to repeat the problem) contains this. a second test shows that, after a newfs, if this done in any subdirectory of that filesystem, the panic is averted, and all is well. apparently this bug only effects top-level directories of a UFS2 filesystem. I have not attempted this to a non-UFS2 filesystem. IMHO, a security advisory should be released, since any user with write access to ANY top level directory of ANY mounted filesystem (most systems have /tmp as a world writable top level filesystem directory) can create a panic situation requiring a newfs of the said filesystem. A malicious user with root access can do this to /. Either way, on boot, or any attempt to mount said filesystem on a running system, will cause a panic, which of course will cause an unbootable system on reboot. How to repeat the problem: Compile and run the following as instructed: #include #include int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, 1024); for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", argv[1], i); system((const char *)buf);} return(0);} /* pass a top-level mountpoint directory name of a mounted filesystem, with a trailing slash to the above as argv[1], and run. This will create 10,000 zero-length files in the specified directory. umount that filesystem. perform a shitload of sync's to make sure everything outstanding is flushed to disk on all filesystems. mount the target filesystem (preferably from a vty or serial console to catch the messages when it panics, which it will as soon as the mount is attempted). */ Fix to the problem if known: newfs(8) From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 04:58:47 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 847FE16A419; Mon, 18 Feb 2008 04:58:47 +0000 (UTC) (envelope-from freebsd@electron-tube.net) Received: from mout.perfora.net (mout.perfora.net [74.208.4.196]) by mx1.freebsd.org (Postfix) with ESMTP id 4D54213C447; Mon, 18 Feb 2008 04:58:47 +0000 (UTC) (envelope-from freebsd@electron-tube.net) Received: from [10.0.0.100] (c-66-41-19-246.hsd1.mn.comcast.net [66.41.19.246]) by mrelay.perfora.net (node=mrus0) with ESMTP (Nemesis) id 0MKp8S-1JQy5R0Kry-0003kN; Sun, 17 Feb 2008 23:58:46 -0500 Message-ID: <47B91080.9010109@electron-tube.net> Date: Sun, 17 Feb 2008 22:58:40 -0600 From: Jim Bryant User-Agent: Thunderbird 1.5 (X11/20061230) MIME-Version: 1.0 To: Jim Bryant References: <47B90868.7000900@electron-tube.net> In-Reply-To: <47B90868.7000900@electron-tube.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V01U2FsdGVkX1+TSUngQSCLZj+rWqUub9RwbMJN1nqDMkMpISR 1WRDrxdOUfQ9zTCoTOTZMh1eiKT5A/hSaexTQe1EGjGhEOSK3r B28Pl8SI7AAWxjBu2uOxFvX6z4laLVr Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 04:58:47 -0000 FYI: The system assigned kern/120781 to this bug report. IMHO, a security advisory should be issued ASAP. Jim Bryant wrote: > One line summary: > Too many files in a top-level UFS-2 filesystem directory will cause > a panic on mount. > > Kern/Critical/High Priority/SW-Bug > > Which FreeBSD Release You Are Using: > 6.3-STABLE > > Environment (output of "uname -a" on the problem machine): > FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb > 10 21:13:39 CST 2008 > jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 > > Note: I just cvsupped earlier, and no changes have been put into > cvsup that would fix this problem. > > Full Description: > I was doing a reorganization of my filesystems, and since I do > offline installs, I keep a local distfiles collection (or did until > yesterday when this happened), and in the process, put all of the > distfiles on their own filesystem to be mounted under > /usr/ports/distfiles. > > All was fine until I rebooted. > > On rebooting, I got a page fault panic on mount of the new distfiles > filesystem. > > i booted again, got it again, booted again this time into single-user, > and did a fsck on the filesystem, and it only showed as being "dirty", > but otherwise had no problems in the eyes of fsck. booted again, > instant panic. > > i booted an older 6.2 CD and mounted the filesystem fine. i then put > that filesystem the way it was by mkdir'ing a distfiles dir and mv'ing > everything into it, but on reboot it still paniced on mount. > > only a newfs was able to enable the filesystem to be mounted. > > today i did further research, thinking it had to do with the number of > files in the top-level filesystem directory, and found that to be > true. the short c program in the next section (how to repeat the > problem) contains this. > > a second test shows that, after a newfs, if this done in any > subdirectory of that filesystem, the panic is averted, and all is > well. apparently this bug only effects top-level directories of a > UFS2 filesystem. > > I have not attempted this to a non-UFS2 filesystem. > > IMHO, a security advisory should be released, since any user with > write access to ANY top level directory of ANY mounted filesystem > (most systems have /tmp as a world writable top level filesystem > directory) can create a panic situation requiring a newfs of the said > filesystem. A malicious user with root access can do this to /. > Either way, on boot, or any attempt to mount said filesystem on a > running system, will cause a panic, which of course will cause an > unbootable system on reboot. > > How to repeat the problem: > Compile and run the following as instructed: > > #include > #include > > int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, > 1024); for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", > argv[1], i); system((const char *)buf);} return(0);} > > /* pass a top-level mountpoint directory name of a mounted filesystem, > with a trailing slash to the above as argv[1], and run. > > This will create 10,000 zero-length files in the specified directory. > > umount that filesystem. > > perform a shitload of sync's to make sure everything outstanding is > flushed to disk on all filesystems. > > mount the target filesystem (preferably from a vty or serial console > to catch the messages when it panics, which it will as soon as the > mount is attempted). > */ > > Fix to the problem if known: > newfs(8) > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 13:23:07 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6B30616A46C; Mon, 18 Feb 2008 13:23:07 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id 21B0E13C4D1; Mon, 18 Feb 2008 13:23:06 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (localhost [127.0.0.1]) by spam.des.no (Postfix) with ESMTP id 5BF4F2083; Mon, 18 Feb 2008 14:23:00 +0100 (CET) X-Spam-Tests: AWL X-Spam-Learn: disabled X-Spam-Score: -0.3/3.0 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on tim.des.no Received: from ds4.des.no (des.no [80.203.243.180]) by smtp.des.no (Postfix) with ESMTP id 46FD9207F; Mon, 18 Feb 2008 14:23:00 +0100 (CET) Received: by ds4.des.no (Postfix, from userid 1001) id 2A84F8449D; Mon, 18 Feb 2008 14:23:00 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Jim Bryant References: <47B90868.7000900@electron-tube.net> Date: Mon, 18 Feb 2008 14:23:00 +0100 In-Reply-To: <47B90868.7000900@electron-tube.net> (Jim Bryant's message of "Sun\, 17 Feb 2008 22\:24\:08 -0600") Message-ID: <86odae5rgr.fsf@ds4.des.no> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.1 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 13:23:07 -0000 Jim Bryant writes: > #include > #include > > int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, 1024)= ; for(i =3D 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", argv[1], i)= ; system((const char *)buf);} return(0);} Subject should be "how to take down a system [...] with three lines of badly written C, provided you have root privileges already and are too lazy to just dd if=3D/dev/zero of=3D/dev/ad0s1 count=3D100", which would accomplish the job much faster. Purely in the interest of showing off, here is my version. It is 81 bytes shorter than yours, it is valid C99 with POSIX extensions (yours is not), and it produces 11,450 files in about 0.2% of the time yours takes to produce 10,000. #include #define b(i,v) for(int v=3D48;v<127;++v){f[i]=3Dv; #define a(i) b(i,v##i) int main(void){char f[5]=3D{'/'};a(1)a(2)a(3)truncate(f,0);}}}} DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 13:41:06 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9267016A418 for ; Mon, 18 Feb 2008 13:41:06 +0000 (UTC) (envelope-from kurt.buff@gmail.com) Received: from ag-out-0708.google.com (ag-out-0708.google.com [72.14.246.244]) by mx1.freebsd.org (Postfix) with ESMTP id 501F913C455 for ; Mon, 18 Feb 2008 13:41:06 +0000 (UTC) (envelope-from kurt.buff@gmail.com) Received: by ag-out-0708.google.com with SMTP id 5so2473871agb.7 for ; Mon, 18 Feb 2008 05:41:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=vq0l9z0xMsw4JpD6hWHmXb0iheAhmfajBGVA7nobMCk=; b=lgoHdV8xuG3Pk6wCyUOgAl7p80M3ORTq0MVs5nh9eJA3Naq8xE8P97UYQ5I52EwhcDykO5Q27gxOOE9A7Uhvfs+XrE1qK1UDs2c/8iWVkXpLvT20pp+fJHZEdZN618DSKUBOg4idF6fx32Zhtg9cG1TxIStgteykuruxSNCU/xc= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=kFxUD/W+qYjD81YNTsovhIihqaMZv14XDq+2mbEOhXyGfNOZBQ9LZb7NaUMYeJvbcI40zqqqK/MhQWnVj2FAiGs6jeEzI7MtSA0jLmTp682GLnnMlJ00rx6ql9r8e24FAqlcpnkDmp3JNZ4TMZ8QrWakjDVEm1t19eu9JARwe7I= Received: by 10.142.216.9 with SMTP id o9mr4282453wfg.173.1203341221352; Mon, 18 Feb 2008 05:27:01 -0800 (PST) Received: by 10.142.87.9 with HTTP; Mon, 18 Feb 2008 05:27:01 -0800 (PST) Message-ID: Date: Mon, 18 Feb 2008 13:27:01 +0000 From: "Kurt Buff" To: "=?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?=" In-Reply-To: <86odae5rgr.fsf@ds4.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <47B90868.7000900@electron-tube.net> <86odae5rgr.fsf@ds4.des.no> Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, Jim Bryant , freebsd-stable@freebsd.org, FreeBSD-bugs@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 13:41:06 -0000 Patient: Doctor, it hurts when I do this! Doctor: Don't do that... On Feb 18, 2008 1:23 PM, Dag-Erling Sm=F8rgrav wrote: > Jim Bryant writes: > > #include > > #include > > > > int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, 102= 4); for(i =3D 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", argv[1], = i); system((const char *)buf);} return(0);} > > Subject should be "how to take down a system [...] with three lines of > badly written C, provided you have root privileges already and are too > lazy to just dd if=3D/dev/zero of=3D/dev/ad0s1 count=3D100", which would > accomplish the job much faster. > > Purely in the interest of showing off, here is my version. It is 81 > bytes shorter than yours, it is valid C99 with POSIX extensions (yours > is not), and it produces 11,450 files in about 0.2% of the time yours > takes to produce 10,000. > > #include > #define b(i,v) for(int v=3D48;v<127;++v){f[i]=3Dv; > #define a(i) b(i,v##i) > int main(void){char f[5]=3D{'/'};a(1)a(2)a(3)truncate(f,0);}}}} > > DES > -- > Dag-Erling Sm=F8rgrav - des@des.no > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g" > From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 13:54:06 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E9ED916A418; Mon, 18 Feb 2008 13:54:06 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.freebsd.org (Postfix) with ESMTP id A49D413C45E; Mon, 18 Feb 2008 13:54:06 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (localhost [127.0.0.1]) by spam.des.no (Postfix) with ESMTP id 59B252090; Mon, 18 Feb 2008 14:53:59 +0100 (CET) X-Spam-Tests: AWL X-Spam-Learn: disabled X-Spam-Score: -0.3/3.0 X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on tim.des.no Received: from ds4.des.no (des.no [80.203.243.180]) by smtp.des.no (Postfix) with ESMTP id 438A52087; Mon, 18 Feb 2008 14:53:59 +0100 (CET) Received: by ds4.des.no (Postfix, from userid 1001) id 1A0068449D; Mon, 18 Feb 2008 14:53:59 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Jim Bryant References: <47B90868.7000900@electron-tube.net> <86odae5rgr.fsf@ds4.des.no> Date: Mon, 18 Feb 2008 14:53:59 +0100 In-Reply-To: <86odae5rgr.fsf@ds4.des.no> ("Dag-Erling =?utf-8?Q?Sm=C3=B8rg?= =?utf-8?Q?rav=22's?= message of "Mon\, 18 Feb 2008 14\:23\:00 +0100") Message-ID: <863arq5q14.fsf@ds4.des.no> User-Agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.1 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 13:54:07 -0000 Dag-Erling Sm=C3=B8rgrav writes: > Purely in the interest of showing off, here is my version. It is 81 > bytes shorter than yours, it is valid C99 with POSIX extensions (yours > is not), and it produces 11,450 files in about 0.2% of the time yours > takes to produce 10,000. > > #include > #define b(i,v) for(int v=3D48;v<127;++v){f[i]=3Dv; > #define a(i) b(i,v##i) > int main(void){char f[5]=3D{'/'};a(1)a(2)a(3)truncate(f,0);}}}} Two bugs: 1) I forgot to include the correct version of the code 2) the version I had created a few files with '/' in their names; this slightly nastier creates 10,648 files with only letters. #include #define b(i,v)for(int v=3D65;v<87;){i[f]=3Dv++; #define a(i)b(i,v##i) int main(void){char f[4]=3D{47};a(1)a(2)a(3)truncate(f,0);}}}} DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 14:14:15 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 14D5A16A46C for ; Mon, 18 Feb 2008 14:14:15 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) by mx1.freebsd.org (Postfix) with ESMTP id C166D13C45E for ; Mon, 18 Feb 2008 14:14:09 +0000 (UTC) (envelope-from marka@isc.org) Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.2/8.14.1) with ESMTP id m1IEE8bd075081; Tue, 19 Feb 2008 01:14:08 +1100 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> To: "Kurt Buff" From: Mark Andrews In-reply-to: Your message of "Mon, 18 Feb 2008 13:27:01 -0000." Date: Tue, 19 Feb 2008 01:14:08 +1100 Sender: marka@isc.org Cc: FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org, freebsd-fs@freebsd.org, freebsd-security@freebsd.org, Jim Bryant , =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 14:14:15 -0000 > Patient: Doctor, it hurts when I do this! > > Doctor: Don't do that... Did you actually bother to read his report? While his example is used "/", if the report is correct then you just need to replace "/" with the path of any file system mount point that is world writable like say "/tmp". Do you have /tmp mounted like this? /dev/ad0s4e 507630 162050 304970 35% /tmp Have you tried using "/tmp" or some other suitable mount point before slinging off with the old Doctor joke? Even if it is only "/", having the system die and not be recoverable due to having a excessive number of files in "/" is a critical error. I'm sure you have *never* accidently copied a set of files to "/" in your life. Me, I know I've made that sort of mistake in the past, and as I'm not perfect, I'm sure I'll make that sort of mistake at some point in the future. I would however like the machine not to fallover when I do make that mistake. Now why don't you be constructive and verify whether the report is valid or not. I don't have a spare machine to test it on so I'm not going to attempt it. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 14:25:51 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9647C16A418; Mon, 18 Feb 2008 14:25:51 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id EB16813C467; Mon, 18 Feb 2008 14:25:49 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id F094046B62; Mon, 18 Feb 2008 09:25:48 -0500 (EST) Date: Mon, 18 Feb 2008 14:25:48 +0000 (GMT) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Jim Bryant In-Reply-To: <47B91080.9010109@electron-tube.net> Message-ID: <20080218142004.O49202@fledge.watson.org> References: <47B90868.7000900@electron-tube.net> <47B91080.9010109@electron-tube.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 14:25:51 -0000 On Sun, 17 Feb 2008, Jim Bryant wrote: > FYI: The system assigned kern/120781 to this bug report. > > IMHO, a security advisory should be issued ASAP. Thanks for the report, I'm sure your widely distributed e-mail will get someone looking at it quickly. In the future if you run into an issue you think might require a security advisory, consider e-mailing it privately to secteam@FreeBSD.org so that the release of patches can cooincide with publication of the problem. That said, this is probably more a candidate for an errata patch rather than a security advisory -- security advisories are normally limited to local/remote privilege escalation or serious remote denial of service. Local denial of service problems occur in all operating systems I'm aware of with such frequency that the world would be continuously innundated with advisories to the point of rendering advisories useless if we did them every time someone discovered a way users could crash the system. You need only watch the change logs of the various open source kernels for the words "fix panic", "don't dereference NULL pointer", "don't leak a lock...", etc, to get a sense of the quantity of locally exercisable system bugs, many of which can lead to reboots, hangs, or data loss, to see why. Hopefully this bug will get resolved shortly, and then we can evaluate if an errata notice is necessary. Robert N M Watson Computer Laboratory University of Cambridge > > Jim Bryant wrote: >> One line summary: >> Too many files in a top-level UFS-2 filesystem directory will cause a >> panic on mount. >> >> Kern/Critical/High Priority/SW-Bug >> >> Which FreeBSD Release You Are Using: >> 6.3-STABLE >> >> Environment (output of "uname -a" on the problem machine): >> FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb 10 >> 21:13:39 CST 2008 >> jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 >> >> Note: I just cvsupped earlier, and no changes have been put into cvsup >> that would fix this problem. >> >> Full Description: >> I was doing a reorganization of my filesystems, and since I do offline >> installs, I keep a local distfiles collection (or did until yesterday when >> this happened), and in the process, put all of the distfiles on their own >> filesystem to be mounted under /usr/ports/distfiles. >> >> All was fine until I rebooted. >> >> On rebooting, I got a page fault panic on mount of the new distfiles >> filesystem. >> >> i booted again, got it again, booted again this time into single-user, and >> did a fsck on the filesystem, and it only showed as being "dirty", but >> otherwise had no problems in the eyes of fsck. booted again, instant >> panic. >> >> i booted an older 6.2 CD and mounted the filesystem fine. i then put that >> filesystem the way it was by mkdir'ing a distfiles dir and mv'ing >> everything into it, but on reboot it still paniced on mount. >> >> only a newfs was able to enable the filesystem to be mounted. >> >> today i did further research, thinking it had to do with the number of >> files in the top-level filesystem directory, and found that to be true. >> the short c program in the next section (how to repeat the problem) >> contains this. >> >> a second test shows that, after a newfs, if this done in any subdirectory >> of that filesystem, the panic is averted, and all is well. apparently this >> bug only effects top-level directories of a UFS2 filesystem. >> >> I have not attempted this to a non-UFS2 filesystem. >> >> IMHO, a security advisory should be released, since any user with write >> access to ANY top level directory of ANY mounted filesystem (most systems >> have /tmp as a world writable top level filesystem directory) can create a >> panic situation requiring a newfs of the said filesystem. A malicious user >> with root access can do this to /. Either way, on boot, or any attempt to >> mount said filesystem on a running system, will cause a panic, which of >> course will cause an unbootable system on reboot. >> >> How to repeat the problem: >> Compile and run the following as instructed: >> >> #include >> #include >> >> int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, 1024); >> for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", argv[1], i); >> system((const char *)buf);} return(0);} >> >> /* pass a top-level mountpoint directory name of a mounted filesystem, with >> a trailing slash to the above as argv[1], and run. >> >> This will create 10,000 zero-length files in the specified directory. >> >> umount that filesystem. >> >> perform a shitload of sync's to make sure everything outstanding is flushed >> to disk on all filesystems. >> >> mount the target filesystem (preferably from a vty or serial console to >> catch the messages when it panics, which it will as soon as the mount is >> attempted). >> */ >> >> Fix to the problem if known: >> newfs(8) >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >> > > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 14:47:28 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C03F516A418 for ; Mon, 18 Feb 2008 14:47:28 +0000 (UTC) (envelope-from ady@ady.ro) Received: from ag-out-0708.google.com (ag-out-0708.google.com [72.14.246.242]) by mx1.freebsd.org (Postfix) with ESMTP id 863AE13C45A for ; Mon, 18 Feb 2008 14:47:28 +0000 (UTC) (envelope-from ady@ady.ro) Received: by ag-out-0708.google.com with SMTP id 5so2548706agb.7 for ; Mon, 18 Feb 2008 06:47:28 -0800 (PST) Received: by 10.142.72.21 with SMTP id u21mr4365062wfa.82.1203345155884; Mon, 18 Feb 2008 06:32:35 -0800 (PST) Received: by 10.142.109.6 with HTTP; Mon, 18 Feb 2008 06:32:35 -0800 (PST) Message-ID: <78cb3d3f0802180632u1d38ec67i432052d9c77dd706@mail.gmail.com> Date: Mon, 18 Feb 2008 16:32:35 +0200 From: "Adrian Penisoara" Sender: ady@ady.ro To: freebsd-stable@freebsd.org, freebsd-fs@freebsd.org, freebsd-security@freebsd.org In-Reply-To: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> MIME-Version: 1.0 References: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> X-Google-Sender-Auth: 624f5be56ab92cd1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 14:47:28 -0000 Hi, I would agree with Mark and Jim, this is a serious issue for enterprise servers. Yet another example where I would have wanted to see a more supportive response from the FreeBSD project members, like Robert Watson just did. This would benefit keeping a good relation with the business users. Thanks, Adrian Penisoara ROFUG / EnterpriseBSD On Feb 18, 2008 4:14 PM, Mark Andrews wrote: > > > Patient: Doctor, it hurts when I do this! > > > > Doctor: Don't do that... > > Did you actually bother to read his report? > > While his example is used "/", if the report is correct then you > just need to replace "/" with the path of any file system mount > point that is world writable like say "/tmp". > > Do you have /tmp mounted like this? > /dev/ad0s4e 507630 162050 304970 35% /tmp > > Have you tried using "/tmp" or some other suitable mount point > before slinging off with the old Doctor joke? > > Even if it is only "/", having the system die and not be recoverable > due to having a excessive number of files in "/" is a critical > error. I'm sure you have *never* accidently copied a set of files > to "/" in your life. Me, I know I've made that sort of mistake in > the past, and as I'm not perfect, I'm sure I'll make that sort of > mistake at some point in the future. I would however like the > machine not to fallover when I do make that mistake. > > Now why don't you be constructive and verify whether the report is > valid or not. I don't have a spare machine to test it on so I'm > not going to attempt it. > > Mark > > -- > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " > From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 14:13:57 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AAA9516A49E for ; Mon, 18 Feb 2008 14:13:57 +0000 (UTC) (envelope-from speedtoys.racing@gmail.com) Received: from qb-out-0506.google.com (qb-out-0506.google.com [72.14.204.227]) by mx1.freebsd.org (Postfix) with ESMTP id 513E313C4D5 for ; Mon, 18 Feb 2008 14:13:56 +0000 (UTC) (envelope-from speedtoys.racing@gmail.com) Received: by qb-out-0506.google.com with SMTP id a10so1634968qbd.7 for ; Mon, 18 Feb 2008 06:13:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:references:message-id:from:to:in-reply-to:content-type:x-mailer:mime-version:subject:content-transfer-encoding:date:cc; bh=9bLxeBN1YR5P3J2TSpLos4itvksm2Ux1AanE2niW2bg=; b=ZOyEdss95X3i8MhsBN78Bfix8JDkL7TFMi4gMJYZ9EUIZPkyEujwimahKNvfu/IqNOGN38fjogkwzGfq4ywdYDY+5ieboOoWspZCZgkd4yhDEKMEqn8uAfIAIkPBGw/xp91bDgLf4mcd+dThBCKcxBmeiUjytb45XtIO5EnwCgQ= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=references:message-id:from:to:in-reply-to:content-type:x-mailer:mime-version:subject:content-transfer-encoding:date:cc; b=K8WTuo+gYNAU8BscKx9WUJ+sYcbKzVrxD9L63QBa+ggoz5AZwSDBAoRJnt5kcjoqK1gwLS8RG0+1Dc3JWgBSId99lhXsVcrKKB1Tn4I9SrI4c70JG3jGYX7THSqyBt1KufWhilFPjRl9dlaefKk8JM6FiKRPfsv+v8FPT5B5/ms= Received: by 10.110.68.10 with SMTP id q10mr3339856tia.28.1203343083226; Mon, 18 Feb 2008 05:58:03 -0800 (PST) Received: from ?10.6.146.10? ( [166.193.195.177]) by mx.google.com with ESMTPS id h18sm10024404wxd.18.2008.02.18.05.57.55 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 18 Feb 2008 05:58:01 -0800 (PST) References: <47B90868.7000900@electron-tube.net> <86odae5rgr.fsf@ds4.des.no> Message-Id: From: Speedtoys To: Kurt Buff In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes X-Mailer: iPhone Mail (4A93) Mime-Version: 1.0 (iPhone Mail 4A93) Content-Transfer-Encoding: quoted-printable Date: Mon, 18 Feb 2008 08:57:46 -0500 X-Mailman-Approved-At: Mon, 18 Feb 2008 15:06:44 +0000 Cc: "freebsd-fs@freebsd.org" , =?UTF-8?Q?Dag-Erling_Sm=C3=B8rgrav?= , "FreeBSD-bugs@freebsd.org" , "freebsd-stable@freebsd.org" , "freebsd-security@freebsd.org" Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 14:13:57 -0000 Time for the idiot(proof) function call. Got brakes? =3D=3D=3D=3D=3D=3D 25hrs or one season with one pad set is possible. Save money and pit =20= time, compromise nothing. Ask how. TXT or Tone: 8414546712@txt.att.net http://www.speedtoys.com On Feb 18, 2008, at 8:27 AM, "Kurt Buff" wrote: > Patient: Doctor, it hurts when I do this! > > Doctor: Don't do that... > > On Feb 18, 2008 1:23 PM, Dag-Erling Sm=C3=B8rgrav wrote: >> Jim Bryant writes: >>> #include >>> #include >>> >>> int main(int argc, char **argv) { int i; char buf[1024]; bzero=20 >>> (buf, 1024); for(i =3D 0; i < 10000; i++) { sprintf(buf, "touch %s%=20= >>> 05d\n", argv[1], i); system((const char *)buf);} return(0);} >> >> Subject should be "how to take down a system [...] with three lines =20= >> of >> badly written C, provided you have root privileges already and are =20= >> too >> lazy to just dd if=3D/dev/zero of=3D/dev/ad0s1 count=3D100", which = would >> accomplish the job much faster. >> >> Purely in the interest of showing off, here is my version. It is 81 >> bytes shorter than yours, it is valid C99 with POSIX extensions =20 >> (yours >> is not), and it produces 11,450 files in about 0.2% of the time yours >> takes to produce 10,000. >> >> #include >> #define b(i,v) for(int v=3D48;v<127;++v){f[i]=3Dv; >> #define a(i) b(i,v##i) >> int main(void){char f[5]=3D{'/'};a(1)a(2)a(3)truncate(f,0);}}}} >> >> DES >> -- >> Dag-Erling Sm=C3=B8rgrav - des@des.no >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org=20 >> " >> > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to = "freebsd-security-unsubscribe@freebsd.org=20 > " > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 14:32:14 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 54DAA16A41A; Mon, 18 Feb 2008 14:32:14 +0000 (UTC) (envelope-from scottl@samsco.org) Received: from pooker.samsco.org (pooker.samsco.org [168.103.85.57]) by mx1.freebsd.org (Postfix) with ESMTP id 0407C13C4F7; Mon, 18 Feb 2008 14:32:13 +0000 (UTC) (envelope-from scottl@samsco.org) Received: from scoo-longs-computer.local (74-92-209-69-Colorado.hfc.comcastbusiness.net [74.92.209.69] (may be forged)) (authenticated bits=0) by pooker.samsco.org (8.13.8/8.13.8) with ESMTP id m1IE9FaX012939; Mon, 18 Feb 2008 07:09:21 -0700 (MST) (envelope-from scottl@samsco.org) Message-ID: <47B9918B.6010301@samsco.org> Date: Mon, 18 Feb 2008 07:09:15 -0700 From: Scott Long User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.11) Gecko/20071128 SeaMonkey/1.1.7 MIME-Version: 1.0 To: =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= References: <47B90868.7000900@electron-tube.net> <86odae5rgr.fsf@ds4.des.no> <863arq5q14.fsf@ds4.des.no> In-Reply-To: <863arq5q14.fsf@ds4.des.no> X-Enigmail-Version: 0.95.6 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=0.0 required=5.4 tests=none autolearn=failed version=3.1.8 X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on pooker.samsco.org X-Mailman-Approved-At: Mon, 18 Feb 2008 15:06:52 +0000 Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, Jim Bryant , freebsd-stable@freebsd.org, FreeBSD-bugs@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 14:32:14 -0000 Dag-Erling Smrgrav wrote: > Dag-Erling Smrgrav writes: >> Purely in the interest of showing off, here is my version. It is 81 >> bytes shorter than yours, it is valid C99 with POSIX extensions (yours >> is not), and it produces 11,450 files in about 0.2% of the time yours >> takes to produce 10,000. >> >> #include >> #define b(i,v) for(int v=48;v<127;++v){f[i]=v; >> #define a(i) b(i,v##i) >> int main(void){char f[5]={'/'};a(1)a(2)a(3)truncate(f,0);}}}} > > Two bugs: > > 1) I forgot to include the correct version of the code > > 2) the version I had created a few files with '/' in their names; this > slightly nastier creates 10,648 files with only letters. > > #include > #define b(i,v)for(int v=65;v<87;){i[f]=v++; > #define a(i)b(i,v##i) > int main(void){char f[4]={47};a(1)a(2)a(3)truncate(f,0);}}}} > > DES This version also omits the constructive comments on the actual problem that the original poster identified. Scott From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 14:35:36 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E7D7316A417; Mon, 18 Feb 2008 14:35:36 +0000 (UTC) (envelope-from eugen@www.svzserv.kemerovo.su) Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id 99F3213C45B; Mon, 18 Feb 2008 14:35:35 +0000 (UTC) (envelope-from eugen@www.svzserv.kemerovo.su) Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id m1IDxmF0062860; Mon, 18 Feb 2008 20:59:48 +0700 (KRAT) (envelope-from eugen@www.svzserv.kemerovo.su) Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id m1IDxmFb062859; Mon, 18 Feb 2008 20:59:48 +0700 (KRAT) (envelope-from eugen) Date: Mon, 18 Feb 2008 20:59:48 +0700 From: Eugene Grosbein To: des@des.no Message-ID: <20080218135948.GB62360@svzserv.kemerovo.su> References: <47B90868.7000900@electron-tube.net> <86odae5rgr.fsf@ds4.des.no> <863arq5q14.fsf@ds4.des.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <863arq5q14.fsf@ds4.des.no> User-Agent: Mutt/1.4.2.3i X-Mailman-Approved-At: Mon, 18 Feb 2008 15:07:16 +0000 Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, Jim Bryant , freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 14:35:37 -0000 On Mon, Feb 18, 2008 at 02:53:59PM +0100, Dag-Erling Sm??rgrav wrote: > Two bugs: [skip] That's all very funny, but what about a panic? It it true that it's possible for non-root to bring a file system to not-mountable state? Eugene Grosbein From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 15:29:02 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5BC1B16A420 for ; Mon, 18 Feb 2008 15:29:02 +0000 (UTC) (envelope-from phisher1@gmail.com) Received: from qb-out-0506.google.com (qb-out-0506.google.com [72.14.204.239]) by mx1.freebsd.org (Postfix) with ESMTP id F0CB513C448 for ; Mon, 18 Feb 2008 15:29:01 +0000 (UTC) (envelope-from phisher1@gmail.com) Received: by qb-out-0506.google.com with SMTP id a10so1687349qbd.7 for ; Mon, 18 Feb 2008 07:29:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; bh=C1CPtFis2TVigXkW1JLW7KwnehKe6ffMD4EnW37XqqU=; b=DTj0KFzOweXJ8dyFSpL0mTA1swb4dBdUR+Zq7Xe4TPAq10bNEgfCKGZR+dkMkPK5GBSPuSZFX/vvteyaZmGBYAws5kiYwMuQRW/G6HOOtPVS/qZILjjIY9bVKdLQwPTX4sbJf07y8R33N2x47VFN3Yz0TtvaabEdyaqKyWGqLMk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=i0GtlivR/YwwY3zY4XVY43RfbVZG++mLScK1pNeT5NQCTnv/Cjd8/3gRkDEDJ2mkySrp/jE5zsmNHE5DPTE96RcEnxbxnOX7ese9xQZNpW+eiKEQLiEBauHNS7dtVZaqFqG6/0gTrHJOna0mte0c3vFGW/EPa50tENj8y0BXhSw= Received: by 10.114.37.1 with SMTP id k1mr2931815wak.6.1203347670178; Mon, 18 Feb 2008 07:14:30 -0800 (PST) Received: by 10.114.109.15 with HTTP; Mon, 18 Feb 2008 07:14:30 -0800 (PST) Message-ID: <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> Date: Mon, 18 Feb 2008 09:14:30 -0600 From: "Daniel Corrigan" To: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org In-Reply-To: <47B90868.7000900@electron-tube.net> MIME-Version: 1.0 References: <47B90868.7000900@electron-tube.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 15:29:02 -0000 Since this was released to a public mailing list, I can only assume some less than nice user will attempt this. The only top level file system I have that can be written to by normal users is /tmp Should clear_tmp_enable="YES" in /etc/rc.conf prevent this from causing harm? Dan On Feb 17, 2008 10:24 PM, Jim Bryant wrote: > One line summary: > Too many files in a top-level UFS-2 filesystem directory will cause > a panic on mount. > > Kern/Critical/High Priority/SW-Bug > > Which FreeBSD Release You Are Using: > 6.3-STABLE > > Environment (output of "uname -a" on the problem machine): > FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb > 10 21:13:39 CST 2008 > jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 > > Note: I just cvsupped earlier, and no changes have been put into > cvsup that would fix this problem. > > Full Description: > I was doing a reorganization of my filesystems, and since I do > offline installs, I keep a local distfiles collection (or did until > yesterday when this happened), and in the process, put all of the > distfiles on their own filesystem to be mounted under > /usr/ports/distfiles. > > All was fine until I rebooted. > > On rebooting, I got a page fault panic on mount of the new distfiles > filesystem. > > i booted again, got it again, booted again this time into single-user, > and did a fsck on the filesystem, and it only showed as being "dirty", > but otherwise had no problems in the eyes of fsck. booted again, > instant panic. > > i booted an older 6.2 CD and mounted the filesystem fine. i then put > that filesystem the way it was by mkdir'ing a distfiles dir and mv'ing > everything into it, but on reboot it still paniced on mount. > > only a newfs was able to enable the filesystem to be mounted. > > today i did further research, thinking it had to do with the number of > files in the top-level filesystem directory, and found that to be true. > the short c program in the next section (how to repeat the problem) > contains this. > > a second test shows that, after a newfs, if this done in any > subdirectory of that filesystem, the panic is averted, and all is well. > apparently this bug only effects top-level directories of a UFS2 > filesystem. > > I have not attempted this to a non-UFS2 filesystem. > > IMHO, a security advisory should be released, since any user with write > access to ANY top level directory of ANY mounted filesystem (most > systems have /tmp as a world writable top level filesystem directory) > can create a panic situation requiring a newfs of the said filesystem. > A malicious user with root access can do this to /. Either way, on > boot, or any attempt to mount said filesystem on a running system, will > cause a panic, which of course will cause an unbootable system on reboot. > > How to repeat the problem: > Compile and run the following as instructed: > > #include > #include > > int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, > 1024); for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", > argv[1], i); system((const char *)buf);} return(0);} > > /* pass a top-level mountpoint directory name of a mounted filesystem, > with a trailing slash to the above as argv[1], and run. > > This will create 10,000 zero-length files in the specified directory. > > umount that filesystem. > > perform a shitload of sync's to make sure everything outstanding is > flushed to disk on all filesystems. > > mount the target filesystem (preferably from a vty or serial console to > catch the messages when it panics, which it will as soon as the mount is > attempted). > */ > > Fix to the problem if known: > newfs(8) > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " > From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 15:21:18 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B775C16A4AB for ; Mon, 18 Feb 2008 15:21:18 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: from syn.atarininja.org (syn.csh.rit.edu [129.21.60.158]) by mx1.freebsd.org (Postfix) with ESMTP id 985FE13C4DB for ; Mon, 18 Feb 2008 15:21:18 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: by syn.atarininja.org (Postfix, from userid 1001) id E70665C5B; Mon, 18 Feb 2008 10:07:48 -0500 (EST) Date: Mon, 18 Feb 2008 10:07:48 -0500 From: Wesley Shields To: Mark Andrews Message-ID: <20080218150748.GD90004@atarininja.org> References: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> User-Agent: Mutt/1.5.17 (2007-11-01) X-Mailman-Approved-At: Mon, 18 Feb 2008 15:33:06 +0000 Cc: Dag-Erling Sm?rgrav , Jim Bryant , Kurt Buff , freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 15:21:18 -0000 On Tue, Feb 19, 2008 at 01:14:08AM +1100, Mark Andrews wrote: > > > Patient: Doctor, it hurts when I do this! > > > > Doctor: Don't do that... > > Did you actually bother to read his report? > > While his example is used "/", if the report is correct then you > just need to replace "/" with the path of any file system mount > point that is world writable like say "/tmp". > > Do you have /tmp mounted like this? > /dev/ad0s4e 507630 162050 304970 35% /tmp > > Have you tried using "/tmp" or some other suitable mount point > before slinging off with the old Doctor joke? > > Even if it is only "/", having the system die and not be recoverable > due to having a excessive number of files in "/" is a critical > error. I'm sure you have *never* accidently copied a set of files > to "/" in your life. Me, I know I've made that sort of mistake in > the past, and as I'm not perfect, I'm sure I'll make that sort of > mistake at some point in the future. I would however like the > machine not to fallover when I do make that mistake. > > Now why don't you be constructive and verify whether the report is > valid or not. I don't have a spare machine to test it on so I'm > not going to attempt it. I tried this using /tmp/ as argv[1] and it didn't crash a 6.2 machine or a -current from a few weeks ago. Maybe the number of files has to be increased? I bumped it up to 100000 and tried on a 6.2 machine, but I ran out of inodes before I could induce a crash. :) Maybe I'm doing something wrong? -- WXS From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 16:29:03 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3035016A46B for ; Mon, 18 Feb 2008 16:29:03 +0000 (UTC) (envelope-from admin@su29.net) Received: from aliska.alo.ru (aliska.alo.ru [80.251.131.12]) by mx1.freebsd.org (Postfix) with ESMTP id A8A8313C4CE for ; Mon, 18 Feb 2008 16:29:02 +0000 (UTC) (envelope-from admin@su29.net) Received: from aliska (aliska.alo.ru [80.251.131.12]) by aliska.alo.ru (Postfix) with SMTP id 7EDA824CC86 for ; Mon, 18 Feb 2008 18:56:56 +0300 (MSK) Received: from ws.su29.net (ppp85-141-155-76.pppoe.mtu-net.ru [85.141.155.76]) by aliska.alo.ru (Postfix) with ESMTP id A181124CC11; Mon, 18 Feb 2008 18:56:54 +0300 (MSK) Message-ID: <47B9AAB3.4090407@su29.net> Date: Mon, 18 Feb 2008 18:56:35 +0300 From: "Alexander V. Chernikov" Organization: AlmazTelecom User-Agent: Thunderbird 2.0.0.9 (X11/20080210) MIME-Version: 1.0 To: Daniel Corrigan References: <47B90868.7000900@electron-tube.net> <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> In-Reply-To: <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Mon, 18 Feb 2008 17:10:07 +0000 Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: admin@su29.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 16:29:03 -0000 Daniel Corrigan wrote: > Since this was released to a public mailing list, I can only assume some > less than nice user will attempt this. > The only top level file system I have that can be written to by normal users > is /tmp > > Should clear_tmp_enable="YES" in /etc/rc.conf prevent this from causing > harm? /etc/rc.d/cleartmp does /tmp clearing only at startup, after file systems are mounted. > > Dan > > On Feb 17, 2008 10:24 PM, Jim Bryant wrote: > >> One line summary: >> Too many files in a top-level UFS-2 filesystem directory will cause >> a panic on mount. >> >> Kern/Critical/High Priority/SW-Bug >> >> Which FreeBSD Release You Are Using: >> 6.3-STABLE >> >> Environment (output of "uname -a" on the problem machine): >> FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb >> 10 21:13:39 CST 2008 >> jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 >> >> Note: I just cvsupped earlier, and no changes have been put into >> cvsup that would fix this problem. >> >> Full Description: >> I was doing a reorganization of my filesystems, and since I do >> offline installs, I keep a local distfiles collection (or did until >> yesterday when this happened), and in the process, put all of the >> distfiles on their own filesystem to be mounted under >> /usr/ports/distfiles. >> >> All was fine until I rebooted. >> >> On rebooting, I got a page fault panic on mount of the new distfiles >> filesystem. >> >> i booted again, got it again, booted again this time into single-user, >> and did a fsck on the filesystem, and it only showed as being "dirty", >> but otherwise had no problems in the eyes of fsck. booted again, >> instant panic. >> >> i booted an older 6.2 CD and mounted the filesystem fine. i then put >> that filesystem the way it was by mkdir'ing a distfiles dir and mv'ing >> everything into it, but on reboot it still paniced on mount. >> >> only a newfs was able to enable the filesystem to be mounted. >> >> today i did further research, thinking it had to do with the number of >> files in the top-level filesystem directory, and found that to be true. >> the short c program in the next section (how to repeat the problem) >> contains this. >> >> a second test shows that, after a newfs, if this done in any >> subdirectory of that filesystem, the panic is averted, and all is well. >> apparently this bug only effects top-level directories of a UFS2 >> filesystem. >> >> I have not attempted this to a non-UFS2 filesystem. >> >> IMHO, a security advisory should be released, since any user with write >> access to ANY top level directory of ANY mounted filesystem (most >> systems have /tmp as a world writable top level filesystem directory) >> can create a panic situation requiring a newfs of the said filesystem. >> A malicious user with root access can do this to /. Either way, on >> boot, or any attempt to mount said filesystem on a running system, will >> cause a panic, which of course will cause an unbootable system on reboot. >> >> How to repeat the problem: >> Compile and run the following as instructed: >> >> #include >> #include >> >> int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, >> 1024); for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", >> argv[1], i); system((const char *)buf);} return(0);} >> >> /* pass a top-level mountpoint directory name of a mounted filesystem, >> with a trailing slash to the above as argv[1], and run. >> >> This will create 10,000 zero-length files in the specified directory. >> >> umount that filesystem. >> >> perform a shitload of sync's to make sure everything outstanding is >> flushed to disk on all filesystems. >> >> mount the target filesystem (preferably from a vty or serial console to >> catch the messages when it panics, which it will as soon as the mount is >> attempted). >> */ >> >> Fix to the problem if known: >> newfs(8) >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org >> " >> > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org" > > From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 17:21:24 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DCCA316A421; Mon, 18 Feb 2008 17:21:24 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id B462913C4D3; Mon, 18 Feb 2008 17:21:24 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 2541D46B45; Mon, 18 Feb 2008 12:21:24 -0500 (EST) Date: Mon, 18 Feb 2008 17:21:24 +0000 (GMT) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Jim Bryant In-Reply-To: <20080218142004.O49202@fledge.watson.org> Message-ID: <20080218171841.O49202@fledge.watson.org> References: <47B90868.7000900@electron-tube.net> <47B91080.9010109@electron-tube.net> <20080218142004.O49202@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 17:21:25 -0000 On Mon, 18 Feb 2008, Robert Watson wrote: > Hopefully this bug will get resolved shortly, and then we can evaluate if an > errata notice is necessary. FYI, I have been unable, thus far, to reproduce it with 150,000 entries in the root of a test file system on an 8.x kernel. I'm not set up to test 6.x and 7.x currently, and have other obligations tht will prevent me from setting up 6.x and 7.x test images for a few days. If people who can reproduce this problem could send kernel stack traces (etc) as a follow-up to the PR, that would be most helpful. Right now it's sparse on actual debugging data. Robert N M Watson Computer Laboratory University of Cambridge From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 17:27:35 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 21DC816A468; Mon, 18 Feb 2008 17:27:35 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id CB98F13C46A; Mon, 18 Feb 2008 17:27:34 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 7326646B66; Mon, 18 Feb 2008 12:27:34 -0500 (EST) Date: Mon, 18 Feb 2008 17:27:34 +0000 (GMT) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Daniel Corrigan In-Reply-To: <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> Message-ID: <20080218172503.G49202@fledge.watson.org> References: <47B90868.7000900@electron-tube.net> <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 17:27:35 -0000 On Mon, 18 Feb 2008, Daniel Corrigan wrote: > Since this was released to a public mailing list, I can only assume some > less than nice user will attempt this. The only top level file system I have > that can be written to by normal users is /tmp > > Should clear_tmp_enable="YES" in /etc/rc.conf prevent this from causing > harm? There are a few things that come to mind, depending on how reproduceable this is. If we think it's purely a property of the number of files in the root directory (I think this is an unlikely single cause -- it might have to do with the size of the directory, or such, which loosely corresponds to it), then you can limit the number of inodes in the file system at all. The example code in the report suggests 10,000 entries does the trick. You could create a /tmp limited to, say, 5000 entries. You can also use quotas to limit the number of inodes allocated by any one user but leave the file system unmodified, as while modifying the file system may be OK for /tmp, it's probably less OK for /home. Robert N M Watson Computer Laboratory University of Cambridge > > Dan > > On Feb 17, 2008 10:24 PM, Jim Bryant wrote: > >> One line summary: >> Too many files in a top-level UFS-2 filesystem directory will cause >> a panic on mount. >> >> Kern/Critical/High Priority/SW-Bug >> >> Which FreeBSD Release You Are Using: >> 6.3-STABLE >> >> Environment (output of "uname -a" on the problem machine): >> FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb >> 10 21:13:39 CST 2008 >> jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 >> >> Note: I just cvsupped earlier, and no changes have been put into >> cvsup that would fix this problem. >> >> Full Description: >> I was doing a reorganization of my filesystems, and since I do >> offline installs, I keep a local distfiles collection (or did until >> yesterday when this happened), and in the process, put all of the >> distfiles on their own filesystem to be mounted under >> /usr/ports/distfiles. >> >> All was fine until I rebooted. >> >> On rebooting, I got a page fault panic on mount of the new distfiles >> filesystem. >> >> i booted again, got it again, booted again this time into single-user, >> and did a fsck on the filesystem, and it only showed as being "dirty", >> but otherwise had no problems in the eyes of fsck. booted again, >> instant panic. >> >> i booted an older 6.2 CD and mounted the filesystem fine. i then put >> that filesystem the way it was by mkdir'ing a distfiles dir and mv'ing >> everything into it, but on reboot it still paniced on mount. >> >> only a newfs was able to enable the filesystem to be mounted. >> >> today i did further research, thinking it had to do with the number of >> files in the top-level filesystem directory, and found that to be true. >> the short c program in the next section (how to repeat the problem) >> contains this. >> >> a second test shows that, after a newfs, if this done in any >> subdirectory of that filesystem, the panic is averted, and all is well. >> apparently this bug only effects top-level directories of a UFS2 >> filesystem. >> >> I have not attempted this to a non-UFS2 filesystem. >> >> IMHO, a security advisory should be released, since any user with write >> access to ANY top level directory of ANY mounted filesystem (most >> systems have /tmp as a world writable top level filesystem directory) >> can create a panic situation requiring a newfs of the said filesystem. >> A malicious user with root access can do this to /. Either way, on >> boot, or any attempt to mount said filesystem on a running system, will >> cause a panic, which of course will cause an unbootable system on reboot. >> >> How to repeat the problem: >> Compile and run the following as instructed: >> >> #include >> #include >> >> int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, >> 1024); for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", >> argv[1], i); system((const char *)buf);} return(0);} >> >> /* pass a top-level mountpoint directory name of a mounted filesystem, >> with a trailing slash to the above as argv[1], and run. >> >> This will create 10,000 zero-length files in the specified directory. >> >> umount that filesystem. >> >> perform a shitload of sync's to make sure everything outstanding is >> flushed to disk on all filesystems. >> >> mount the target filesystem (preferably from a vty or serial console to >> catch the messages when it panics, which it will as soon as the mount is >> attempted). >> */ >> >> Fix to the problem if known: >> newfs(8) >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org >> " >> > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 16:41:55 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E0DF316A41A for ; Mon, 18 Feb 2008 16:41:55 +0000 (UTC) (envelope-from sthaug@nethelp.no) Received: from bizet.nethelp.no (bizet.nethelp.no [195.1.209.33]) by mx1.freebsd.org (Postfix) with SMTP id 2EC1C13C469 for ; Mon, 18 Feb 2008 16:41:54 +0000 (UTC) (envelope-from sthaug@nethelp.no) Received: (qmail 73968 invoked from network); 18 Feb 2008 16:15:13 -0000 Received: from bizet.nethelp.no (HELO localhost) (195.1.209.33) by bizet.nethelp.no with SMTP; 18 Feb 2008 16:15:13 -0000 Date: Mon, 18 Feb 2008 17:15:13 +0100 (CET) Message-Id: <20080218.171513.41723703.sthaug@nethelp.no> To: freebsd-security@freebsd.org, Mark Andrews From: sthaug@nethelp.no In-Reply-To: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> References: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> X-Mailer: Mew version 3.3 on Emacs 21.3 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Mon, 18 Feb 2008 17:39:09 +0000 Cc: Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 16:41:56 -0000 > Did you actually bother to read his report? > > While his example is used "/", if the report is correct then you > just need to replace "/" with the path of any file system mount > point that is world writable like say "/tmp". > > Do you have /tmp mounted like this? > /dev/ad0s4e 507630 162050 304970 35% /tmp Tried with 7.0-RC1 and the top level of a world writable file system. No apparent ill effect. Steinar Haug, Nethelp consulting, sthaug@nethelp.no From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 18:02:15 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AFBBA16A417 for ; Mon, 18 Feb 2008 18:02:15 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: from syn.atarininja.org (syn.csh.rit.edu [129.21.60.158]) by mx1.freebsd.org (Postfix) with ESMTP id 92C5313C45E for ; Mon, 18 Feb 2008 18:02:15 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: by syn.atarininja.org (Postfix, from userid 1001) id A3A1D5C5C; Mon, 18 Feb 2008 13:04:41 -0500 (EST) Date: Mon, 18 Feb 2008 13:04:41 -0500 From: Wesley Shields To: Peter Sanchez Message-ID: <20080218180441.GE14660@atarininja.org> References: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> <20080218150748.GD90004@atarininja.org> <268BFF3D-3853-40D5-9D69-6FC876E07ABB@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <268BFF3D-3853-40D5-9D69-6FC876E07ABB@gmail.com> User-Agent: Mutt/1.5.17 (2007-11-01) Cc: freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 18:02:15 -0000 On Mon, Feb 18, 2008 at 09:25:29AM -0800, Peter Sanchez wrote: > > On Feb 18, 2008, at 7:07 AM, Wesley Shields wrote: >>> >> >> I tried this using /tmp/ as argv[1] and it didn't crash a 6.2 machine or >> a -current from a few weeks ago. Maybe the number of files has to be >> increased? I bumped it up to 100000 and tried on a 6.2 machine, but I >> ran out of inodes before I could induce a crash. :) >> >> Maybe I'm doing something wrong? > > I believe the panic doesn't occur until boot. Did you reboot the box after > writing the files to /tmp? > > Peter I did on a 6.2 machine with 10000 files in /tmp. I can reboot the -current machine later tonight if you think it will make a difference. -- WXS From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 17:52:01 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1285616A418 for ; Mon, 18 Feb 2008 17:52:01 +0000 (UTC) (envelope-from petersanchez@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.169]) by mx1.freebsd.org (Postfix) with ESMTP id 9913A13C459 for ; Mon, 18 Feb 2008 17:51:59 +0000 (UTC) (envelope-from petersanchez@gmail.com) Received: by ug-out-1314.google.com with SMTP id y2so1034727uge.37 for ; Mon, 18 Feb 2008 09:51:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:cc:message-id:from:to:in-reply-to:content-type:content-transfer-encoding:mime-version:subject:date:references:x-mailer; bh=9ygrHuLoW3xHeMB8TTzZOPYLGyBk/R9mSE7awh0BQk8=; b=ZyqSBW62c23BMwxC+gEFRExQ5rN/GhRdUjeHVmbxwJgGWohACPPXpIC5NUP7FNJUArQpPB0Ybb9szJzog+QbB8L0Pef7Pqd76yx38/fvvTuKAaoeLV4BJEZ2YxE95NGqB+AlNqISvmG98eAvr4vTc+y+wHw8M15V0M/HqJ8xh5I= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type:content-transfer-encoding:mime-version:subject:date:references:x-mailer; b=MclD9trkwCFQoXKhmQe4zGZdEQlbFXqYpGvfpiJXq4wLabWA/hyviaebNuZmtPVg/HWtllSHTs7uthjawO7cm98SwSp/81b93IqPgUgqHouNJF7ysHUZXSYRr2tKaLe/KWyEYGpVkzgl0/3s6pnxhk7ZpZ44vlyh792ugdUgjX8= Received: by 10.142.229.4 with SMTP id b4mr4520615wfh.118.1203355537092; Mon, 18 Feb 2008 09:25:37 -0800 (PST) Received: from ?192.168.1.4? ( [76.169.98.169]) by mx.google.com with ESMTPS id 30sm16214304wfc.6.2008.02.18.09.25.36 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 18 Feb 2008 09:25:36 -0800 (PST) Message-Id: <268BFF3D-3853-40D5-9D69-6FC876E07ABB@gmail.com> From: Peter Sanchez To: Wesley Shields In-Reply-To: <20080218150748.GD90004@atarininja.org> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v919.2) Date: Mon, 18 Feb 2008 09:25:29 -0800 References: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> <20080218150748.GD90004@atarininja.org> X-Mailer: Apple Mail (2.919.2) X-Mailman-Approved-At: Mon, 18 Feb 2008 18:03:50 +0000 Cc: freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 17:52:01 -0000 On Feb 18, 2008, at 7:07 AM, Wesley Shields wrote: >> > > I tried this using /tmp/ as argv[1] and it didn't crash a 6.2 > machine or > a -current from a few weeks ago. Maybe the number of files has to be > increased? I bumped it up to 100000 and tried on a 6.2 machine, but I > ran out of inodes before I could induce a crash. :) > > Maybe I'm doing something wrong? I believe the panic doesn't occur until boot. Did you reboot the box after writing the files to /tmp? Peter > > > -- WXS > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 18:04:10 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D743F16A419 for ; Mon, 18 Feb 2008 18:04:10 +0000 (UTC) (envelope-from petersanchez@gmail.com) Received: from el-out-1112.google.com (el-out-1112.google.com [209.85.162.177]) by mx1.freebsd.org (Postfix) with ESMTP id 90D2913C45E for ; Mon, 18 Feb 2008 18:04:10 +0000 (UTC) (envelope-from petersanchez@gmail.com) Received: by el-out-1112.google.com with SMTP id r27so876597ele.3 for ; Mon, 18 Feb 2008 10:04:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:cc:message-id:from:to:in-reply-to:content-type:content-transfer-encoding:mime-version:subject:date:references:x-mailer:sender; bh=9ygrHuLoW3xHeMB8TTzZOPYLGyBk/R9mSE7awh0BQk8=; b=A+JMIQjBQ0nzULgWVSX3Lnzi5bcaNfOq15dh17vGfnrH+QcnzT9hcsa9RWuJaqEpLeKBISdRFKqSsKM0RGz3sFCL6IFbUiEGYO8lXusoUDAP7yvS1ONygI7yjuYc1r69fgO5AJAb3Vg73nJC4+PHN2rd0PPtJk5HFkAG10TArkY= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type:content-transfer-encoding:mime-version:subject:date:references:x-mailer:sender; b=aFi8uMwLreIpHcIw1a2WUYE7F8qHYFl+37oMUnbqFfUu/5ptgfYBZGLrA2yiwCbU3a+glN1hUswtQeVQ2U4s7PzUBjfKoNzrJqWlUqvhf2EMGTfSGm8MRaHWzmuIg5SHJoilBVnaE/61d0/spjREdBugO2htG4x5b57RGJJAqxg= Received: by 10.142.103.6 with SMTP id a6mr4561619wfc.109.1203357848450; Mon, 18 Feb 2008 10:04:08 -0800 (PST) Received: from ?192.168.1.4? ( [76.169.98.169]) by mx.google.com with ESMTPS id 31sm16223977wff.7.2008.02.18.10.04.07 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 18 Feb 2008 10:04:08 -0800 (PST) Message-Id: <34D50D96-A2EB-4377-BA9B-1B89177AC836@packet-addiction.org> From: Peter Sanchez To: Wesley Shields In-Reply-To: <20080218150748.GD90004@atarininja.org> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v919.2) Date: Mon, 18 Feb 2008 10:04:01 -0800 References: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> <20080218150748.GD90004@atarininja.org> X-Mailer: Apple Mail (2.919.2) Sender: Peter Sanchez Cc: freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 18:04:10 -0000 On Feb 18, 2008, at 7:07 AM, Wesley Shields wrote: >> > > I tried this using /tmp/ as argv[1] and it didn't crash a 6.2 > machine or > a -current from a few weeks ago. Maybe the number of files has to be > increased? I bumped it up to 100000 and tried on a 6.2 machine, but I > ran out of inodes before I could induce a crash. :) > > Maybe I'm doing something wrong? I believe the panic doesn't occur until boot. Did you reboot the box after writing the files to /tmp? Peter > > > -- WXS > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 18:13:33 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9E0C416A477; Mon, 18 Feb 2008 18:13:33 +0000 (UTC) (envelope-from lambert@lambertfam.org) Received: from sysmon.tcworks.net (sysmon.tcworks.net [65.66.76.4]) by mx1.freebsd.org (Postfix) with ESMTP id 6580713C45B; Mon, 18 Feb 2008 18:13:33 +0000 (UTC) (envelope-from lambert@lambertfam.org) Received: from sysmon.tcworks.net (localhost [127.0.0.1]) by sysmon.tcworks.net (8.13.1/8.13.1) with ESMTP id m1IHYeTD001189; Mon, 18 Feb 2008 11:34:40 -0600 (CST) (envelope-from lambert@lambertfam.org) Received: (from lambert@localhost) by sysmon.tcworks.net (8.13.1/8.13.1/Submit) id m1IHYe95001188; Mon, 18 Feb 2008 11:34:40 -0600 (CST) (envelope-from lambert@lambertfam.org) X-Authentication-Warning: sysmon.tcworks.net: lambert set sender to lambert@lambertfam.org using -f Date: Mon, 18 Feb 2008 11:34:40 -0600 From: Scott Lambert To: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Message-ID: <20080218173439.GA40800@sysmon.tcworks.net> Mail-Followup-To: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org References: <47B90868.7000900@electron-tube.net> <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> User-Agent: Mutt/1.4.2.2i Cc: Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 18:13:33 -0000 On Mon, Feb 18, 2008 at 09:14:30AM -0600, Daniel Corrigan wrote: > Since this was released to a public mailing list, I can only assume > some less than nice user will attempt this. The only top level file > system I have that can be written to by normal users is /tmp > > Should clear_tmp_enable="YES" in /etc/rc.conf prevent this from > causing harm? Probably not. But an inode quota might, if your users can deal with having less than 10000 inodes - (what is supposed to be in the root of such file systems). It would at least make it more difficult for one rogue user to hurt you. Perhaps an /usr/local/etc/rc.d script could look for problems such as this in the stop process. Or one could simply remount the /tmp disk to /data and make a symlink from /tmp to /data/tmp. It seems like there should be several possible workarounds. -- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 18:22:24 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2B74F16A420 for ; Mon, 18 Feb 2008 18:22:24 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id DD36413C465 for ; Mon, 18 Feb 2008 18:22:23 +0000 (UTC) (envelope-from volker@vwsoft.com) Received: from mail.vtec.ipme.de (Q7d02.q.ppp-pool.de [89.53.125.2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 26BC1128844; Mon, 18 Feb 2008 19:22:14 +0100 (CET) Received: from cesar.sz.vwsoft.com (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 28EA43F43C; Mon, 18 Feb 2008 19:20:19 +0100 (CET) Message-ID: <47B9CCC3.9060203@vwsoft.com> Date: Mon, 18 Feb 2008 19:21:55 +0100 From: Volker User-Agent: Thunderbird 2.0.0.9 (X11/20080125) MIME-Version: 1.0 To: Wesley Shields References: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> <20080218150748.GD90004@atarininja.org> <268BFF3D-3853-40D5-9D69-6FC876E07ABB@gmail.com> <20080218180441.GE14660@atarininja.org> In-Reply-To: <20080218180441.GE14660@atarininja.org> X-Enigmail-Version: 0.95.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit MailScanner-NULL-Check: 1203963628.75731@F0OzFYv+CfOs+ngc1EDGgQ X-VWSoft-MailScanner: Found to be clean X-MailScanner-From: volker@vwsoft.com X-ipactive-MailScanner-Information: Please contact the ISP for more information X-ipactive-MailScanner: Found to be clean X-ipactive-MailScanner-From: volker@vwsoft.com Cc: Peter Sanchez , freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 18:22:24 -0000 On 02/18/08 19:04, Wesley Shields wrote: > On Mon, Feb 18, 2008 at 09:25:29AM -0800, Peter Sanchez wrote: >> On Feb 18, 2008, at 7:07 AM, Wesley Shields wrote: >>> I tried this using /tmp/ as argv[1] and it didn't crash a 6.2 machine or >>> a -current from a few weeks ago. Maybe the number of files has to be >>> increased? I bumped it up to 100000 and tried on a 6.2 machine, but I >>> ran out of inodes before I could induce a crash. :) >>> >>> Maybe I'm doing something wrong? >> I believe the panic doesn't occur until boot. Did you reboot the box after >> writing the files to /tmp? >> >> Peter > > I did on a 6.2 machine with 10000 files in /tmp. I can reboot the > -current machine later tonight if you think it will make a difference. According to the problem report, it should panic while mounting the fs. umount and re-mount /tmp and see, if you can make it panic (a reboot shouldn't be necessary here). If you're able to do so, please send in a complete panic message and backtrace - if possible, please! From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 18:37:20 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 846C116A468 for ; Mon, 18 Feb 2008 18:37:20 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: from syn.atarininja.org (syn.csh.rit.edu [129.21.60.158]) by mx1.freebsd.org (Postfix) with ESMTP id 19CD713C45E for ; Mon, 18 Feb 2008 18:37:20 +0000 (UTC) (envelope-from wxs@atarininja.org) Received: by syn.atarininja.org (Postfix, from userid 1001) id 0A71A5C5C; Mon, 18 Feb 2008 13:39:46 -0500 (EST) Date: Mon, 18 Feb 2008 13:39:46 -0500 From: Wesley Shields To: Volker Message-ID: <20080218183946.GH14660@atarininja.org> References: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> <20080218150748.GD90004@atarininja.org> <268BFF3D-3853-40D5-9D69-6FC876E07ABB@gmail.com> <20080218180441.GE14660@atarininja.org> <47B9CCC3.9060203@vwsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <47B9CCC3.9060203@vwsoft.com> User-Agent: Mutt/1.5.17 (2007-11-01) Cc: Peter Sanchez , freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 18:37:20 -0000 On Mon, Feb 18, 2008 at 07:21:55PM +0100, Volker wrote: > On 02/18/08 19:04, Wesley Shields wrote: > > On Mon, Feb 18, 2008 at 09:25:29AM -0800, Peter Sanchez wrote: > >> On Feb 18, 2008, at 7:07 AM, Wesley Shields wrote: > >>> I tried this using /tmp/ as argv[1] and it didn't crash a 6.2 machine or > >>> a -current from a few weeks ago. Maybe the number of files has to be > >>> increased? I bumped it up to 100000 and tried on a 6.2 machine, but I > >>> ran out of inodes before I could induce a crash. :) > >>> > >>> Maybe I'm doing something wrong? > >> I believe the panic doesn't occur until boot. Did you reboot the box after > >> writing the files to /tmp? > >> > >> Peter > > > > I did on a 6.2 machine with 10000 files in /tmp. I can reboot the > > -current machine later tonight if you think it will make a difference. > > According to the problem report, it should panic while mounting the fs. > umount and re-mount /tmp and see, if you can make it panic (a reboot > shouldn't be necessary here). I did exactly that and it did not panic on both a 6.2 and -current machine. Just to be sure, I did reboot a 6.2 machine with 10000 0-byte files in /tmp and it didn't panic. -- WXS From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 20:23:53 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 499BD16A41A; Mon, 18 Feb 2008 20:23:53 +0000 (UTC) (envelope-from kris@FreeBSD.org) Received: from weak.local (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 1081D13C467; Mon, 18 Feb 2008 20:23:47 +0000 (UTC) (envelope-from kris@FreeBSD.org) Message-ID: <47B9E951.7040208@FreeBSD.org> Date: Mon, 18 Feb 2008 21:23:45 +0100 From: Kris Kennaway User-Agent: Thunderbird 2.0.0.9 (Macintosh/20071031) MIME-Version: 1.0 To: Wesley Shields References: <200802181414.m1IEE8bd075081@drugs.dv.isc.org> <20080218150748.GD90004@atarininja.org> <268BFF3D-3853-40D5-9D69-6FC876E07ABB@gmail.com> <20080218180441.GE14660@atarininja.org> <47B9CCC3.9060203@vwsoft.com> <20080218183946.GH14660@atarininja.org> In-Reply-To: <20080218183946.GH14660@atarininja.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: Volker , Peter Sanchez , freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 20:23:53 -0000 Wesley Shields wrote: > On Mon, Feb 18, 2008 at 07:21:55PM +0100, Volker wrote: >> On 02/18/08 19:04, Wesley Shields wrote: >>> On Mon, Feb 18, 2008 at 09:25:29AM -0800, Peter Sanchez wrote: >>>> On Feb 18, 2008, at 7:07 AM, Wesley Shields wrote: >>>>> I tried this using /tmp/ as argv[1] and it didn't crash a 6.2 machine or >>>>> a -current from a few weeks ago. Maybe the number of files has to be >>>>> increased? I bumped it up to 100000 and tried on a 6.2 machine, but I >>>>> ran out of inodes before I could induce a crash. :) >>>>> >>>>> Maybe I'm doing something wrong? >>>> I believe the panic doesn't occur until boot. Did you reboot the box after >>>> writing the files to /tmp? >>>> >>>> Peter >>> I did on a 6.2 machine with 10000 files in /tmp. I can reboot the >>> -current machine later tonight if you think it will make a difference. >> According to the problem report, it should panic while mounting the fs. >> umount and re-mount /tmp and see, if you can make it panic (a reboot >> shouldn't be necessary here). > > I did exactly that and it did not panic on both a 6.2 and -current > machine. > > Just to be sure, I did reboot a 6.2 machine with 10000 0-byte files in > /tmp and it didn't panic. I'm also unable to reproduce this on an 8.0 machine. The original poster needs to follow up with the panic backtrace so we can attempt to understand his problem. Kris From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 20:35:50 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0C57F16A468; Mon, 18 Feb 2008 20:35:50 +0000 (UTC) (envelope-from kris@FreeBSD.org) Received: from weak.local (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 6A87D13C468; Mon, 18 Feb 2008 20:35:43 +0000 (UTC) (envelope-from kris@FreeBSD.org) Message-ID: <47B9EC1D.6060606@FreeBSD.org> Date: Mon, 18 Feb 2008 21:35:41 +0100 From: Kris Kennaway User-Agent: Thunderbird 2.0.0.9 (Macintosh/20071031) MIME-Version: 1.0 To: Eugene Grosbein References: <47B90868.7000900@electron-tube.net> <86odae5rgr.fsf@ds4.des.no> <863arq5q14.fsf@ds4.des.no> <20080218135948.GB62360@svzserv.kemerovo.su> In-Reply-To: <20080218135948.GB62360@svzserv.kemerovo.su> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-fs@freebsd.org, des@des.no, Jim Bryant , freebsd-stable@freebsd.org, freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 20:35:50 -0000 Eugene Grosbein wrote: > On Mon, Feb 18, 2008 at 02:53:59PM +0100, Dag-Erling Sm??rgrav wrote: > >> Two bugs: > > [skip] > > That's all very funny, but what about a panic? > > It it true that it's possible for non-root to bring a file system > to not-mountable state? The issue appears to be more subtle than claimed, because no-one else reports being able to reproduce it yet. Kris From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 20:52:53 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 94C2416A419 for ; Mon, 18 Feb 2008 20:52:53 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.freebsd.org (Postfix) with ESMTP id 5E9CC13C4D9 for ; Mon, 18 Feb 2008 20:52:53 +0000 (UTC) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.2/8.14.2) with ESMTP id m1IKqlhs066139; Mon, 18 Feb 2008 15:52:47 -0500 (EST) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.8/8.13.3) with ESMTP id m1IKqkFF004605 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 18 Feb 2008 15:52:46 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <200802182052.m1IKqkFF004605@lava.sentex.ca> X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9 Date: Mon, 18 Feb 2008 15:53:09 -0500 To: Jim Bryant From: Mike Tancsa In-Reply-To: <47B90868.7000900@electron-tube.net> References: <47B90868.7000900@electron-tube.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 20:52:53 -0000 At 11:24 PM 2/17/2008, Jim Bryant wrote: >One line summary: > Too many files in a top-level UFS-2 filesystem directory will > cause a panic on mount. >How to repeat the problem: > Compile and run the following as instructed: > >umount that filesystem. Hi, I tried this on RELENG_7 and RELENG_6 and was not able to panic the box 0[releng7]# ls -l | wc 20098 200972 1377211 0[releng7]# df -i Filesystem 1K-blocks Used Avail Capacity iused ifree %iused Mounted on /dev/ad6s1a 1012974 284464 647474 31% 3308 138002 2% / devfs 1 1 0 100% 0 0 100% /dev /dev/ad6s1d 5077038 1221890 3448986 26% 20243 639211 3% /tmp /dev/ad6s1e 25385516 15683412 7671264 67% 370099 2927179 11% /usr /dev/ad6s1f 40139596 847342 36081088 2% 1001 5203989 0% /var 0[releng7]# and releng_6 0[nanobsd]# ./a.out /tmp/k 0[nanobsd]# ./a.out /tmp/kl 0[nanobsd]# ls -l /tmp/ | wc 20248 182229 1327842 0[nanobsd]# df -i Filesystem 1K-blocks Used Avail Capacity iused ifree %iused Mounted on /dev/twed0s1a 1012974 109076 822862 12% 2099 139211 1% / devfs 1 1 0 100% 0 0 100% /dev /dev/twed0s1d 4058062 3264732 468686 87% 23045 518649 4% /tmp /dev/twed0s1f 82042376 57488474 17990512 76% 2014718 8607232 19% /usr /dev/twed0s1e 20308398 5173252 13510476 28% 1813 2636009 0% /var 0[nanobsd]# After running the program and creating all the files, I just did a reboot and all worked just fine post reboot. Did you fill up the partition or run out of inodes perhaps ? ---Mike From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 21:12:04 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 105E616A46C for ; Mon, 18 Feb 2008 21:12:04 +0000 (UTC) (envelope-from technet@datadream.co.uk) Received: from mail.datadream.co.uk (mail.datadream.co.uk [82.152.56.113]) by mx1.freebsd.org (Postfix) with ESMTP id 8ADF813C4F4 for ; Mon, 18 Feb 2008 21:12:03 +0000 (UTC) (envelope-from technet@datadream.co.uk) Received: from localhost (mail.datadream.co.uk [192.168.115.2]) by mail.datadream.co.uk (Postfix) with ESMTP id F09F784E45 for ; Mon, 18 Feb 2008 20:56:12 +0000 (UTC) X-Virus-Scanned: amavisd-new at datadream.co.uk Received: from mail.datadream.co.uk ([192.168.115.2]) by localhost (mail.datadream.co.uk [192.168.115.2]) (amavisd-new, port 10024) with ESMTP id atxksAmUiGbM for ; Mon, 18 Feb 2008 20:56:02 +0000 (UTC) Received: from q1.datadream.co.uk (q1.datadream.co.uk [192.168.115.170]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: mona@datadream.co.uk) by mail.datadream.co.uk (Postfix) with ESMTP id 1EE6684648 for ; Mon, 18 Feb 2008 20:56:02 +0000 (UTC) Message-ID: <47B9F0E1.5030506@datadream.co.uk> Date: Mon, 18 Feb 2008 20:56:01 +0000 From: Technical Department User-Agent: Thunderbird 2.0.0.9 (X11/20080216) MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <47B90868.7000900@electron-tube.net> <200802182052.m1IKqkFF004605@lava.sentex.ca> In-Reply-To: <200802182052.m1IKqkFF004605@lava.sentex.ca> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 21:12:04 -0000 I have tried on 6.3p1 Release and 6.2p10 Release - ran out of inodes - system fine. Mike Tancsa wrote: > At 11:24 PM 2/17/2008, Jim Bryant wrote: >> One line summary: >> Too many files in a top-level UFS-2 filesystem directory will cause >> a panic on mount. >> How to repeat the problem: >> Compile and run the following as instructed: >> >> umount that filesystem. > > Hi, > > I tried this on RELENG_7 and RELENG_6 and was not able to panic the box > > 0[releng7]# ls -l | wc > 20098 200972 1377211 > 0[releng7]# df -i > Filesystem 1K-blocks Used Avail Capacity iused ifree %iused > Mounted on > /dev/ad6s1a 1012974 284464 647474 31% 3308 138002 2% / > devfs 1 1 0 100% 0 0 100% /dev > /dev/ad6s1d 5077038 1221890 3448986 26% 20243 639211 3% /tmp > /dev/ad6s1e 25385516 15683412 7671264 67% 370099 2927179 11% /usr > /dev/ad6s1f 40139596 847342 36081088 2% 1001 5203989 0% /var > 0[releng7]# > > and releng_6 > 0[nanobsd]# ./a.out /tmp/k > 0[nanobsd]# ./a.out /tmp/kl > 0[nanobsd]# ls -l /tmp/ | wc > 20248 182229 1327842 > 0[nanobsd]# df -i > Filesystem 1K-blocks Used Avail Capacity iused ifree %iused > Mounted on > /dev/twed0s1a 1012974 109076 822862 12% 2099 139211 1% / > devfs 1 1 0 100% 0 0 100% > /dev > /dev/twed0s1d 4058062 3264732 468686 87% 23045 518649 4% > /tmp > /dev/twed0s1f 82042376 57488474 17990512 76% 2014718 8607232 19% > /usr > /dev/twed0s1e 20308398 5173252 13510476 28% 1813 2636009 0% > /var > 0[nanobsd]# > > After running the program and creating all the files, I just did a > reboot and all worked just fine post reboot. > > Did you fill up the partition or run out of inodes perhaps ? > > ---Mike > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Mon Feb 18 21:51:12 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 66B8C16A419 for ; Mon, 18 Feb 2008 21:51:12 +0000 (UTC) (envelope-from petersanchez@gmail.com) Received: from wr-out-0506.google.com (wr-out-0506.google.com [64.233.184.234]) by mx1.freebsd.org (Postfix) with ESMTP id 0EC6B13C46B for ; Mon, 18 Feb 2008 21:51:11 +0000 (UTC) (envelope-from petersanchez@gmail.com) Received: by wr-out-0506.google.com with SMTP id 68so1336989wri.3 for ; Mon, 18 Feb 2008 13:51:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:cc:message-id:from:to:in-reply-to:content-type:content-transfer-encoding:mime-version:subject:date:references:x-mailer:sender; bh=43lPMpYZxlKz+fH3f8q1j/HQICB4Wh9UNDs3JQSNK/w=; b=aj4GgcvLfbH7dvFcuwKjgudeZ0F+yhv6j1h8QzJYFz39idB1USmKuhJFY0jzhWSMofPbEOygtcqzqASjSNSWFDKMxkPDEsGORGJcuIe6JQxgLEXB4Z1Reh2PfED72XQgSQ0x+YqL8dKDv5pUQwp5TloguOqyZUhU6B/0RKcj96I= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type:content-transfer-encoding:mime-version:subject:date:references:x-mailer:sender; b=ZcWlAmSwuTCnhdEnaK4F8tv4WJgh8+JffWaZeXIDFgYzzhppjzAxnMjYDBOEtF4mAD9C5F6wVtnoVpuQbINjhi9uRmSgjlFDyfZzXSr6GJGurz/bHXBXX4wMZm5FvwK6nTMfxVRw0/Nh1zJnqUi+mh5vohO5AvuWIQGZf1YLYiI= Received: by 10.142.141.21 with SMTP id o21mr4773661wfd.102.1203371470254; Mon, 18 Feb 2008 13:51:10 -0800 (PST) Received: from ?192.168.1.4? ( [76.169.98.169]) by mx.google.com with ESMTPS id 22sm16597852wfd.4.2008.02.18.13.51.09 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 18 Feb 2008 13:51:09 -0800 (PST) Message-Id: From: Peter Sanchez To: Technical Department In-Reply-To: <47B9F0E1.5030506@datadream.co.uk> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v919.2) Date: Mon, 18 Feb 2008 13:51:03 -0800 References: <47B90868.7000900@electron-tube.net> <200802182052.m1IKqkFF004605@lava.sentex.ca> <47B9F0E1.5030506@datadream.co.uk> X-Mailer: Apple Mail (2.919.2) Sender: Peter Sanchez Cc: freebsd-security@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 21:51:12 -0000 On Feb 18, 2008, at 12:56 PM, Technical Department wrote: > I have tried on 6.3p1 Release and 6.2p10 Release - ran out of inodes > - system fine. Tried on 6.2-S and 6.3-S and I didn't get a system panic. Peter > > > Mike Tancsa wrote: >> At 11:24 PM 2/17/2008, Jim Bryant wrote: >>> One line summary: >>> Too many files in a top-level UFS-2 filesystem directory will >>> cause a panic on mount. >>> How to repeat the problem: >>> Compile and run the following as instructed: >>> >>> umount that filesystem. >> Hi, >> I tried this on RELENG_7 and RELENG_6 and was not able to panic the >> box >> 0[releng7]# ls -l | wc >> 20098 200972 1377211 >> 0[releng7]# df -i >> Filesystem 1K-blocks Used Avail Capacity iused ifree >> %iused Mounted on >> /dev/ad6s1a 1012974 284464 647474 31% 3308 138002 >> 2% / >> devfs 1 1 0 100% 0 0 >> 100% /dev >> /dev/ad6s1d 5077038 1221890 3448986 26% 20243 639211 >> 3% /tmp >> /dev/ad6s1e 25385516 15683412 7671264 67% 370099 2927179 >> 11% /usr >> /dev/ad6s1f 40139596 847342 36081088 2% 1001 5203989 >> 0% /var >> 0[releng7]# >> and releng_6 >> 0[nanobsd]# ./a.out /tmp/k >> 0[nanobsd]# ./a.out /tmp/kl >> 0[nanobsd]# ls -l /tmp/ | wc >> 20248 182229 1327842 >> 0[nanobsd]# df -i >> Filesystem 1K-blocks Used Avail Capacity iused ifree >> %iused Mounted on >> /dev/twed0s1a 1012974 109076 822862 12% 2099 139211 >> 1% / >> devfs 1 1 0 100% 0 0 >> 100% /dev >> /dev/twed0s1d 4058062 3264732 468686 87% 23045 518649 >> 4% /tmp >> /dev/twed0s1f 82042376 57488474 17990512 76% 2014718 8607232 >> 19% /usr >> /dev/twed0s1e 20308398 5173252 13510476 28% 1813 2636009 >> 0% /var >> 0[nanobsd]# >> After running the program and creating all the files, I just did a >> reboot and all worked just fine post reboot. >> Did you fill up the partition or run out of inodes perhaps ? >> ---Mike >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org >> " > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " From owner-freebsd-security@FreeBSD.ORG Tue Feb 19 02:18:00 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7F4B916A419 for ; Tue, 19 Feb 2008 02:18:00 +0000 (UTC) (envelope-from gaijin.k@gmail.com) Received: from ag-out-0708.google.com (ag-out-0708.google.com [72.14.246.245]) by mx1.freebsd.org (Postfix) with ESMTP id 370A113C45E for ; Tue, 19 Feb 2008 02:18:00 +0000 (UTC) (envelope-from gaijin.k@gmail.com) Received: by ag-out-0708.google.com with SMTP id 5so2994796agb.7 for ; Mon, 18 Feb 2008 18:18:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc:in-reply-to:references:content-type:date:message-id:mime-version:x-mailer:content-transfer-encoding; bh=LDOCXQnUVv9TPPuAOG+kRE2uARyM7BS0dSu+BU3+kvY=; b=bKsKPeSEPPYwJsfjy5Df4wPwj0HEZakKNdC2I8mD/ppQZkDXgUjYfxvZsS5j2kzgXhW2/4q6416UEG7zYuu47Opa04oEB7wW3GyvGJKbVaev2p3ACP/r9qjJ75G3Ww1/lUKojjZ66GYBKIhbxCpr7jpPV1BWhrUUwwY82wEcHN8= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:in-reply-to:references:content-type:date:message-id:mime-version:x-mailer:content-transfer-encoding; b=vQdWNSdN6kMh5cNfzLm4zD2M31jF2GoW6GhsqfWO/C9f5oyge8NBhDZNSKCGFZAelGCILlQxI3bEtAMjJwP/r52bh0xStsz0uo1DIbZqlr2Rw8HWqud8WTHfxrg79IImKyqi7kZ5gJgJnTmyhm9x0lUIGYwe0I0G7iga87BIxD0= Received: by 10.100.210.9 with SMTP id i9mr12949610ang.40.1203386502590; Mon, 18 Feb 2008 18:01:42 -0800 (PST) Received: from ?10.0.3.231? ( [70.111.176.151]) by mx.google.com with ESMTPS id d29sm12618930and.28.2008.02.18.18.01.39 (version=SSLv3 cipher=RC4-MD5); Mon, 18 Feb 2008 18:01:41 -0800 (PST) From: "Alexandre \"Sunny\" Kovalenko" To: Robert Watson In-Reply-To: <20080218171841.O49202@fledge.watson.org> References: <47B90868.7000900@electron-tube.net> <47B91080.9010109@electron-tube.net> <20080218142004.O49202@fledge.watson.org> <20080218171841.O49202@fledge.watson.org> Content-Type: text/plain; charset=utf-8 Date: Mon, 18 Feb 2008 21:01:13 -0500 Message-Id: <1203386473.19985.14.camel@RabbitsDen> Mime-Version: 1.0 X-Mailer: Evolution 2.12.3 FreeBSD GNOME Team Port Content-Transfer-Encoding: 8bit X-Mailman-Approved-At: Tue, 19 Feb 2008 02:36:18 +0000 Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, Jim Bryant , freebsd-stable@freebsd.org, FreeBSD-bugs@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Feb 2008 02:18:00 -0000 On Mon, 2008-02-18 at 17:21 +0000, Robert Watson wrote: > On Mon, 18 Feb 2008, Robert Watson wrote: > > > Hopefully this bug will get resolved shortly, and then we can evaluate if an > > errata notice is necessary. > > FYI, I have been unable, thus far, to reproduce it with 150,000 entries in the > root of a test file system on an 8.x kernel. I'm not set up to test 6.x and > 7.x currently, and have other obligations tht will prevent me from setting up > 6.x and 7.x test images for a few days. FWIW: I can not reproduce this on the 7.0-RC2: twinhead# umount /usr/ports/distfiles twinhead# sync twinhead# sync twinhead# sync twinhead# sync twinhead# mount /usr/ports/distfiles twinhead# df -k Filesystem 1024-blocks Used Avail Capacity Mounted on /dev/da0s1a 8119416 4714312 2755552 63% / devfs 1 1 0 100% /dev /dev/da0s3d 7054514 1032194 5457960 16% /home /dev/stripe/shared 103288206 66041510 28983640 69% /SHARED /dev/stripe/S0 378425950 116115180 232036694 33% /STORAGE procfs 4 4 0 100% /proc /dev/ad4s2 47298314 4314412 39200038 10% /usr/ports/distfiles twinhead# cd /usr/ports/distfiles twinhead# ls | egrep "^[0-9]" | wc -l 10000 twinhead# ls | wc -l 10673 twinhead# uname -a FreeBSD twinhead.rabbitslawn.verizon.net 7.0-RC2 FreeBSD 7.0-RC2 #0: Sat Feb 16 08:44:12 EST 2008 root@twinhead.rabbitslawn.verizon.net:/usr/obj/usr/src/sys/TWINHEAD i386 If this makes any difference, this is SMP machine running SMP kernel. > > If people who can reproduce this problem could send kernel stack traces (etc) > as a follow-up to the PR, that would be most helpful. Right now it's sparse > on actual debugging data. > > Robert N M Watson > Computer Laboratory > University of Cambridge > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" -- Alexandre "Sunny" Kovalenko (Олександр Коваленко)