From owner-freebsd-bugs@FreeBSD.ORG Mon Feb 18 15:28:38 2008 Return-Path: Delivered-To: FreeBSD-bugs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B715516A478 for ; Mon, 18 Feb 2008 15:28:38 +0000 (UTC) (envelope-from phisher1@gmail.com) Received: from qb-out-0506.google.com (qb-out-0506.google.com [72.14.204.234]) by mx1.freebsd.org (Postfix) with ESMTP id 2C59A13C45A for ; Mon, 18 Feb 2008 15:28:37 +0000 (UTC) (envelope-from phisher1@gmail.com) Received: by qb-out-0506.google.com with SMTP id o24so6989232qba.1 for ; Mon, 18 Feb 2008 07:28:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; bh=C1CPtFis2TVigXkW1JLW7KwnehKe6ffMD4EnW37XqqU=; b=DTj0KFzOweXJ8dyFSpL0mTA1swb4dBdUR+Zq7Xe4TPAq10bNEgfCKGZR+dkMkPK5GBSPuSZFX/vvteyaZmGBYAws5kiYwMuQRW/G6HOOtPVS/qZILjjIY9bVKdLQwPTX4sbJf07y8R33N2x47VFN3Yz0TtvaabEdyaqKyWGqLMk= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references; b=i0GtlivR/YwwY3zY4XVY43RfbVZG++mLScK1pNeT5NQCTnv/Cjd8/3gRkDEDJ2mkySrp/jE5zsmNHE5DPTE96RcEnxbxnOX7ese9xQZNpW+eiKEQLiEBauHNS7dtVZaqFqG6/0gTrHJOna0mte0c3vFGW/EPa50tENj8y0BXhSw= Received: by 10.114.37.1 with SMTP id k1mr2931815wak.6.1203347670178; Mon, 18 Feb 2008 07:14:30 -0800 (PST) Received: by 10.114.109.15 with HTTP; Mon, 18 Feb 2008 07:14:30 -0800 (PST) Message-ID: <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> Date: Mon, 18 Feb 2008 09:14:30 -0600 From: "Daniel Corrigan" To: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org In-Reply-To: <47B90868.7000900@electron-tube.net> MIME-Version: 1.0 References: <47B90868.7000900@electron-tube.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 15:28:38 -0000 Since this was released to a public mailing list, I can only assume some less than nice user will attempt this. The only top level file system I have that can be written to by normal users is /tmp Should clear_tmp_enable="YES" in /etc/rc.conf prevent this from causing harm? Dan On Feb 17, 2008 10:24 PM, Jim Bryant wrote: > One line summary: > Too many files in a top-level UFS-2 filesystem directory will cause > a panic on mount. > > Kern/Critical/High Priority/SW-Bug > > Which FreeBSD Release You Are Using: > 6.3-STABLE > > Environment (output of "uname -a" on the problem machine): > FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb > 10 21:13:39 CST 2008 > jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 > > Note: I just cvsupped earlier, and no changes have been put into > cvsup that would fix this problem. > > Full Description: > I was doing a reorganization of my filesystems, and since I do > offline installs, I keep a local distfiles collection (or did until > yesterday when this happened), and in the process, put all of the > distfiles on their own filesystem to be mounted under > /usr/ports/distfiles. > > All was fine until I rebooted. > > On rebooting, I got a page fault panic on mount of the new distfiles > filesystem. > > i booted again, got it again, booted again this time into single-user, > and did a fsck on the filesystem, and it only showed as being "dirty", > but otherwise had no problems in the eyes of fsck. booted again, > instant panic. > > i booted an older 6.2 CD and mounted the filesystem fine. i then put > that filesystem the way it was by mkdir'ing a distfiles dir and mv'ing > everything into it, but on reboot it still paniced on mount. > > only a newfs was able to enable the filesystem to be mounted. > > today i did further research, thinking it had to do with the number of > files in the top-level filesystem directory, and found that to be true. > the short c program in the next section (how to repeat the problem) > contains this. > > a second test shows that, after a newfs, if this done in any > subdirectory of that filesystem, the panic is averted, and all is well. > apparently this bug only effects top-level directories of a UFS2 > filesystem. > > I have not attempted this to a non-UFS2 filesystem. > > IMHO, a security advisory should be released, since any user with write > access to ANY top level directory of ANY mounted filesystem (most > systems have /tmp as a world writable top level filesystem directory) > can create a panic situation requiring a newfs of the said filesystem. > A malicious user with root access can do this to /. Either way, on > boot, or any attempt to mount said filesystem on a running system, will > cause a panic, which of course will cause an unbootable system on reboot. > > How to repeat the problem: > Compile and run the following as instructed: > > #include > #include > > int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, > 1024); for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", > argv[1], i); system((const char *)buf);} return(0);} > > /* pass a top-level mountpoint directory name of a mounted filesystem, > with a trailing slash to the above as argv[1], and run. > > This will create 10,000 zero-length files in the specified directory. > > umount that filesystem. > > perform a shitload of sync's to make sure everything outstanding is > flushed to disk on all filesystems. > > mount the target filesystem (preferably from a vty or serial console to > catch the messages when it panics, which it will as soon as the mount is > attempted). > */ > > Fix to the problem if known: > newfs(8) > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " >