From owner-freebsd-bugs@FreeBSD.ORG Mon Feb 18 04:30:01 2008 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BF6C716A41A for ; Mon, 18 Feb 2008 04:30:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 950B713C45A for ; Mon, 18 Feb 2008 04:30:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.2/8.14.2) with ESMTP id m1I4U18G096825 for ; Mon, 18 Feb 2008 04:30:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.2/8.14.1/Submit) id m1I4U16W096824; Mon, 18 Feb 2008 04:30:01 GMT (envelope-from gnats) Resent-Date: Mon, 18 Feb 2008 04:30:01 GMT Resent-Message-Id: <200802180430.m1I4U16W096824@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Jim Bryant Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F32AA16A417 for ; Mon, 18 Feb 2008 04:25:58 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21]) by mx1.freebsd.org (Postfix) with ESMTP id D796B13C448 for ; Mon, 18 Feb 2008 04:25:58 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.14.2/8.14.2) with ESMTP id m1I4NVc8068248 for ; Mon, 18 Feb 2008 04:23:31 GMT (envelope-from nobody@www.freebsd.org) Received: (from nobody@localhost) by www.freebsd.org (8.14.2/8.14.1/Submit) id m1I4NV7p068247; Mon, 18 Feb 2008 04:23:31 GMT (envelope-from nobody) Message-Id: <200802180423.m1I4NV7p068247@www.freebsd.org> Date: Mon, 18 Feb 2008 04:23:31 GMT From: Jim Bryant To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: kern/120781: Too many files in a top-level UFS-2 filesystem directory will cause a panic on mount. X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 04:30:01 -0000 >Number: 120781 >Category: kern >Synopsis: Too many files in a top-level UFS-2 filesystem directory will cause a panic on mount. >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Feb 18 04:30:01 UTC 2008 >Closed-Date: >Last-Modified: >Originator: Jim Bryant >Release: 6.3-STABLE >Organization: myself >Environment: FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb 10 21:13:39 CST 2008 jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 >Description: I was doing a reorganization of my filesystems, and since I do offline installs, I keep a local distfiles collection (or did until yesterday when this happened), and in the process, put all of the distfiles on their own filesystem to be mounted under /usr/ports/distfiles. All was fine until I rebooted. On rebooting, I got a page fault panic on mount of the new distfiles filesystem. i booted again, got it again, booted again this time into single-user, and did a fsck on the filesystem, and it only showed as being "dirty", but otherwise had no problems in the eyes of fsck. booted again, instant panic. i booted an older 6.2 CD and mounted the filesystem fine. i then put that filesystem the way it was by mkdir'ing a distfiles dir and mv'ing everything into it, but on reboot it still paniced on mount. only a newfs was able to enable the filesystem to be mounted. today i did further research, thinking it had to do with the number of files in the top-level filesystem directory, and found that to be true. the short c program in the next section (how to repeat the problem) contains this. a second test shows that, after a newfs, if this done in any subdirectory of that filesystem, the panic is averted, and all is well. apparently this bug only effects top-level directories of a UFS2 filesystem. I have not attempted this to a non-UFS2 filesystem. IMHO, a security advisory should be released, since any user with write access to ANY top level directory of ANY mounted filesystem (most systems have /tmp as a world writable top level filesystem directory) can create a panic situation requiring a newfs of the said filesystem. A malicious user with root access can do this to /. Either way, on boot, or any attempt to mount said filesystem on a running system, will cause a panic, which of course will cause an unbootable system on reboot. >How-To-Repeat: #include #include int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, 1024); for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", argv[1], i); system((const char *)buf);} return(0);} /* pass a top-level mountpoint directory name of a mounted filesystem, with a trailing slash to the above as argv[1], and run. This will create 10,000 zero-length files in the specified directory. umount that filesystem. perform a shitload of sync's to make sure everything outstanding is flushed to disk on all filesystems. mount the target filesystem (preferably from a vty or serial console to catch the messages when it panics, which it will as soon as the mount is attempted). */ >Fix: newfs(8) >Release-Note: >Audit-Trail: >Unformatted: