From owner-freebsd-stable@FreeBSD.ORG Mon Feb 18 14:27:25 2008 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E949516A41A; Mon, 18 Feb 2008 14:27:24 +0000 (UTC) (envelope-from filter@mail.radiokom.kr.ua) Received: from mail.radiokom.kr.ua (smtp.radiokom.kr.ua [193.17.174.11]) by mx1.freebsd.org (Postfix) with ESMTP id 5EF1113C4E3; Mon, 18 Feb 2008 14:27:23 +0000 (UTC) (envelope-from filter@mail.radiokom.kr.ua) Received: by mail.radiokom.kr.ua (Postfix, from userid 1003) id 721A41D0F3; Mon, 18 Feb 2008 16:27:22 +0200 (EET) X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on shayba.homenet.kr.ua X-Spam-Level: X-Spam-Status: No, score=0.0 required=6.0 tests=none autolearn=disabled version=3.1.8 Received: from mx2.freebsd.org (mx2.freebsd.org [69.147.83.53]) by mail.radiokom.kr.ua (Postfix) with ESMTP id 043AD1CE9C for ; Mon, 18 Feb 2008 16:27:17 +0200 (EET) Received: from hub.freebsd.org (hub.freebsd.org [IPv6:2001:4f8:fff6::36]) by mx2.freebsd.org (Postfix) with ESMTP id 5CC425E979; Mon, 18 Feb 2008 14:26:01 +0000 (UTC) (envelope-from owner-freebsd-security@freebsd.org) Received: from hub.freebsd.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 188A416A4C9; Mon, 18 Feb 2008 14:25:59 +0000 (UTC) (envelope-from owner-freebsd-security@freebsd.org) Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9647C16A418; Mon, 18 Feb 2008 14:25:51 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.freebsd.org (Postfix) with ESMTP id EB16813C467; Mon, 18 Feb 2008 14:25:49 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id F094046B62; Mon, 18 Feb 2008 09:25:48 -0500 (EST) Date: Mon, 18 Feb 2008 14:25:48 +0000 (GMT) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Jim Bryant In-Reply-To: <47B91080.9010109@electron-tube.net> Message-ID: <20080218142004.O49202@fledge.watson.org> References: <47B90868.7000900@electron-tube.net> <47B91080.9010109@electron-tube.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Sender: owner-freebsd-security@freebsd.org Errors-To: owner-freebsd-security@freebsd.org Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-stable@freebsd.org List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 14:27:25 -0000 On Sun, 17 Feb 2008, Jim Bryant wrote: > FYI: The system assigned kern/120781 to this bug report. > > IMHO, a security advisory should be issued ASAP. Thanks for the report, I'm sure your widely distributed e-mail will get someone looking at it quickly. In the future if you run into an issue you think might require a security advisory, consider e-mailing it privately to secteam@FreeBSD.org so that the release of patches can cooincide with publication of the problem. That said, this is probably more a candidate for an errata patch rather than a security advisory -- security advisories are normally limited to local/remote privilege escalation or serious remote denial of service. Local denial of service problems occur in all operating systems I'm aware of with such frequency that the world would be continuously innundated with advisories to the point of rendering advisories useless if we did them every time someone discovered a way users could crash the system. You need only watch the change logs of the various open source kernels for the words "fix panic", "don't dereference NULL pointer", "don't leak a lock...", etc, to get a sense of the quantity of locally exercisable system bugs, many of which can lead to reboots, hangs, or data loss, to see why. Hopefully this bug will get resolved shortly, and then we can evaluate if an errata notice is necessary. Robert N M Watson Computer Laboratory University of Cambridge > > Jim Bryant wrote: >> One line summary: >> Too many files in a top-level UFS-2 filesystem directory will cause a >> panic on mount. >> >> Kern/Critical/High Priority/SW-Bug >> >> Which FreeBSD Release You Are Using: >> 6.3-STABLE >> >> Environment (output of "uname -a" on the problem machine): >> FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb 10 >> 21:13:39 CST 2008 >> jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 >> >> Note: I just cvsupped earlier, and no changes have been put into cvsup >> that would fix this problem. >> >> Full Description: >> I was doing a reorganization of my filesystems, and since I do offline >> installs, I keep a local distfiles collection (or did until yesterday when >> this happened), and in the process, put all of the distfiles on their own >> filesystem to be mounted under /usr/ports/distfiles. >> >> All was fine until I rebooted. >> >> On rebooting, I got a page fault panic on mount of the new distfiles >> filesystem. >> >> i booted again, got it again, booted again this time into single-user, and >> did a fsck on the filesystem, and it only showed as being "dirty", but >> otherwise had no problems in the eyes of fsck. booted again, instant >> panic. >> >> i booted an older 6.2 CD and mounted the filesystem fine. i then put that >> filesystem the way it was by mkdir'ing a distfiles dir and mv'ing >> everything into it, but on reboot it still paniced on mount. >> >> only a newfs was able to enable the filesystem to be mounted. >> >> today i did further research, thinking it had to do with the number of >> files in the top-level filesystem directory, and found that to be true. >> the short c program in the next section (how to repeat the problem) >> contains this. >> >> a second test shows that, after a newfs, if this done in any subdirectory >> of that filesystem, the panic is averted, and all is well. apparently this >> bug only effects top-level directories of a UFS2 filesystem. >> >> I have not attempted this to a non-UFS2 filesystem. >> >> IMHO, a security advisory should be released, since any user with write >> access to ANY top level directory of ANY mounted filesystem (most systems >> have /tmp as a world writable top level filesystem directory) can create a >> panic situation requiring a newfs of the said filesystem. A malicious user >> with root access can do this to /. Either way, on boot, or any attempt to >> mount said filesystem on a running system, will cause a panic, which of >> course will cause an unbootable system on reboot. >> >> How to repeat the problem: >> Compile and run the following as instructed: >> >> #include >> #include >> >> int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, 1024); >> for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", argv[1], i); >> system((const char *)buf);} return(0);} >> >> /* pass a top-level mountpoint directory name of a mounted filesystem, with >> a trailing slash to the above as argv[1], and run. >> >> This will create 10,000 zero-length files in the specified directory. >> >> umount that filesystem. >> >> perform a shitload of sync's to make sure everything outstanding is flushed >> to disk on all filesystems. >> >> mount the target filesystem (preferably from a vty or serial console to >> catch the messages when it panics, which it will as soon as the mount is >> attempted). >> */ >> >> Fix to the problem if known: >> newfs(8) >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >> > > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org" > _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"