From owner-freebsd-bugs Thu Nov 2 22:10:03 1995 Return-Path: owner-bugs Received: (from root@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id WAA20051 for bugs-outgoing; Thu, 2 Nov 1995 22:10:03 -0800 Received: (from gnats@localhost) by freefall.freebsd.org (8.6.12/8.6.6) id WAA20043 ; Thu, 2 Nov 1995 22:10:01 -0800 Resent-Date: Thu, 2 Nov 1995 22:10:01 -0800 Resent-Message-Id: <199511030610.WAA20043@freefall.freebsd.org> Resent-From: gnats (GNATS Management) Resent-To: freebsd-bugs Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, uhclem@fw.ast.com Received: from ast.com (irvine.ast.com [165.164.128.2]) by freefall.freebsd.org (8.6.12/8.6.6) with SMTP id WAA19707 for ; Thu, 2 Nov 1995 22:06:15 -0800 Received: from fw.ast.com by ast.com with SMTP id AA02511 (5.67b/IDA-1.5 for ); Thu, 2 Nov 1995 22:07:27 -0800 Received: from nemesis by fw.ast.com with uucp (Smail3.1.29.1 #4) id m0tBEym-00008HC; Thu, 2 Nov 95 23:47 CST Received: by nemesis.lonestar.org (Smail3.1.27.1 #19) id m0tBEwp-000J7oC; Thu, 2 Nov 95 23:45 WET Message-Id: Date: Thu, 2 Nov 95 23:45 WET From: uhclem%nemesis@fw.ast.com Reply-To: uhclem@fw.ast.com To: FreeBSD-gnats-submit@freebsd.org X-Send-Pr-Version: 3.2 Subject: kern/810: Some I/O attempts to CD-ROMs hang at isoilk FDIV038 Sender: owner-bugs@freebsd.org Precedence: bulk >Number: 810 >Category: kern >Synopsis: Some I/O attempts to CD-ROMs hangs at isoilk FDIV038 >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 2 22:10:00 PST 1995 >Last-Modified: >Originator: Frank Durda IV >Organization: >Release: FreeBSD 2.1.0-951026-SNAP >Environment: Freshly installed 2.1.0-951026-SNAP system with a CD-ROM drive (type doesn't seem to matter). >Description: If a normal (not root) user attempts an operation to a CD-ROM that fails (such as accidentally attempting to write to the drive), the next access of any type to the drive by any user will hang until reboot. This should be considered a denial-of-service security problem. >How-To-Repeat: As root mount a CD-ROM. I used the 2.0.5 Install CD. # mount -t cd9660 /dev/cd-of-your-choice /mnt # (This may have been done automatically when the system booted.) Now, login on a second terminal as a plain user: login: user1 Password: % pwd /usr/user1 % gunzip /mnt/packages/All/lynx-2.3.7.tgz (escapes may be used for filename completion) You get the non-helpful message: /mnt/packages/All/lynz-2.3.7.tgz: Operation not supported (Mental note: We need to add error codes for "Write Protected" and one for "Not Ready", instead of using "Not Configured" or "Not Supported" for these legitimate events.) Back to the issue at hand. % Now, realizing the error, type this: % cp /mnt/packages/All/ly The process is now hung. On the root screen, do a ps -alx and see: UID PID PPID CPU PRI NI VSZ RSS WCHAN STAT TT TIME COMMAND ... 1000 133 1 0 -14 0 488 360 isoilk Ds+ v2 0:01.47 -csh (csh) ... Naturally a kill -9 has no effect. A reboot is required. Any other process (including remote FTP) that attempts to touch ISO filesystems after this point also hangs. A related "attack" is to ftp the site remotely and attempt to PUT something in a directory on a CD-ROM. The system could probably be put in this hung state by a non-account-holder using anonymous FTP as well. Anonymous FTP sites with any of the accessible data on CD-ROMs should be aware of this issue. >Fix: Not known. This really should be fixed prior to 2.1 being released. >Audit-Trail: >Unformatted: