Date: Tue, 13 Jun 2000 06:08:42 +1000 (EST)
From: Bruce Evans
To: Marius Bendiksen
Cc: security@FreeBSD.ORG
Subject: Re: msdosfs_vnops.c : msdosfs_rename()

On Mon, 12 Jun 2000, Marius Bendiksen wrote:

> It would appear to me that, in the following section, there is the
> potential for a malicious user to cause a system panic. Could anyone
> confirm/disaffirm this?
>
>         if (fvp == NULL) {
>                 /*
>                  * From name has disappeared
>                  */
>                 if (doingdirectory)
>                         panic("rename: lost dir entry");

No, this can only happen if there is a filesystem bug.

> This is after rescanning the directory during a rename operation. Neither
> the directory, nor the entry, is locked at this point, according to the
> comments in the source.

It is supposed to be locked by setting IN_RENAME in ip->i_flag. Note that
IN_RENAME is only set in the doingdirectory case.

I don't completely trust relookup(), however. In theory, the filesystem
tree may be almost arbitrarily rearranged while relookup() sleeps, since
relookup() doesn't hold many locks (in particular, it doesn't hold locks
on the directories being changed or their parents or grandparents until
it searches back down to them). I once made this happen in practice by
forcing some long sleeps and doing the rearrangement in another process.
There seemed to be problems, but I wasn't sure and have forgotten the
details.

Bruce