Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 7 Mar 2019 12:59:59 +0200
From:      Konstantin Belousov <kostikbel@gmail.com>
To:        Conrad Meyer <cem@FreeBSD.org>
Cc:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   Re: svn commit: r344857 - head/sys/fs/fuse
Message-ID:  <20190307105959.GJ2492@kib.kiev.ua>
In-Reply-To: <201903062256.x26Munf3054948@repo.freebsd.org>
References:  <201903062256.x26Munf3054948@repo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Wed, Mar 06, 2019 at 10:56:49PM +0000, Conrad Meyer wrote:
> Author: cem
> Date: Wed Mar  6 22:56:49 2019
> New Revision: 344857
> URL: https://svnweb.freebsd.org/changeset/base/344857
> 
> Log:
>   FUSE: Prevent trivial panic
>   
>   When open(2) was invoked against a FUSE filesystem with an unexpected flags
>   value (no O_RDONLY / O_RDWR / O_WRONLY), an assertion fired, causing panic.
Did you miss O_EXEC ?   O_RDONLY is defined as zero, and we interpret the
flags as having O_RDONLY if no other flags were passed.

VFS guarantees that one of the O_EXEC/FREAD/FWRITE flag is always
there.  If it does not, it is bug.  See the code at the start of
kern_openat().

>   
>   For now, prevent the panic by rejecting such VOP_OPENs with EINVAL.
>   
>   This is not considered the correct long term fix, but does prevent an
>   unprivileged denial-of-service.
>   
>   PR:		236329
>   Reported by:	asomers
>   Reviewed by:	asomers
>   Sponsored by:	Dell EMC Isilon
> 
> Modified:
>   head/sys/fs/fuse/fuse_vnops.c
> 
> Modified: head/sys/fs/fuse/fuse_vnops.c
> ==============================================================================
> --- head/sys/fs/fuse/fuse_vnops.c	Wed Mar  6 22:13:53 2019	(r344856)
> +++ head/sys/fs/fuse/fuse_vnops.c	Wed Mar  6 22:56:49 2019	(r344857)
> @@ -1174,6 +1174,9 @@ fuse_vnop_open(struct vop_open_args *ap)
>  	if (fuse_isdeadfs(vp)) {
>  		return ENXIO;
>  	}
> +	if ((mode & (FREAD | FWRITE)) == 0)
> +		return EINVAL;
> +
>  	fvdat = VTOFUD(vp);
>  
>  	if (vnode_isdir(vp)) {

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190307105959.GJ2492>