Date: Mon, 20 Jan 2003 19:02:31 +0300 (MSK)
From: Maxim Konovalov
To: qhwt@myrealbox.com
Cc: current@FreeBSD.org
Subject: Re: panic trying to chroot(2) on a script(?)
In-Reply-To: <20021003145236.GA633.qhwt@myrealbox.com>
Message-ID: <20030120185431.H53795@news1.macomnet.ru>
References: <20021003145236.GA633.qhwt@myrealbox.com>

[ CC: jhb and rwatson ]

On 23:52+0900, Oct 3, 2002, qhwt@myrealbox.com wrote:

> Hello.
> Last night I was trying to start an anonymous ftp server on my
> -current box for my local network. I made a mistake in vipw:
>
> ftp:*:44444:44444:Unprivileged user:/sbin/nologin:/home/mp3
>
> i.e., I wrote a path to a script where a directory is needed, and a
> directory where the path to the shell is needed. Without noticing, I
> started ftpd in standalone mode, and logged in as user ftp, when the
> box panicked:
>
> # /usr/libexec/ftpd -AD
> # ftp -4 localhost
>
> On a 4.7-RC1 box, this just spewed an error message in /var/log/messages
> and didn't panic, and man 2 chroot doesn't state it should.
> If there's something other than the backtrace (attached) that you need,
> let me know.

Yep, chroot("") panics -current. AFAIU the problem is in rev. 1.268 of
sys/kern/vfs_syscalls.c: we call vrele(9) in NDFREE(9) on an already
vrele-ed vnode (change_dir() takes care of that). Here is my patch, but I
need someone with more experience in this area.

Index: vfs_syscalls.c
===================================================================
RCS file: /home/ncvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.305
diff -u -r1.305 vfs_syscalls.c
--- vfs_syscalls.c	13 Jan 2003 00:28:55 -0000	1.305
+++ vfs_syscalls.c	20 Jan 2003 15:51:52 -0000
@@ -542,8 +542,10 @@ if ((error = change_dir(&nd, td)) != 0) goto error; #ifdef MAC - if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) + if ((error = mac_check_vnode_chroot(td->td_ucred, nd.ni_vp))) { + vput(vp); goto error; + } #endif FILEDESC_LOCK(fdp); if (chroot_allow_open_directories == 0 || @@ -567,7 +569,7 @@ FILEDESC_UNLOCK(fdp); error: mtx_unlock(&Giant); - NDFREE(&nd, 0); + NDFREE(&nd, NDF_ONLY_PNBUF); return (error); }
%%%

-- 
Maxim Konovalov, maxim@macomnet.ru, maxim@FreeBSD.org, +7 (095) 7969079
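Review bot: in the first hunk the new error path releases `vp` while the check it guards operates on `nd.ni_vp`, and nothing in the hunk shows `vp` holding that vnode at this point; the vnode that needs dropping after a failed mac_check_vnode_chroot() is `nd.ni_vp`. If change_dir() hands the vnode back unlocked on success, as the description of it in the mail suggests, `vput()` is also the wrong primitive and the line should read `vrele(nd.ni_vp);`. Once the second hunk stops NDFREE() from releasing `nd.ni_vp`, the same explicit release is needed on every other exit between this point and `error:`, for example a failure inside the `chroot_allow_open_directories` block that follows, otherwise those paths leak the reference.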
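Review bot: in the second hunk, `NDFREE(&nd, NDF_ONLY_PNBUF)` removes the double release on the change_dir() failure path, but it also means the reference namei() took on `nd.ni_vp` is no longer dropped at `error:` on the successful path. Unless the code above `error:` hands that reference to `fdp->fd_rdir` instead of taking a fresh one, or calls `vrele(nd.ni_vp)` itself, every successful chroot(2) now leaks one reference on the new root directory's vnode. Since `error:` is reached both before and after `nd.ni_vp` has been dealt with, a comment at the label stating which exits own that reference would make the invariant clear.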