From owner-freebsd-security  Thu Jun 22 19:12:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail-relay.eunet.no (mail-relay.eunet.no [193.71.71.242])
	by hub.freebsd.org (Postfix) with ESMTP id 2696D37B59E
	for <security@FreeBSD.ORG>; Thu, 22 Jun 2000 19:12:31 -0700 (PDT)
	(envelope-from mbendiks@eunet.no)
Received: from login-1.eunet.no (login-1.eunet.no [193.75.110.2])
	by mail-relay.eunet.no (8.9.3/8.9.3/GN) with ESMTP id EAA57962;
	Fri, 23 Jun 2000 04:12:29 +0200 (CEST)
	(envelope-from mbendiks@eunet.no)
Received: from localhost (mbendiks@localhost)
	by login-1.eunet.no (8.9.3/8.8.8) with ESMTP id EAA82637;
	Fri, 23 Jun 2000 04:12:29 +0200 (CEST)
	(envelope-from mbendiks@eunet.no)
X-Authentication-Warning: login-1.eunet.no: mbendiks owned process doing -bs
Date: Fri, 23 Jun 2000 04:12:29 +0200 (CEST)
From: Marius Bendiksen <mbendiks@eunet.no>
To: Bruce Evans <bde@zeta.org.au>
Cc: security@FreeBSD.ORG
Subject: Re: msdosfs_vnops.c : msdosfs_rename()
In-Reply-To: <Pine.BSF.4.21.0006130546390.868-100000@besplex.bde.org>
Message-ID: <Pine.BSF.4.05.10006230410590.82462-100000@login-1.eunet.no>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> It is supposed to be locked by setting IN_RENAME in ip->i_flag.  Note that
> IN_RENAME is only set in the doingdirectory case.

According to the comments, nothing is locked at all.

> I don't completely trust relookup(), however.  In theory, the filesystem
> tree may be almost arbitrarily rearranged while relookup() sleeps, since 
> relookup() doesn't hold many locks (in particular, it doesn't hold locks
> on the directories being changed or their parents or grandparents until
> it searches back down to them).  I once made this happen in practice by
> forcing some long sleeps and doing the rearrangement in another process.
> There seemed to be problems, but I wasn't sure and have forgotten the
> details.

This is what I am talking about. It is, from what I see, possible to cause
a problem by rearranging the directory (specifically, removing the source
name) during a relookup. This would then cause a panic.

Marius



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message