From owner-freebsd-stable@FreeBSD.ORG Tue Mar 14 12:02:02 2006
From: Kostik Belousov <kostikbel@gmail.com>
To: David Xu
Cc: freebsd-stable@freebsd.org, bug-followup@freebsd.org, Martin
Date: Tue, 14 Mar 2006 14:01:53 +0200
Subject: [patch] Re: kern/94278: Crash with FIFOs and ktrace
Message-ID: <20060314120153.GL37572@deviant.kiev.zoral.com.ua>
In-Reply-To: <200603141641.32705.davidxu@freebsd.org>
References: <200603111140.k2BBerFh096411@freefall.freebsd.org> <200603140744.34246.davidxu@freebsd.org> <4416705A.50708@nurfuerspam.de> <200603141641.32705.davidxu@freebsd.org>
List-Id: Production branch of FreeBSD source code (freebsd-stable@freebsd.org)

On Tue, Mar 14, 2006 at 04:41:32PM +0800, David Xu wrote:
> On Tuesday 14 March 2006 15:27, Martin wrote:
> >
> > David Xu wrote:
> >
> > > Can anyone add this to the 6.1 todo list? This definitely should be fixed before
> > > 6.1R.
> >
> > One of my friends also has found kern/94278:
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=94278
> >
> > There is no comment on it so far. This crash (without panic)
> > is not less important, in my opinion.
> >
> > Martin
>
> Yeah, fifo refuses to work if the caller did not allocate a FILE structure
> for it, but ktrace insists that it should work without a FILE; it believes
> a vnode is enough for everything. I am really tired of such arch breakage.
>
> David Xu

In fact, the problem affects most places where the kernel tries writing to a
file, because usually the code does not allocate a file descriptor for the
write but uses direct vnode access. I found approximately a dozen such
places. BTW, the case for fhopen seems to be remotely exploitable.

The long-term fix would be to correctly integrate fifo into VFS instead of
overloading the file-op structure for vnodes. For now, please try the
following patch:

Index: compat/linux/linux_misc.c
===================================================================
RCS file: /usr/local/arch/ncvs/src/sys/compat/linux/linux_misc.c,v
retrieving revision 1.172
diff -u -r1.172 linux_misc.c
--- compat/linux/linux_misc.c	28 Dec 2005 07:08:54 -0000	1.172
+++ compat/linux/linux_misc.c	14 Mar 2006 11:45:57 -0000
@@ -310,6 +310,21 @@ * XXX: This should use vn_open() so that it is properly authorized, * and to reduce code redundancy all over the place here. */ + if (vp->v_type =3D=3D VLNK) { + error =3D EMLINK; + goto cleanup; + } + if (vp->v_type =3D=3D VSOCK) { + error =3D EOPNOTSUPP; + goto cleanup; + } + if (vp->v_type =3D=3D VFIFO) { + /* Due to way fifo works (by overloading f_ops), + * tricking kernel into write to the fifo leads to + * panic. Make a band-aid to filter the case. */ + error =3D EOPNOTSUPP; + goto cleanup; + } #ifdef MAC error =3D mac_check_vnode_open(td->td_ucred, vp, FREAD); if (error) Index: fs/fifofs/fifo_vnops.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/local/arch/ncvs/src/sys/fs/fifofs/fifo_vnops.c,v retrieving revision 1.132 diff -u -r1.132 fifo_vnops.c --- fs/fifofs/fifo_vnops.c 1 Oct 2005 20:15:41 -0000 1.132 +++ fs/fifofs/fifo_vnops.c 14 Mar 2006 11:46:07 -0000 @@ -168,6 +168,7 @@ int a_mode; struct ucred *a_cred; struct thread *a_td; + int a_fdidx; } */ *ap; { struct vnode *vp =3D ap->a_vp; Index: kern/vfs_syscalls.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/local/arch/ncvs/src/sys/kern/vfs_syscalls.c,v retrieving revision 1.411 diff -u -r1.411 vfs_syscalls.c --- kern/vfs_syscalls.c 4 Mar 2006 00:09:09 -0000 1.411 +++ kern/vfs_syscalls.c 14 Mar 2006 11:46:10 -0000 
@@ -4101,6 +4101,13 @@ error =3D EOPNOTSUPP; goto bad; } + if (vp->v_type =3D=3D VFIFO) { + /* Due to way fifo works (by overloading f_ops), + * tricking kernel into write to the fifo leads to + * panic. Make a band-aid to filter the case. */ + error =3D EOPNOTSUPP; + goto bad; + } mode =3D 0; if (fmode & (FWRITE | O_TRUNC)) { if (vp->v_type =3D=3D VDIR) { Index: kern/vfs_vnops.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /usr/local/arch/ncvs/src/sys/kern/vfs_vnops.c,v retrieving revision 1.238 diff -u -r1.238 vfs_vnops.c --- kern/vfs_vnops.c 11 Mar 2006 17:14:05 -0000 1.238 +++ kern/vfs_vnops.c 14 Mar 2006 11:46:10 -0000 @@ -194,6 +194,13 @@ error =3D EOPNOTSUPP; goto bad; } + if ((vp->v_type =3D=3D VFIFO) && (fdidx < 0)) { + /* Due to way fifo works (by overloading f_ops), + * tricking kernel into write to the fifo leads to + * panic. Make a band-aid to filter the case. */ + error =3D EOPNOTSUPP; + goto bad; + } mode =3D 0; if (fmode & (FWRITE | O_TRUNC)) { if (vp->v_type =3D=3D VDIR) { --kUBUi7JBpjcBtem/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (FreeBSD) iD8DBQFEFrCwC3+MBN1Mb4gRAonRAKDgl2lTuQTIAlJk0hc6ZkGV2u57ugCfR5cp Z/F+c/Kwf++VHIHPhQ2PoHc= =Au9C -----END PGP SIGNATURE----- --kUBUi7JBpjcBtem/--
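Review bot: in the compat/linux/linux_misc.c hunk (@@ -310,6 +310,21 @@) the new VFIFO comment says "tricking kernel into write to the fifo leads to panic", but this path opens the vnode for reading only, as the `mac_check_vnode_open(td->td_ucred, vp, FREAD)` call directly below shows; either reword the comment to say that any I/O through a fifo vnode that has no struct file behind it hits the overloaded f_ops, or explain why a read-only open needs the band-aid. The VLNK and VSOCK rejections added in the same hunk re-implement checks that the preceding `XXX: This should use vn_open()` comment already says belong in vn_open(); if the call is not going to be converted now, a one-line note that these mirror vn_open() would help keep them from drifting apart.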
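Review bot: the fs/fifofs/fifo_vnops.c hunk (@@ -168,6 +168,7 @@) only adds `int a_fdidx;` to the commented-out `struct vop_open_args` block that documents fifo_open()'s argument (`} */ *ap;`), so it changes no behaviour, and nothing in the hunk shows fifo_open() consulting `ap->a_fdidx`. Since the vn_open() band-aid keys on `fdidx < 0`, the natural place for a single check is here: have fifo_open() itself refuse an open with `a_fdidx < 0`, which covers every caller that reaches VOP_OPEN without going through vn_open() instead of patching call sites one by one (the mail counts about a dozen). If the comment-only change is meant just to keep the documented argument list current, say so in the commit message.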
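Review bot: in the kern/vfs_syscalls.c hunk (@@ -4101,6 +4101,13 @@) the VFIFO rejection is unconditional, whereas the equivalent check added to kern/vfs_vnops.c is guarded by `fdidx < 0`; the two should agree, or the comment should say why this caller can never legitimately open a fifo (the hunk does not show whether it goes on to allocate a struct file). The same three-line comment is pasted verbatim into three files; pointing at the vn_open() copy instead would keep one explanation to update. Minor: "Due to way fifo works" should read "Due to the way fifo works", and style(9) wants a multi-line comment to start with `/*` on its own line rather than `/* Due to way fifo works (by overloading f_ops),`.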
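Review bot: in the kern/vfs_vnops.c hunk (@@ -194,6 +194,13 @@) the new `if ((vp->v_type == VFIFO) && (fdidx < 0))` check sits before the `if (fmode & (FWRITE | O_TRUNC))` block, so it rejects read-only opens as well, while the comment talks only about writes; either broaden the comment (a read through a fifo vnode with no struct file goes through the same overloaded f_ops) or add `&& (fmode & FWRITE)` if only the write path is known to panic. The extra parentheses around each comparison are not needed, and the comment should open with `/*` on its own line per style(9), matching the existing comment style in this file.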