Date:      Wed, 27 Mar 2019 21:44:09 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 236836] Kernel panic from calling mq_open("/.", ...) as root
Message-ID:  <bug-236836-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236836

            Bug ID: 236836
           Summary: Kernel panic from calling mq_open("/.", ...) as root
           Product: Base System
           Version: 12.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: t.b.moltu@lyse.net

Created attachment 203197
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=203197&action=edit
Untested patch for rejecting "/." and "/.." with EACCES

After loading the mqueuefs module, calling mq_open() with "/.." or "/." as name
in a C program run by root crashes the system. I assume it's a panic but it
reboots too quickly to read the text. Doing this as non-root does nothing and
EACCES is produced.

mq_unlink("/.") as root successfully removes . from mqueuefs, and
mq_unlink("/..") as root removes both .. and .
Trying to unlink either as non-root just produces EACCES.
After this a non-root user can create queues with these names and use them as
any other queue.
Listing the directory where mqueuefs is mounted while . or .. exists as queues
also crashes the system.

I have not tested whether programs running inside jails can cause this crash or
also get EACCES.

I've created a patch which I think should fix this, but I haven't tested it at
all.

I wasn't sure whether to pick 12.0-RELEASE or 12.0-STABLE; uname -a says:
FreeBSD freebsd 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC  amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.
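
Added example, not the attached patch (attachment 203197 is not reproduced on this page) and not FreeBSD kernel code: a userspace C version of the name check the report describes, rejecting "/." and "/.." with EACCES for every caller, root included. The function name `ex_mq_check_name`, the `EX_MQ_NAME_MAX` limit and the EINVAL/ENAMETOOLONG cases are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define EX_MQ_NAME_MAX 255	/* assumed limit for this example */

/*
 * Hypothetical helper: decide whether `name` may be used as a queue name
 * by mq_open()/mq_unlink(). Returns 0 if acceptable, otherwise an errno value.
 */
int
ex_mq_check_name(const char *name)
{
	size_t len;

	if (name == NULL)
		return (EINVAL);
	len = strlen(name);
	/* Assumed format: "/" followed by exactly one non-empty component. */
	if (len < 2 || name[0] != '/' || strchr(name + 1, '/') != NULL)
		return (EINVAL);
	if (len - 1 > EX_MQ_NAME_MAX)
		return (ENAMETOOLONG);
	/*
	 * "." and ".." are entries of the mqueuefs directory itself, not
	 * queues. Reject them before any credential check, so root gets the
	 * same EACCES the report observed for non-root callers.
	 */
	if (strcmp(name + 1, ".") == 0 || strcmp(name + 1, "..") == 0)
		return (EACCES);
	return (0);
}

int
main(void)
{
	/* Constructed sample names, not taken from the report's program. */
	const char *names[] = { "/.", "/..", "/...", "/.queue", "/queue",
	    "queue", "/a/b", "/" };
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		int rc = ex_mq_check_name(names[i]);
		printf("%-8s -> %s\n", names[i], rc == 0 ? "ok" : strerror(rc));
	}
	return (0);
}
```

Names that merely begin with a dot, such as "/..." or "/.queue", pass the check; only the two exact directory entries are refused.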


