From owner-freebsd-bugs@FreeBSD.ORG Sat Oct 1 06:10:25 2005
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5776816A423 for ; Sat, 1 Oct 2005 06:10:25 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C401743D53 for ; Sat, 1 Oct 2005 06:10:24 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id j916AOLh076937 for ; Sat, 1 Oct 2005 06:10:24 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.3/8.13.1/Submit) id j916AOSo076936; Sat, 1 Oct 2005 06:10:24 GMT (envelope-from gnats)
Resent-Date: Sat, 1 Oct 2005 06:10:24 GMT
Resent-Message-Id: <200510010610.j916AOSo076936@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Guram Dukashvili
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 24D8216A420 for ; Sat, 1 Oct 2005 06:01:53 +0000 (GMT) (envelope-from korvin@post2.tehnomir.lipetsk.ru)
Received: from falcon.lipetsk.ru (falcon.lipetsk.ru [195.34.224.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3917943D49 for ; Sat, 1 Oct 2005 06:01:51 +0000 (GMT) (envelope-from korvin@post2.tehnomir.lipetsk.ru)
Received: from tehnomir.lipetsk.ru ([195.34.235.66]:52418 "EHLO post2.tehnomir.lipetsk.ru") by falcon.lipetsk.ru with ESMTP id S620363AbVJAGBu (ORCPT ); Sat, 1 Oct 2005 10:01:50 +0400
Received: from post2.tehnomir.lipetsk.ru (localhost.tehnomir.lipetsk.ru [127.0.0.1]) by post2.tehnomir.lipetsk.ru (8.13.4/8.13.3) with ESMTP id j915wY13031492 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sat, 1 Oct 2005 09:58:35 +0400 (MSD) (envelope-from korvin@post2.tehnomir.lipetsk.ru)
Received: (from korvin@localhost) by post2.tehnomir.lipetsk.ru (8.13.4/8.13.3/Submit) id j915wYUv031491; Sat, 1 Oct 2005 09:58:34 +0400 (MSD) (envelope-from korvin)
Message-Id: <200510010558.j915wYUv031491@post2.tehnomir.lipetsk.ru>
Date: Sat, 1 Oct 2005 09:58:34 +0400 (MSD)
From: Guram Dukashvili
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc:
Subject: kern/86775: system reboot without syncing
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Guram Dukashvili
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 01 Oct 2005 06:10:25 -0000

>Number:         86775
>Category:       kern
>Synopsis:       system reboot without syncing
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Oct 01 06:10:19 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Guram Dukashvili
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
>Environment:
System: FreeBSD post2.tehnomir.lipetsk.ru 5.4-STABLE FreeBSD 5.4-STABLE #0: Thu Sep 29 14:09:36 MSD 2005 root@post2.tehnomir.lipetsk.ru:/usr/obj/usr/src/sys/MCOM i386
>Description:
The kevent syscall with the aio filter invokes a system reboot without sync under a regular user and may be a security issue.
>How-To-Repeat:
/*
 * The header names of the original #include lines were lost in the
 * mailing-list archive; the list below is restored from the functions,
 * types and constants the program actually uses.
 */
#include <sys/types.h>
#include <sys/event.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <aio.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

class KQueue {
  public:
    ~KQueue();
    KQueue();
    KQueue & testRegularFiles();
  protected:
  private:
    int kqueue_;
};

KQueue::~KQueue()
{
  if( close(kqueue_) != 0 ){
    perror(NULL);
    abort();
  }
}

KQueue::KQueue()
{
  kqueue_ = kqueue();
  if( kqueue_ == -1 ){
    perror(NULL);
    abort();
  }
}

KQueue & KQueue::testRegularFiles()
{
  struct kevent kev;
  int f;

  /* O_CREAT needs a mode argument; the original call omitted it */
  f = open("qwert",O_RDWR | O_CREAT/* | O_NONBLOCK*/,0644);
  if( f == -1 ){
    perror(NULL);
    abort();
  }
  if( fcntl(f,F_SETFL,fcntl(f,F_GETFL,0) | O_NONBLOCK) != 0 ){
    perror(NULL);
    abort();
  }

  /* 1 MiB write submitted through aio, with completion delivered to the kqueue */
  char b[1 * 1024 * 1024];
  struct aiocb iocb;
  memset(&iocb,0,sizeof(iocb));
  iocb.aio_fildes = f;
  iocb.aio_nbytes = sizeof(b);
  iocb.aio_buf = b;
  iocb.aio_offset = 0;
  iocb.aio_sigevent.sigev_notify_kqueue = kqueue_;
  iocb.aio_sigevent.sigev_notify = SIGEV_KEVENT;
  if( aio_write(&iocb) != 0 ){
    perror(NULL);
    abort();
  }

  int kcount;
  /* first call blocks (pto == NULL); after the AIO event is seen, poll with a zero timeout */
  struct timespec timeout = { 0, 0 }, * pto = NULL;
  for(;;){
    kcount = kevent(kqueue_,NULL,0,&kev,1,pto);
    if( kcount == -1 ){
      perror(NULL);
      abort();
    }
    if( kcount == 0 ) break;
    if( kev.flags & EV_ERROR ){
      errno = kev.data;
      perror(NULL);
      abort();
    }
    if( kev.flags & EV_EOF ){
      if( (errno = kev.fflags) != 0 ){
        perror(NULL);
        abort();
      }
    }
    if( kev.filter == EVFILT_READ ){
      fprintf(stderr,"EVFILT_READ\n");
    }
    if( kev.filter == EVFILT_WRITE ){
      fprintf(stderr,"EVFILT_WRITE\n");
    }
    if( kev.filter == EVFILT_AIO ){
      fprintf(stderr,"EVFILT_AIO\n");
      /* re-register the completed AIO event; these flags invoke the reboot */
      kev.ident = (uintptr_t) &iocb;
      kev.filter = EVFILT_AIO;
      kev.flags |= EV_CLEAR;
      /* the system reboots after this call */
      if( kevent(kqueue_,&kev,1,NULL,0,NULL) == -1 ){
        perror(NULL);
        abort();
      }
    }
    pto = &timeout;
  }

  if( close(f) != 0 ){
    perror(NULL);
    abort();
  }
  return *this;
}

int main(int argc,char ** argv)
{
  KQueue kqueue;
  kqueue.testRegularFiles();
  return 0;
}
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: