Date: Mon, 30 Jul 2001 02:03:31 -0700
From: Dima Dorfman <dima@unixfreak.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: current@FreeBSD.org, phk@FreeBSD.org
Subject: Re: md/mdmfs bugs
Message-ID: <20010730090336.2B9203E28@bazooka.unixfreak.org>
In-Reply-To: <20010729185401.A642@xor.obsecurity.org>; from kris@obsecurity.org on "Sun, 29 Jul 2001 18:54:01 -0700"
Kris Kennaway <kris@obsecurity.org> writes:

> 1) For some reason, my mdmfs line in /etc/fstab always does a chmod
> 777 /tmp at mount-time
>
> /dev/md0 /tmp mfs rw,-s=65536 0 0

I can't reproduce this. You say it "does a chmod"; does that mean you see it calling chmod(2) (see as in using truss(1), or the undocumented -X option), or is the symptom that it "winds up with mode 777"? Also, does it happen when you run mdmfs from the command line, and/or with directories other than /tmp?

> 2) the -X debugging option to mdmfs isn't documented in the manpage

Oops, will fix.

> 3) The following sequence of commands will cause my -current box to blow up:
>
> Step 1: disklabel -r -w md1c auto
                               ^
Disklabel wants the disk name, not the partition. This is still a panic(8)/hang(8) implementation, but it doesn't deprive you of any functionality.

> where md1 isn't a valid configured md instance. This command spits
> out a driver_mistake console warning message
> Step 2: mdconfig -d -u md1
> Step 3: Watch the console spew messages in an infinite loop until the
> end of time (Step 3 is optional).

This is actually a bug in the disk minilayer. md(4) is just the most convenient driver to exploit those bugs, which is why we don't see stuff like this happening with ad/da. Furthermore, this is actually an exception-handling bug, not a real functionality problem. Notice how you call disklabel with "md1c" as an argument, while disklabel wants the name of the *disk*, not the partition! What ends up happening is that disklabel tries to access "md1cc", which isn't valid. However, when subr_disk.c::disk_clone() parses the name to clone, it only parses it up to where it got all the information it wants (it wants the unit, slice, and partition). This means that asking it to clone "md1cKRIS" will work just fine (try it: ls -l /dev/md1cKRIS); the major/minor will be the same as md1c. How should this be handled? It can either strip off the extraneous parts, or it can do nothing.
Either of these will remove the cause of the infinite loop (step 3). I've attached a patch that does the latter as a proof-of-concept. All that said, I probably just scratched the surface, and likely got a few points even doing that. I'm sure phk will find the "real" problem when he wakes up :-).

Index: subr_disk.c =================================================================== RCS file: /ref/cvsf/src/sys/kern/subr_disk.c,v retrieving revision 1.41 diff -u -r1.41 subr_disk.c --- subr_disk.c 2001/05/29 18:19:57 1.41 +++ subr_disk.c 2001/07/30 08:42:25 @@ -82,6 +82,10 @@ continue; else p = name[i] - 'a'; + if (name[++i] != '\0') { + printf("WARNING: attempt to access %s\n", name); + return; + } } *dev = make_dev(pdev->si_devsw, dkmakeminor(u, s, p),
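Review bot: the new check uses `name[++i]`, which advances the loop index in place; when the partition letter is the last character the check falls through, the enclosing loop's own increment then moves `i` past the terminating NUL, so confirm the loop condition is bounded by `namelen` rather than by the string contents, or test `name[i + 1]` without modifying `i`. The `printf("WARNING: attempt to access %s\n", name)` also echoes a name that arrives straight from a devfs lookup (the `ls -l /dev/md1cKRIS` example in the mail shows how easily one is supplied), so an unprivileged caller can fill the console log; the bare `return`, which leaves `*dev` untouched so the caller sees no clone, is the part that actually stops the loop, and the message should be rate-limited or dropped.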
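As an added illustration (not the kernel's disk_clone() and not part of this mail), a user-space model of the name parsing described above: the lenient parser stops once it has unit, slice and partition, so "md1cKRIS" and "md1cc" resolve the same as "md1c"; the strict parser rejects anything after the partition letter. The base-name prefix, the "s<n>" slice syntax and the default partition are simplified assumptions, not the kernel's minor-number encoding.

```c
/* Hypothetical model of disk-name parsing: "<base><unit>[s<slice>][a-h]". */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct dkname { int unit, slice, part; };

/* Returns 0 and fills out on success, -1 when name does not match base.
 * strict != 0 rejects trailing characters; strict == 0 reproduces the
 * lenient "stop once we have what we want" behaviour from the mail. */
int parse_dkname(const char *name, const char *base, int strict,
                 struct dkname *out)
{
    size_t blen = strlen(base);
    const char *p;

    if (strncmp(name, base, blen) != 0 || !isdigit((unsigned char)name[blen]))
        return -1;
    p = name + blen;
    out->unit = 0;
    while (isdigit((unsigned char)*p))
        out->unit = out->unit * 10 + (*p++ - '0');
    out->slice = 0;                     /* assumed: 0 = no slice given */
    if (*p == 's' && isdigit((unsigned char)p[1])) {
        p++;
        while (isdigit((unsigned char)*p))
            out->slice = out->slice * 10 + (*p++ - '0');
    }
    out->part = 'c' - 'a';              /* assumed default: partition c */
    if (*p >= 'a' && *p <= 'h')
        out->part = *p++ - 'a';
    if (strict && *p != '\0')           /* "md1cc", "md1cKRIS" stop here */
        return -1;
    return 0;
}

int main(void)
{
    const char *names[] = { "md1c", "md1cc", "md1cKRIS", "md1s2a" }; /* constructed */
    struct dkname d;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int lenient = parse_dkname(names[i], "md", 0, &d);
        int strict = parse_dkname(names[i], "md", 1, &d);
        printf("%-9s lenient=%d strict=%d unit=%d slice=%d part=%d\n",
               names[i], lenient, strict, d.unit, d.slice, d.part);
    }
    return 0;
}
```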