From owner-freebsd-bugs@FreeBSD.ORG Mon Feb 18 15:56:57 2008 Return-Path: Delivered-To: FreeBSD-bugs@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6D24916A420 for ; Mon, 18 Feb 2008 15:56:57 +0000 (UTC) (envelope-from admin@su29.net) Received: from aliska.alo.ru (aliska.alo.ru [80.251.131.12]) by mx1.freebsd.org (Postfix) with ESMTP id E8C3F13C4E5 for ; Mon, 18 Feb 2008 15:56:56 +0000 (UTC) (envelope-from admin@su29.net) Received: from aliska (aliska.alo.ru [80.251.131.12]) by aliska.alo.ru (Postfix) with SMTP id 49D8624CC80 for ; Mon, 18 Feb 2008 18:56:55 +0300 (MSK) Received: from ws.su29.net (ppp85-141-155-76.pppoe.mtu-net.ru [85.141.155.76]) by aliska.alo.ru (Postfix) with ESMTP id A181124CC11; Mon, 18 Feb 2008 18:56:54 +0300 (MSK) Message-ID: <47B9AAB3.4090407@su29.net> Date: Mon, 18 Feb 2008 18:56:35 +0300 From: "Alexander V. Chernikov" Organization: AlmazTelecom User-Agent: Thunderbird 2.0.0.9 (X11/20080210) MIME-Version: 1.0 To: Daniel Corrigan References: <47B90868.7000900@electron-tube.net> <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> In-Reply-To: <291ddc4f0802180714g3d326626v9d9b767a61232cec@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org, FreeBSD-bugs@freebsd.org, freebsd-stable@freebsd.org Subject: Re: How to take down a system to the point of requiring a newfs with one line of C (userland) X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: admin@su29.net List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2008 15:56:57 -0000 Daniel Corrigan wrote: > Since this was released to a public mailing list, I can only assume some > less than nice user will attempt this. > The only top level file system I have that can be written to by normal users > is /tmp > > Should clear_tmp_enable="YES" in /etc/rc.conf prevent this from causing > harm? /etc/rc.d/cleartmp does /tmp clearing only at startup, after file systems are mounted. > > Dan > > On Feb 17, 2008 10:24 PM, Jim Bryant wrote: > >> One line summary: >> Too many files in a top-level UFS-2 filesystem directory will cause >> a panic on mount. >> >> Kern/Critical/High Priority/SW-Bug >> >> Which FreeBSD Release You Are Using: >> 6.3-STABLE >> >> Environment (output of "uname -a" on the problem machine): >> FreeBSD wahoo.sd67dfl.org 6.3-STABLE FreeBSD 6.3-STABLE #0: Sun Feb >> 10 21:13:39 CST 2008 >> jbryant@wahoo.sd67dfl.org:/usr/obj/usr/src/sys/WAHOO-SMP i386 >> >> Note: I just cvsupped earlier, and no changes have been put into >> cvsup that would fix this problem. >> >> Full Description: >> I was doing a reorganization of my filesystems, and since I do >> offline installs, I keep a local distfiles collection (or did until >> yesterday when this happened), and in the process, put all of the >> distfiles on their own filesystem to be mounted under >> /usr/ports/distfiles. >> >> All was fine until I rebooted. >> >> On rebooting, I got a page fault panic on mount of the new distfiles >> filesystem. >> >> i booted again, got it again, booted again this time into single-user, >> and did a fsck on the filesystem, and it only showed as being "dirty", >> but otherwise had no problems in the eyes of fsck. booted again, >> instant panic. >> >> i booted an older 6.2 CD and mounted the filesystem fine. i then put >> that filesystem the way it was by mkdir'ing a distfiles dir and mv'ing >> everything into it, but on reboot it still paniced on mount. >> >> only a newfs was able to enable the filesystem to be mounted. >> >> today i did further research, thinking it had to do with the number of >> files in the top-level filesystem directory, and found that to be true. >> the short c program in the next section (how to repeat the problem) >> contains this. >> >> a second test shows that, after a newfs, if this done in any >> subdirectory of that filesystem, the panic is averted, and all is well. >> apparently this bug only effects top-level directories of a UFS2 >> filesystem. >> >> I have not attempted this to a non-UFS2 filesystem. >> >> IMHO, a security advisory should be released, since any user with write >> access to ANY top level directory of ANY mounted filesystem (most >> systems have /tmp as a world writable top level filesystem directory) >> can create a panic situation requiring a newfs of the said filesystem. >> A malicious user with root access can do this to /. Either way, on >> boot, or any attempt to mount said filesystem on a running system, will >> cause a panic, which of course will cause an unbootable system on reboot. >> >> How to repeat the problem: >> Compile and run the following as instructed: >> >> #include >> #include >> >> int main(int argc, char **argv) { int i; char buf[1024]; bzero(buf, >> 1024); for(i = 0; i < 10000; i++) { sprintf(buf, "touch %s%05d\n", >> argv[1], i); system((const char *)buf);} return(0);} >> >> /* pass a top-level mountpoint directory name of a mounted filesystem, >> with a trailing slash to the above as argv[1], and run. >> >> This will create 10,000 zero-length files in the specified directory. >> >> umount that filesystem. >> >> perform a shitload of sync's to make sure everything outstanding is >> flushed to disk on all filesystems. >> >> mount the target filesystem (preferably from a vty or serial console to >> catch the messages when it panics, which it will as soon as the mount is >> attempted). >> */ >> >> Fix to the problem if known: >> newfs(8) >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org >> " >> > _______________________________________________ > freebsd-fs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-fs > To unsubscribe, send any mail to "freebsd-fs-unsubscribe@freebsd.org" > >