Date: Thu, 25 Apr 1996 05:51:48 +1000
From: Bruce Evans <bde@zeta.org.au>
To: fty@mcnc.org, sos@FreeBSD.org
Cc: current@FreeBSD.org, freebsd-current@FreeBSD.org
Subject: Re: minor syscons bogon
Message-ID: <199604241951.FAA19518@godzilla.zeta.org.au>

>The fix may not be correct if it does in fact break /dev/console. But
>the scenario IS A BUG. The kernel should not allow an open/write to an
>unconfigured device with obviously bad results.
> >> if (!init_done)
> >> return(NULL);
> >> ! if (unit > MAXCONS || unit < 0)
> >> return(NULL);
> >> if (unit == MAXCONS)
> >> return CONSOLE_TTY;
> >> --- 305,311 ----
> >>
> >> if (!init_done)
> >> return(NULL);
> >> ! if (unit >= MAXCONS || unit < 0)
> >> return(NULL);
> >> if (unit == MAXCONS)
> >> return CONSOLE_TTY;

Note that (unit == MAXCONS) case is handled 2 lines after the patched line, and this handling is always a no-op if the patch is applied. Thus the patch is at best incomplete.

There are certainly some bugs here. If /dev/ttyvn exists for n = MAXCONS, then /dev/ttyvn is more or less an alias for /dev/console. This causes security holes if /dev/ttyvn has weaker ownership or permissions than /dev/console. Opening and closing /dev/ttyvn messes up last-close stuff for /dev/console (e.g., last-closing /dev/ttyvn nukes the console tty's pgrp and session pointers).

The problem is easy to work around: don't create /dev/ttyvn for n = MAXCONS. I consider requiring this to be acceptable, although the bug is in the kernel. Root should be very careful about the ownerships, permissions and existence of all devices.

There are many similar kernel bugs, because many drivers don't fully decode the minor number. E.g., the vn driver with slices disabled only decodes 5 unit bits, so there are 2^27 aliases for each device, 13 of which are created by `sh MAKEDEV vn0'.

Bruce
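
Review bot: on the new side of the hunk (--- 305,311 ----), tightening the bound to `unit >= MAXCONS` leaves the following `if (unit == MAXCONS) return CONSOLE_TTY;` unreachable, so a unit equal to MAXCONS now gets NULL instead of the console tty. Either remove the dead branch in the same change if that is the intent, or keep the `>` bound and add a comment stating that unit MAXCONS is reserved for the console, so the two checks cannot drift apart again.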
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199604241951.FAA19518>
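
An audit for the aliasing described in the message, as an added example (not code from the message or from FreeBSD): it groups device nodes by the minor bits a driver actually decodes and flags aliases whose ownership or permissions are weaker than the strictest node in the group. The major numbers, the decoded-bit table and the node inventory are constructed assumptions.

```python
from collections import defaultdict

# Assumption: bits of the minor number each driver actually decodes, keyed by
# major number. 0x1f models the "5 unit bits" case from the message; the major
# numbers themselves are made up for the sample.
DECODED_MINOR_BITS = {15: 0x1F}

# Constructed inventory (path, major, minor, mode, uid); not from a real system.
SAMPLE_NODES = [
    ("/dev/vn0", 15, 0, 0o640, 0),
    ("/dev/vn0-alias", 15, 0x20, 0o666, 0),   # differs only in undecoded bits
    ("/dev/vn1", 15, 1, 0o640, 0),
    ("/dev/vn1-copy", 15, 0x41, 0o640, 0),    # alias, same permissions
    ("/dev/other0", 20, 0, 0o600, 0),         # driver not in the table
]

def find_weaker_aliases(nodes, decoded_bits=DECODED_MINOR_BITS):
    """Group nodes that the driver would treat as the same device and report
    every node whose mode grants bits the strictest node in the group lacks,
    or whose owner differs from that node's owner."""
    groups = defaultdict(list)
    for path, major, minor, mode, uid in nodes:
        # Unknown driver: assume it decodes every minor bit (no aliases).
        mask = decoded_bits.get(major, 0xFFFFFFFF)
        groups[(major, minor & mask)].append((path, mode & 0o777, uid))
    findings = []
    for members in groups.values():
        if len(members) < 2:
            continue
        # Heuristic: strictest = fewest permission bits set; ties broken by path.
        ref_path, ref_mode, ref_uid = min(
            members, key=lambda m: (bin(m[1]).count("1"), m[0]))
        for path, mode, uid in members:
            extra = mode & ~ref_mode
            if path != ref_path and (extra or uid != ref_uid):
                findings.append((path, ref_path, oct(extra), uid != ref_uid))
    return sorted(findings)

if __name__ == "__main__":
    for path, ref, extra, owner_differs in find_weaker_aliases(SAMPLE_NODES):
        print(f"{path} aliases {ref}: extra mode bits {extra}, "
              f"owner differs: {owner_differs}")
```

On a live system the inventory can be built from `os.stat()` with `os.major()` and `os.minor()` on `st_rdev`; the decoded-bit table has to come from reading each driver.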