From crow@kapu.hu  Tue Aug 21 13:06:57 2001
Return-Path: <crow@kapu.hu>
Received: from mail.kapu.hu (mail.kapu.hu [195.70.32.236])
	by hub.freebsd.org (Postfix) with ESMTP id 1DAD837B403
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 21 Aug 2001 13:06:56 -0700 (PDT)
	(envelope-from crow@kapu.hu)
Received: from cmt.city.tvnet.hu ([195.38.101.186] helo=darksun)
	by mail.kapu.hu with esmtp (Exim 3.31 #5)
	id 15ZHnf-00040A-00
	for FreeBSD-gnats-submit@freebsd.org; Tue, 21 Aug 2001 22:06:59 +0200
Message-Id: <998424471.1690.18.camel@DarkSun>
Date: 21 Aug 2001 22:07:51 +0200
From: Foldi Tamas <crow@kapu.hu>
To: FreeBSD-gnats-submit@freebsd.org
Subject: problems with kern.corefile handling

>Number:         29931
>Category:       kern
>Synopsis:       if expand_name() returns NULL, coredump() crashes the kernel
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    roam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 21 13:10:01 PDT 2001
>Closed-Date:    Mon Sep 24 09:17:08 PDT 2001
>Last-Modified:  Mon Sep 24 09:17:39 PDT 2001
>Originator:     Foldi Tamas
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
Nektor IT
>Environment:
System: FreeBSD mancika.kapusoft 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Sat Apr 21 10:54:49 GMT 2001 jkh@narf.osd.bsdi.com:/usr/src/sys/compile/GENERIC i386

Generic kernel. x86 architecture. 


>Description:

When expand_name() generates a too-large core filename, its return value
is a NULL address. This NULL value is given to vn_open(), which causes a kernel
panic. In some cases (non-default kern.corefile settings) users can freeze
the system (of course, root always can).
 

>How-To-Repeat:

#!/bin/sh

# Set a kern.corefile template that expands past the kernel's path limit:
# 512 copies of "%N" (the process name) make expand_name() give up and
# return NULL.
/sbin/sysctl -w kern.corefile=`perl -e 'print "%N" x 512'`

# Build a program that dereferences an uninitialised pointer, so that it
# segfaults and the kernel attempts to write a core file.
echo '#include <stdio.h>' > /tmp/seg.c
echo 'int main (){int *a;printf("segfaulting...\n");printf("%u",*a);return 0;}' >> /tmp/seg.c

cd /tmp && make seg && /tmp/seg
cd -


>Fix:

--- kern_sig.c.orig     Thu Feb 22 06:15:04 2001
+++ kern_sig.c  Tue Aug 21 11:35:35 2001
@@ -1620,6 +1620,8 @@
                return 0;
        name = expand_name(p->p_comm, p->p_ucred->cr_uid, p->p_pid);
+       if (name == NULL)
+               return (EINVAL);
        NDINIT(&nd, LOOKUP, NOFOLLOW, UIO_SYSSPACE, name, p);
        error = vn_open(&nd, O_CREAT | FWRITE | O_NOFOLLOW, S_IRUSR | S_IWUSR);
        free(name, M_TEMP);
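Review bot: consider returning ENAMETOOLONG instead of EINVAL at the new `return (EINVAL);`, since the description says expand_name() only returns NULL when the expanded core-file name is too long, and a one-line comment above the check saying so would document why the early return exists. The placement itself is right: the check runs before NDINIT() and vn_open() ever see the name, and skipping `free(name, M_TEMP)` on this path is correct because expand_name() handed back no buffer.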



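A userland model of the failure path described in the report, added here as an illustration and not code from the PR or from the FreeBSD kernel: a template expander that returns NULL when the expanded core-file name would not fit in MAXPATHLEN, next to a caller carrying the guard the patch adds. Only %N appears in the report; the %P and %U specifiers, the MAXPATHLEN value and both function signatures are assumptions of this model.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAXPATHLEN 1024  /* stand-in for the kernel's path limit (assumed) */

/* Expand a kern.corefile template into a malloc'd string (%N process name,
 * %P pid, %U uid); NULL when the result would exceed MAXPATHLEN. */
char *expand_name(const char *fmt, const char *comm, unsigned uid, unsigned pid)
{
    char *out = malloc(MAXPATHLEN);
    size_t n = 0;
    if (out == NULL)
        return NULL;
    for (const char *p = fmt; *p != '\0'; p++) {
        char piece[32];
        const char *s = piece;
        if (*p == '%' && p[1] != '\0') {
            switch (*++p) {
            case 'N': s = comm; break;
            case 'P': snprintf(piece, sizeof piece, "%u", pid); break;
            case 'U': snprintf(piece, sizeof piece, "%u", uid); break;
            default:  snprintf(piece, sizeof piece, "%%%c", *p); break;
            }
        } else {
            piece[0] = *p; piece[1] = '\0';
        }
        size_t len = strlen(s);
        if (n + len >= MAXPATHLEN) {  /* out of room; this is the PR's case */
            free(out);
            return NULL;
        }
        memcpy(out + n, s, len);
        n += len;
    }
    out[n] = '\0';
    return out;
}

/* Caller with the PR's guard; without it a NULL name reached vn_open().
 * Copies the expanded path into `path`, returns 0 or EINVAL as the patch does. */
int coredump_path(const char *fmt, const char *comm, unsigned uid, unsigned pid, char *path, size_t pathsz)
{
    char *name = expand_name(fmt, comm, uid, pid);
    if (name == NULL)
        return EINVAL;
    snprintf(path, pathsz, "%s", name);
    free(name);
    return 0;
}
```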
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->roam 
Responsible-Changed-By: dd 
Responsible-Changed-When: Thu Aug 23 14:21:23 PDT 2001 
Responsible-Changed-Why:  
Peter inquired about this on -arch, so it's his problem now :-). 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29931 

From: Dima Dorfman <dima@unixfreak.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc: arch@FreeBSD.org
Subject: Re: kern/29931: problems with kern.corefile handling 
Date: Thu, 23 Aug 2001 14:21:18 -0700

 Peter Pentchev <roam@ringlet.net> writes:
 > This looks genuine.  Any objections to committing it, and MFC'ing before
 > 4.4 comes out?
 
 I don't see any reason to rush the MFC.

From: Peter Pentchev <roam@ringlet.net>
To: Dima Dorfman <dima@unixfreak.org>
Cc: freebsd-gnats-submit@FreeBSD.org, arch@FreeBSD.org
Subject: Re: kern/29931: problems with kern.corefile handling
Date: Fri, 24 Aug 2001 00:29:24 +0300

 On Thu, Aug 23, 2001 at 02:21:18PM -0700, Dima Dorfman wrote:
 > Peter Pentchev <roam@ringlet.net> writes:
 > > This looks genuine.  Any objections to committing it, and MFC'ing before
 > > 4.4 comes out?
 > 
 > I don't see any reason to rush the MFC.
 
 Mmmm.. preventing foot-shooting?  A panicked kernel is a bit too harsh
 a punishment for a misconfigured kern.corefile, IMHO..
 Granted, this level of misconfiguration is not easy to attain ;)
 But it could always happen as a result of a cut-and-paste-o and
 corefiles kept in a central directory or something..
 
 G'luck,
 Peter
 
 -- 
 I am jealous of the first word in this sentence.

From: Dima Dorfman <dima@unixfreak.org>
To: Peter Pentchev <roam@ringlet.net>
Cc: freebsd-gnats-submit@FreeBSD.org, arch@FreeBSD.org
Subject: Re: kern/29931: problems with kern.corefile handling 
Date: Thu, 23 Aug 2001 14:46:03 -0700

 Peter Pentchev <roam@ringlet.net> writes:
 > On Thu, Aug 23, 2001 at 02:21:18PM -0700, Dima Dorfman wrote:
 > > Peter Pentchev <roam@ringlet.net> writes:
 > > > This looks genuine.  Any objections to committing it, and MFC'ing before
 > > > 4.4 comes out?
 > > 
 > > I don't see any reason to rush the MFC.
 > 
 > Mmmm.. preventing foot-shooting?  A panicked kernel is a bit too harsh
 > a punishment for a misconfigured kern.corefile, IMHO..
 > Granted, this level of misconfiguration is not easy to attain ;)
 > But it could always happen as a result of a cut-and-paste-o and
 > corefiles kept in a central directory or something..
 
 I didn't say it shouldn't be MFC'd at all, just that I think it
 shouldn't be MFC'd this late into a code freeze since it's hardly
 critical.  Anyway, that's for jkh and murray to decide.  There's
 nothing wrong with the patch that I can see.
State-Changed-From-To: open->suspended 
State-Changed-By: roam 
State-Changed-When: Fri Aug 24 08:49:50 PDT 2001 
State-Changed-Why:  
The patch was committed to -current, I'll MFC it in a month. 
Thanks for the problem report, the analysis and the patch! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29931 
State-Changed-From-To: suspended->closed 
State-Changed-By: roam 
State-Changed-When: Mon Sep 24 09:17:08 PDT 2001 
State-Changed-Why:  
The patch was merged into 4.4-STABLE. 
Thanks for the problem report and the analysis! 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=29931 
>Unformatted:
