Bug 27250

Summary: [unionfs] [patch] unionfs filesystem panics in large number of situations
Product: Base System Reporter: vova <vova>
Component: kern Assignee: Daichi GOTO <daichi>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 4.2-STABLE   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description vova 2001-05-10 18:10:01 UTC
  1. sometimes using mmap'ed files over mount union causes a panic
  2. possible panic when working with sockets/FIFOs/devs on unionfs
  3. panic when there are not enough rights on the current directory when compiled with DIAGNOSTIC
  4. number of vnode leaks
  5. security hole in readdir() - it is possible to go out of the chroot()
     using readdir on unionfs (getdirentries+getdirentries+fchdir)

Fix: Patch was tested on 4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE
How-To-Repeat: 
  1. To repeat try to build staroffice port (/usr/ports/editors/staroffice52/) on unionfs.
  2. try to use AF_UNIX sockets over unionfs
  3. build unionfs with DIAGNOSTIC and try to do something in directory
     where you have no rights to write
  4. busy software on unionfs with load and observe vnode leak in systat -vm (numvnodes)
  5. when doing getdirentries on a unionfs directory it first lists the upper
     layer, then the lower layer; between reads the vnode of the directory is
     changed from upper to lower layer, so just after the second getdirentries
     it is possible to do fchdir() on this descriptor to get out of chroot().
Comment 1 vova 2001-05-11 17:24:07 UTC
This patch also fixes a panic when trying to do mount_union into an already
mounted union partition

--
TSB Russian Express, Moscow
Vladimir B. Grebenschikov, vova@express.ru
Comment 2 Kris Kennaway freebsd_committer freebsd_triage 2001-05-15 00:37:30 UTC
Responsible Changed
From-To: freebsd-bugs->bp

bp fixed nullfs in -current, so perhaps he will be interested to look at this too
Comment 3 Kris Kennaway 2001-05-15 10:11:05 UTC
On Tue, May 15, 2001 at 12:54:47PM +0400, Vladimir B. Grebenschikov wrote:
> Kris Kennaway writes:
>  > On Fri, May 11, 2001 at 09:30:03AM -0700, Vladimir B. Grebenschikov wrote:
>  > > The following reply was made to PR kern/27250; it has been noted by GNATS.
>  > > 
>  > > From: "Vladimir B. Grebenschikov" <vova@express.ru>
>  > > To: freebsd-gnats-submit@FreeBSD.org
>  > > Cc:  
>  > > Subject: Re: kern/27250: unionfs filesystem panics in large number of situations
>  > > Date: Fri, 11 May 2001 20:24:07 +0400 (MSD)
>  > > 
>  > >  This patch also fixes panic when try to do mount_union into already
>  > >  mounted union partition
>  > 
>  > Did you intend to attach another patch here, or was this a comment
>  > about your original PR submission?
>  
> It is more description for original PR submission, the patch is the result
> of a few months of testing so I forgot to mention this fix.


Okay, thanks for clarifying.

Kris
Comment 4 Boris Popov freebsd_committer freebsd_triage 2001-05-15 11:02:48 UTC
State Changed
From-To: open->analyzed

Good work Vladimir! 
The patch needs some cleanup. I'll play with it on -current and 
MFC to -stable.
Comment 5 Mark Linimon freebsd_committer freebsd_triage 2006-04-17 21:59:52 UTC
Responsible Changed
From-To: bp->freebsd-bugs

Reassign at assignee's request due to current lack of time to work on FreeBSD.
Comment 6 Craig Rodrigues freebsd_committer freebsd_triage 2006-05-28 21:15:10 UTC
Responsible Changed
From-To: freebsd-bugs->daichi

daichi is showing interest in unionfs
Comment 7 Craig Rodrigues freebsd_committer freebsd_triage 2007-02-21 05:20:38 UTC
State Changed
From-To: analyzed->closed

Patch applies to old unionfs implementation, and not to newer 
unionfs implementation in CURRENT and RELENG_6.