Bug 29931

Summary: if expand_name() returns NULL, coredump() crashes the kernel
Product: Base System
Reporter: Tamas Foldi <crow>
Component: kern
Assignee: Peter Pentchev <roam>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.3-RELEASE
Hardware: Any
OS: Any
Attachments:
  file.diff (flags: none)

Description Tamas Foldi 2001-08-21 21:10:01 UTC
When expand_name() generates a core filename that is too large, its return
value is a NULL address. This NULL value is given to vn_open(), which causes a
kernel panic. In some cases (non-default kern.corefile settings) users can
freeze the system (of course, root always can).

How-To-Repeat:
#!/bin/sh
# Install a kern.corefile pattern whose %N expansion exceeds MAXPATHLEN.
/sbin/sysctl -w kern.corefile=`perl -e 'print "%N" x 512'`

# Build a program that dies with SIGSEGV so the kernel tries to write a core.
cat > /tmp/seg.c <<'EOF'
#include <stdio.h>
int main(void) { int *a = NULL; printf("segfaulting...\n"); printf("%u", *a); return 0; }
EOF

cd /tmp && make seg && /tmp/seg
cd -
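The failure path the report describes, as an added user-space model and not FreeBSD's kern_sig.c: expand_name() substitutes %N, %P and %U into the kern.corefile pattern and returns NULL when the expansion would not fit in MAXPATHLEN; coredump_unchecked() hands that result straight to the open, as the report says the kernel did, while coredump_checked() turns the NULL into an error before anything resembling vn_open() sees it. The names set_corefile, open_core_file, coredump_unchecked, coredump_checked, set_report_pattern and expands_to are this example's own, and ENAMETOOLONG as the error for the checked path is this model's choice, not necessarily what the committed patch returns.

```c
/* Added user-space model of the kern.corefile expansion discussed in the
 * report; it is not FreeBSD's kern_sig.c.  %N is the process name, %P the
 * pid, %U the uid; anything else is copied literally. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATHLEN 1024                  /* path bound, as in <sys/param.h> */

/* Stand-in for the kern.corefile sysctl string. */
static char corefilename[MAXPATHLEN + 1] = "%N.core";

/* Model of `sysctl -w kern.corefile=PATTERN`: the pattern itself is bounded,
 * but its expansion is not, which is the whole problem. */
int set_corefile(const char *pattern)
{
    if (strlen(pattern) > MAXPATHLEN)
        return ENAMETOOLONG;
    strcpy(corefilename, pattern);
    return 0;
}

/* Expand the pattern for one process.  Returns a malloc()ed string, or NULL
 * when the expansion would not fit in MAXPATHLEN; the caller must check. */
char *expand_name(const char *comm, unsigned uid, long pid)
{
    char *name = malloc(MAXPATHLEN);
    size_t n = 0;
    const char *p;

    if (name == NULL)
        return NULL;
    for (p = corefilename; *p != '\0'; p++) {
        char num[32];
        const char *piece = p;           /* default: one literal byte */
        size_t len = 1;

        if (*p == '%') {
            switch (p[1]) {
            case 'N': piece = comm; len = strlen(comm); p++; break;
            case 'P': len = (size_t)snprintf(num, sizeof num, "%ld", pid); piece = num; p++; break;
            case 'U': len = (size_t)snprintf(num, sizeof num, "%u", uid); piece = num; p++; break;
            default: break;              /* unknown %x: keep the '%' literally */
            }
        }
        if (n + len >= MAXPATHLEN) {     /* no room for the piece plus the NUL */
            free(name);
            return NULL;                 /* the NULL the report is about */
        }
        memcpy(name + n, piece, len);
        n += len;
    }
    name[n] = '\0';
    return name;
}

/* Stand-in for vn_open() in coredump(): it dereferences the path, so a NULL
 * here is a NULL dereference, which in the kernel is the panic. */
static int open_core_file(const char *path)
{
    return path[0] == '\0' ? EINVAL : 0;
}

/* Shape the report describes: expand_name()'s result is handed straight on. */
int coredump_unchecked(const char *comm, unsigned uid, long pid)
{
    char *name = expand_name(comm, uid, pid);
    int error = open_core_file(name);    /* NULL name -> crash */

    free(name);
    return error;
}

/* Fixed shape: a name that cannot be built is an error, not a crash.
 * ENAMETOOLONG is this model's choice of error code. */
int coredump_checked(const char *comm, unsigned uid, long pid)
{
    char *name = expand_name(comm, uid, pid);
    int error;

    if (name == NULL)
        return ENAMETOOLONG;
    error = open_core_file(name);
    free(name);
    return error;
}

/* Install the report's pattern: "%N" repeated 512 times (1024 bytes). */
int set_report_pattern(void)
{
    char big[MAXPATHLEN + 1];
    int i;

    for (i = 0; i < 512; i++)
        memcpy(big + 2 * i, "%N", 2);
    big[2 * i] = '\0';
    return set_corefile(big);
}

/* Helper: does the current pattern expand to `expected` for this process? */
int expands_to(const char *comm, unsigned uid, long pid, const char *expected)
{
    char *name = expand_name(comm, uid, pid);
    int ok = name != NULL && strcmp(name, expected) == 0;

    free(name);
    return ok;
}

int main(void)
{
    set_corefile("/var/cores/%U/%N.%P");
    printf("sane pattern: checked=%d unchecked=%d\n",
           coredump_checked("seg", 1001, 4242), coredump_unchecked("seg", 1001, 4242));
    set_report_pattern();
    printf("report's pattern: expand_name() -> %s, coredump_checked() -> errno %d\n",
           expand_name("seg", 1001, 4242) == NULL ? "NULL" : "a name",
           coredump_checked("seg", 1001, 4242));
    return 0;
}
```

With the report's 512-copy pattern and a three-character process name the expansion needs 1536 bytes, so expand_name() returns NULL; only coredump_checked() survives that, which is the check the attached patch adds in front of vn_open().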
Comment 1 dima 2001-08-23 22:21:18 UTC
Peter Pentchev <roam@ringlet.net> writes:
> This looks genuine.  Any objections to committing it, and MFC'ing before
> 4.4 comes out?

I don't see any reason to rush the MFC.
Comment 2 dd freebsd_committer freebsd_triage 2001-08-23 22:21:23 UTC
Responsible Changed
From-To: freebsd-bugs->roam

Peter inquired about this on -arch, so it's his problem now :-).
Comment 3 Peter Pentchev 2001-08-23 22:29:24 UTC
On Thu, Aug 23, 2001 at 02:21:18PM -0700, Dima Dorfman wrote:
> Peter Pentchev <roam@ringlet.net> writes:
> > This looks genuine.  Any objections to committing it, and MFC'ing before
> > 4.4 comes out?
> 
> I don't see any reason to rush the MFC.

Mmmm.. preventing foot-shooting?  A panicked kernel is a bit too harsh
a punishment for a misconfigured kern.corefile, IMHO..
Granted, this level of misconfiguration is not easy to attain ;)
But it could always happen as a result of a cut-and-paste-o and
corefiles kept in a central directory or something..

G'luck,
Peter

-- 
I am jealous of the first word in this sentence.
Comment 4 dima 2001-08-23 22:46:03 UTC
Peter Pentchev <roam@ringlet.net> writes:
> On Thu, Aug 23, 2001 at 02:21:18PM -0700, Dima Dorfman wrote:
> > Peter Pentchev <roam@ringlet.net> writes:
> > > This looks genuine.  Any objections to committing it, and MFC'ing before
> > > 4.4 comes out?
> > 
> > I don't see any reason to rush the MFC.
> 
> Mmmm.. preventing foot-shooting?  A panicked kernel is a bit too harsh
> a punishment for a misconfigured kern.corefile, IMHO..
> Granted, this level of misconfiguration is not easy to attain ;)
> But it could always happen as a result of a cut-and-paste-o and
> corefiles kept in a central directory or something..

I didn't say it shouldn't be MFC'd at all, just that I think it
shouldn't be MFC'd this late into a code freeze since it's hardly
critical.  Anyway, that's for jkh and murray to decide.  There's
nothing wrong with the patch that I can see.
Comment 5 Peter Pentchev freebsd_committer freebsd_triage 2001-08-24 16:49:50 UTC
State Changed
From-To: open->suspended

The patch was committed to -current, I'll MFC it in a month. 
Thanks for the problem report, the analysis and the patch!
Comment 6 Peter Pentchev freebsd_committer freebsd_triage 2001-09-24 17:17:08 UTC
State Changed
From-To: suspended->closed

The patch was merged into 4.4-STABLE. 
Thanks for the problem report and the analysis!