[Bug 236836] Kernel panic from calling mq_open("/.", ...) as root
bugzilla-noreply at freebsd.org
bugzilla-noreply at freebsd.org
Wed Mar 27 21:44:12 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236836
Bug ID: 236836
Summary: Kernel panic from calling mq_open("/.", ...) as root
Product: Base System
Version: 12.0-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs at FreeBSD.org
Reporter: t.b.moltu at lyse.net
Created attachment 203197
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=203197&action=edit
Untested patch for rejecting "/." and "/.." with EACCES
After loading the mqueuefs module, calling mq_open() with "/.." or "/." as name
in a C program run by root crashes the system. I assume it's a panic but it
reboots too quickly to read the text. Doing this as non-root does nothing and
EACCES is produced.
mq_unlink("/.") as root successfully removes . from mqueuefs, and
mq_unlink("/..") as root removes both .. and .
Trying to unlink either as non-root just produces EACCES.
After this a non-root user can create queues with these names and use them as
any other queue.
Listing the directory where mqueuefs is mounted while . or .. exists as queues
also crashes the system.
I have not tested whether programs running inside jails can cause this crash or
also get EACCES.
I've created a patch which I think should fix this, but I haven't tested it at
all.
I wasn't sure whether to pick 12.0-RELEASE or 12.0-STABLE; uname -a says:
FreeBSD freebsd 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC amd64
--
You are receiving this mail because:
You are the assignee for the bug.
More information about the freebsd-bugs
mailing list