[Bug 236836] Kernel panic from calling mq_open("/.", ...) as root

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Mar 27 21:44:12 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236836

            Bug ID: 236836
           Summary: Kernel panic from calling mq_open("/.", ...) as root
           Product: Base System
           Version: 12.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: t.b.moltu at lyse.net

Created attachment 203197
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=203197&action=edit
Untested patch for rejecting "/." and "/.." with EACCES

After loading the mqueuefs module, calling mq_open() with "/.." or "/." as name
in a C program run by root crashes the system. I assume it's a panic but it
reboots too quickly to read the text. Doing this as non-root does nothing and
EACCES is produced.

mq_unlink("/.") as root successfully removes . from mqueuefs, and
mq_unlink("/..") as root removes both .. and .
Trying to unlink either as non-root just produces EACCES.
After this a non-root user can create queues with these names and use them as
any other queue.
Listing the directory where mqueuefs is mounted while . or .. exists as queues
also crashes the system.

I have not tested whether programs running inside jails can cause this crash or
also get EACCES.

I've created a patch which I think should fix this, but I haven't tested it at
all.

I wasn't sure whether to pick 12.0-RELEASE or 12.0-STABLE; uname -a says:
FreeBSD freebsd 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC  amd64

-- 
You are receiving this mail because:
You are the assignee for the bug.
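
An added example, not part of the original report and not the contents of attachment 203197: a userland sketch of the kind of name check the report proposes, rejecting "/." and "/.." with EACCES before a queue name reaches the filesystem layer. The function name `mq_name_check`, the `MQ_NAME_MAX` limit, and the EINVAL/ENAMETOOLONG results for the other malformed names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MQ_NAME_MAX 255 /* assumed per-component limit, not taken from the report */

/*
 * Hypothetical helper: validate a POSIX message queue name.
 * Returns 0 if the name is acceptable, otherwise an errno value.
 */
int mq_name_check(const char *path)
{
    size_t len;

    if (path == NULL || path[0] != '/')
        return EINVAL;              /* assumed: name must start with '/' */

    len = strlen(path);
    if (len < 2)
        return EINVAL;              /* "/" alone names no queue */
    if (len - 1 > MQ_NAME_MAX)
        return ENAMETOOLONG;
    if (strchr(path + 1, '/') != NULL)
        return EINVAL;              /* assumed: flat namespace, one component */

    /* The case from the report: "." and ".." are directory entries in
     * mqueuefs and must never be created or unlinked as queues. */
    if (strcmp(path + 1, ".") == 0 || strcmp(path + 1, "..") == 0)
        return EACCES;

    return 0;
}

int main(void)
{
    /* Constructed sample names, including the two from the report. */
    const char *names[] = { "/.", "/..", "/...", "/.q", "/myqueue", "/", "/a/b" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-10s -> %d\n", names[i], mq_name_check(names[i]));
    return 0;
}
```

The check applies regardless of the caller's privileges, since the report shows the crash only when the call is made as root.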

