nfs bug & df: Can I lock up my kernel and overflow this buffer?

Kris Kennaway kris at obsecurity.org
Mon May 9 21:33:24 PDT 2005


On Mon, May 09, 2005 at 11:14:51PM -0500, Billy Newsom wrote:
> Here's something pretty stupid about either the code in mount, df, or 
> both.  I'm on the verge of a denial of service if this lasts much 
> longer.

Why do you think so?

> When I mount an nfs device more than once, I get this 
> ridiculous output from df and mount:
> 
> #df
> Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
> /dev/ad0s1a    253678  137554   95830    59%    /
> devfs               1       1       0   100%    /dev
> /dev/ad0s1e    253678      18  233366     0%    /tmp
> /dev/ad0s1f   7782878 3273986 3886262    46%    /usr
> /dev/ad0s1d    253678  125386  107998    54%    /var
> devfs               1       1       0   100%    /var/named/dev
> dell:/nfs     8883912 4104516 4779396    46%    /dellbak
> dell:/nfs     8883912 4104516 4779396    46%    /dellbak
> dell:/nfs     8883912 4104516 4779396    46%    /dellbak
> dell:/nfs     8883912 4104516 4779396    46%    /dellbak
> dell:/nfs     8883912 4104516 4779396    46%    /dellbak
> dell:/nfs     8883912 4104516 4779396    46%    /dellbak

Why's it ridiculous?  You mounted it more than once, so it appears
more than once in the list of mounted filesystems.

> * Look at the fsid for /dellbak below, using verbose output.  Pretty odd.

Why is it odd?  The fsid is by definition different for different
mounts.

Kris
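As an added example (not part of the thread), the check below makes Kris's point mechanically: it reads df-style output and reports any mountpoint that appears more than once, which is exactly what a repeated mount of the same share on the same directory produces. The df text is constructed to match the output quoted above; the function names are the example's own.

```shell
# Added example, not from the thread: find mountpoints listed more than once
# in df output. Repeated lines for one mountpoint mean the filesystem was
# mounted there more than once, not that df or mount is misbehaving.
# SAMPLE_DF is constructed to mirror the df output quoted in the thread.

SAMPLE_DF='Filesystem  1K-blocks    Used   Avail Capacity  Mounted on
/dev/ad0s1a    253678  137554   95830    59%    /
devfs               1       1       0   100%    /dev
dell:/nfs     8883912 4104516 4779396    46%    /dellbak
dell:/nfs     8883912 4104516 4779396    46%    /dellbak
dell:/nfs     8883912 4104516 4779396    46%    /dellbak'

# duplicate_mounts: read df output on stdin and print "<count> <mountpoint>"
# for every mountpoint that occurs more than once (hypothetical helper name).
duplicate_mounts() {
    # Skip the header line; the last field of each df line is the mountpoint.
    awk 'NR > 1 { n[$NF]++ } END { for (m in n) if (n[m] > 1) print n[m], m }'
}

# count_mounts: print how many df lines refer to the mountpoint given as $1.
count_mounts() {
    awk -v mp="$1" 'NR > 1 && $NF == mp { c++ } END { print c + 0 }'
}

# On a live system run: df | duplicate_mounts
printf '%s\n' "$SAMPLE_DF" | duplicate_mounts
```

The script keys on the last whitespace-separated field, so mountpoints containing spaces would be misread; for the typical FreeBSD layout shown above that is not an issue. Each extra line reported corresponds to one additional mount that has to be unmounted separately.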