https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289700
Bug ID: 289700
Summary: unionfs: page fault in unionfs_find_node_status when closing a file within a socket's receive buffer
Product: Base System
Version: 15.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Yesterday a user reported a panic in fusefs (bug 289686). From inspection, unionfs
appears to be vulnerable to the same panic. The steps to reproduce the panic
would be:
* A process opens a regular file on a unionfs file system
* That process sends the file descriptor through a unix domain socket, using
SCM_RIGHTS
* That process closes the original file descriptor
* Whatever process (which might be the same one) that owns the receiving side
of the unix domain socket closes it, without reading the file descriptor out
first.
* That will cause unp_dispose to attempt to close every file descriptor
residing in the socket's receive buffer.
* Several frames down the stack, that will call VOP_CLOSE with ap->a_td == NULL
* unionfs_close will pass ap->a_td to unionfs_find_node_status, without
checking it.
* unionfs_find_node_status will attempt to dereference it, without checking it
either.
Note that I haven't attempted to trigger the panic myself.
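The sequence above, as an added userland test case that is not part of the bug report: it opens a file, passes the descriptor over a unix domain socketpair with SCM_RIGHTS, closes the original, then closes both socket ends without ever receiving the descriptor, so the kernel has to release the file from the receive buffer itself. The path argument and the function name are assumptions; the bug is only reachable when the file lives on a unionfs mount, and on any other file system the function simply returns 0, which makes it usable as a regression check after a fix.

```c
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Leave one open-file reference in flight in a unix socket's receive buffer
 * and then dispose of the socket without reading it. This is the sequence
 * from the report; the kernel-side bug needs `path` on a unionfs mount.
 * Returns 0 when every step succeeded, -1 (with errno set) otherwise. */
int close_fd_in_flight(const char *path)
{
    int sv[2];
    /* Step 1: open the file. */
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        close(fd);
        return -1;
    }
    /* Step 2: send the descriptor through the socket with SCM_RIGHTS. */
    char data = 'x';
    struct iovec iov = { .iov_base = &data, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cmsgbuf;
    memset(&cmsgbuf, 0, sizeof(cmsgbuf));
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cmsgbuf.buf, .msg_controllen = sizeof(cmsgbuf.buf) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    ssize_t n = sendmsg(sv[0], &msg, 0);
    /* Step 3: drop the original; the in-flight copy now holds the only reference. */
    close(fd);
    /* Step 4: close both ends without recvmsg(), so the receive buffer is
     * disposed of (unp_dispose on FreeBSD) with the file still inside it. */
    close(sv[0]);
    close(sv[1]);
    return n == 1 ? 0 : -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    return close_fd_in_flight(path) == 0 ? 0 : 1;
}
```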