NetBSD Problem Report #44658
From firstname.lastname@example.org Tue Mar 1 15:36:33 2011
Received: from mail.netbsd.org (mail.netbsd.org [22.214.171.124])
by www.NetBSD.org (Postfix) with ESMTP id 49E2B63B8CE
for <gnats-bugs@gnats.NetBSD.org>; Tue, 1 Mar 2011 15:36:33 +0000 (UTC)
Date: Tue, 1 Mar 2011 15:36:32 +0000 (UTC)
From: Taylor R Campbell <email@example.com>
Reply-To: Taylor R Campbell <firstname.lastname@example.org>
Subject: spurious chroot escape warning
>Synopsis: spurious chroot escape warning
>Arrival-Date: Tue Mar 01 15:40:00 +0000 2011
>Last-Modified: Wed Aug 10 05:44:12 +0000 2011
>Originator: Taylor R Campbell <email@example.com>
>Release: NetBSD 5.99.47
System: NetBSD oberon.local 5.99.47 NetBSD 5.99.47 (RIAMONODEBUG) #31: Mon Feb 28 05:14:15 UTC 2011 firstname.lastname@example.org:/home/riastradh/netbsd/current/obj/sys/arch/i386/compile/RIAMONODEBUG i386
I have been observing chroot escape warnings under the
Process A is chrooted in /chroot0, and has a cwd of
Process B is chrooted in /chroot/chroot1, and rmdirs
/chroot0/chroot1/a/b and /chroot0/chroot1/a.
When process A chdirs to .., the kernel warns that it
has escaped its chroot.
I believe the nested chroot and the pair of processes is a red
herring, and that it is sufficient for process A to have a
chroot of /chroot and a cwd of /chroot/a/b and to rmdir
/chroot/a/b and chdir to .., but I haven't correctly tested
this hypothesis. The last time I tried, NetBSD helpfully
alerted me to PR kern/44657. Fortunately, bulk builds are
reasonably happy to pick up approximately where they left off.
I believe the problem is that lookup_once in vfs_lookup.c calls
vn_isunder to decide whether to warn, and vn_isunder correctly
ascertains that the process's cwd is not under the process's
root, because it is not, in fact, under *any* root, having been
deleted. So if lookup_once suppressed the warning if the
directory has a link count under 2, or, more expensively (and
probably unnecessarily), checked vn_isunder(dp, rootvnode), I
think the spurious warning would go away.
Responsible-Changed-When: Tue, 01 Mar 2011 17:36:06 +0000
mine (and interacts heavily with patches in the queue)
From: "David A. Holland" <email@example.com>
Subject: PR/44658 CVS commit: src/sys/kern
Date: Tue, 9 Aug 2011 23:46:06 +0000
Module Name: src
Committed By: dholland
Date: Tue Aug 9 23:46:05 UTC 2011
Fail namei immediately if searchdir is unlinked / has been rmdir'd.
Do this by checking if v_size == 0. Should fix PR 44658 (and PR 32661).
To generate a diff of this commit:
cvs rdiff -u -r1.186 -r1.187 src/sys/kern/vfs_lookup.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-When: Wed, 10 Aug 2011 00:09:39 +0000
Should be fixed, please give it a try.
State-Changed-When: Wed, 10 Aug 2011 05:44:12 +0000
Fix broke nullfs.