NetBSD Problem Report #44658
From campbell@mumble.net Tue Mar 1 15:36:33 2011
Return-Path: <campbell@mumble.net>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id 49E2B63B8CE
for <gnats-bugs@gnats.NetBSD.org>; Tue, 1 Mar 2011 15:36:33 +0000 (UTC)
Message-Id: <20110301153632.0C56098298@pluto.mumble.net>
Date: Tue, 1 Mar 2011 15:36:32 +0000 (UTC)
From: Taylor R Campbell <campbell+netbsd@mumble.net>
Reply-To: Taylor R Campbell <campbell+netbsd@mumble.net>
To: gnats-bugs@gnats.NetBSD.org
Subject: spurious chroot escape warning
X-Send-Pr-Version: 3.95
>Number: 44658
>Category: kern
>Synopsis: spurious chroot escape warning
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: dholland
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Mar 01 15:40:00 +0000 2011
>Closed-Date:
>Last-Modified: Wed Aug 10 05:44:12 +0000 2011
>Originator: Taylor R Campbell <campbell+netbsd@mumble.net>
>Release: NetBSD 5.99.47
>Organization:
>Environment:
System: NetBSD oberon.local 5.99.47 NetBSD 5.99.47 (RIAMONODEBUG) #31: Mon Feb 28 05:14:15 UTC 2011 riastradh@smalltalk.local:/home/riastradh/netbsd/current/obj/sys/arch/i386/compile/RIAMONODEBUG i386
Architecture: i386
Machine: i386
>Description:
I have been observing chroot escape warnings under the
following circumstances:
Process A is chrooted in /chroot0, and has a cwd of
/chroot0/chroot1/a/b.
Process B is chrooted in /chroot/chroot1, and rmdirs
/chroot0/chroot1/a/b and /chroot0/chroot1/a.
When process A chdirs to .., the kernel warns that it
has escaped its chroot.
I believe the nested chroot and the pair of processes is a red
herring, and that it is sufficient for process A to have a
chroot of /chroot and a cwd of /chroot/a/b and to rmdir
/chroot/a/b and chdir to .., but I haven't correctly tested
this hypothesis. The last time I tried, NetBSD helpfully
alerted me to PR kern/44657. Fortunately, bulk builds are
reasonably happy to pick up approximately where they left off.
>How-To-Repeat:
Carefully.
>Fix:
I believe the problem is that lookup_once in vfs_lookup.c calls
vn_isunder to decide whether to warn, and vn_isunder correctly
ascertains that the process's cwd is not under the process's
root, because it is not, in fact, under *any* root, having been
deleted. So if lookup_once suppressed the warning if the
directory has a link count under 2, or, more expensively (and
probably unnecessarily), checked vn_isunder(dp, rootvnode), I
think the spurious warning would go away.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->dholland
Responsible-Changed-By: dholland@NetBSD.org
Responsible-Changed-When: Tue, 01 Mar 2011 17:36:06 +0000
Responsible-Changed-Why:
mine (and interacts heavily with patches in the queue)
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/44658 CVS commit: src/sys/kern
Date: Tue, 9 Aug 2011 23:46:06 +0000
Module Name: src
Committed By: dholland
Date: Tue Aug 9 23:46:05 UTC 2011
Modified Files:
src/sys/kern: vfs_lookup.c
Log Message:
Fail namei immediately if searchdir is unlinked / has been rmdir'd.
Do this by checking if v_size == 0. Should fix PR 44658 (and PR 32661).
To generate a diff of this commit:
cvs rdiff -u -r1.186 -r1.187 src/sys/kern/vfs_lookup.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->feedback
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Wed, 10 Aug 2011 00:09:39 +0000
State-Changed-Why:
Should be fixed, please give it a try.
State-Changed-From-To: feedback->open
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Wed, 10 Aug 2011 05:44:12 +0000
State-Changed-Why:
Fix broke nullfs.
>Unformatted:
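The check proposed in the >Fix: section, as an added example in a userland model (not NetBSD kernel code and not part of the report). The names `struct dir`, `is_under`, `classify` and `model_rmdir` are hypothetical, and the tree is constructed to match /chroot/a/b. The model assumes a removed directory has no parent link and a link count of 0.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for a directory vnode: only parent link and link count. */
struct dir {
    struct dir *parent;  /* NULL for the global root and for removed dirs */
    int nlink;           /* assumed to drop to 0 once the dir is removed */
};

/* Simplified analogue of vn_isunder(): walk parents from d looking for root. */
static bool is_under(const struct dir *d, const struct dir *root)
{
    for (; d != NULL; d = d->parent)
        if (d == root)
            return true;
    return false;
}

enum verdict { INSIDE, ORPHANED, ESCAPED };

/* Warn (ESCAPED) only if dp is outside the chroot yet still in the live tree.
 * The report proposes either test on its own; both are shown here. */
static enum verdict classify(const struct dir *dp, const struct dir *proc_root,
                             const struct dir *global_root)
{
    if (is_under(dp, proc_root))
        return INSIDE;
    if (dp->nlink < 2 || !is_under(dp, global_root))
        return ORPHANED;             /* deleted: under no root at all */
    return ESCAPED;
}

/* Hypothetical model of rmdir: detach from the tree, drop the link count. */
static void model_rmdir(struct dir *d) { d->parent = NULL; d->nlink = 0; }

/* Constructed tree: /, /chroot, /chroot/a, /chroot/a/b, /outside */
static struct dir root_dir    = { NULL, 4 };
static struct dir chroot_dir  = { &root_dir, 3 };
static struct dir a_dir       = { &chroot_dir, 3 };
static struct dir b_dir       = { &a_dir, 2 };
static struct dir outside_dir = { &root_dir, 2 };

int main(void)
{
    printf("outside: %d\n", classify(&outside_dir, &chroot_dir, &root_dir));
    model_rmdir(&b_dir);             /* cwd /chroot/a/b removed underneath us */
    printf("removed cwd: %d\n", classify(&b_dir, &chroot_dir, &root_dir));
    return 0;
}
```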