9fans - fans of the OS Plan 9 from Bell Labs
From: Alexander Viro <viro@math.psu.edu>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] mv vs cp
Date: Mon,  8 Oct 2001 03:44:16 -0400
Message-ID: <Pine.GSO.4.21.0110080329520.11189-100000@weyl.math.psu.edu>
In-Reply-To: <12744.1002525193@apnic.net>


[I suggest taking the thread off-list - further details of rename() races
in *BSD may be interesting, but they are off-topic for 9fans]

On Mon, 8 Oct 2001, George Michaelson wrote:

> Are you saying that this problem demonstrably exploited the race condition
> between cp/mv and rename as implemented in FreeBSD?

	Yes.  ufs_rename() is racy and yes, that race is wide enough to be
exploitable.  BTDT.
 
> I really do mean the question as put:
> 
> when was the last time anybody saw a successful exploit of this race condition
> or an unstable filesystem they can show came from it, exploit or accident?
> 
> I have seen many problems with UFS/FFS, and Softupdates gave me the willies
> but I have also not yet seen serious corruption of the on-disk state which
> lies directly with problems in the FS code itself. Side-effects of kernel
> crashes during meta-state updates, sure. But this sounds to me like FUD which
> in practice doesn't exist.

	process 1:  current directory in /tmp/a/a/a/a/a, does
rename("/tmp/b/b", "a");
	process 2:  current directory in /tmp/b/b/b/b/b, does
rename("/tmp/a/a", "b");

	Normal outcome: first process to do rename() succeeds, second - fails
with ELOOP.  With the right timing _both_ succeed, creating a loop and
detaching it from the rest of filesystem.

	Notice that use of relative pathnames is critical here - otherwise
lookup in the second rename() will block on the lock acquired by the first
one.  Code in /sys/ufs/ufs/ufs_vnops.c implicitly assumes that lookups
ending in descendants of directory will have to pass through that directory.
That assumption is obviously false - namei(9) can start in a descendant of
directory in question.

	And no, it's not too narrow - window includes quite a bit of disk
IO.  Figuring out details of turning that into full-blown attack (i.e.
what should be done to widen the window) are left as an exercise to anyone
who can RTFS - it's pretty straightforward.
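
The invariant behind the two rename() calls above, replayed on a constructed in-memory directory tree (an added example, not part of the original post and not FreeBSD code; `struct dir`, `replay` and the helpers are hypothetical names). It shows that the ancestor check only protects the tree when check and commit are atomic with respect to other renames, and how a reachability walk detects the detached loop afterwards:

```c
#include <stdio.h>

/* Constructed model, not kernel code: a directory is just a link to its parent. */
struct dir { struct dir *parent; };
struct outcome { int renames_ok; int detached; };

/* The check rename() must make: is src the new parent or one of its ancestors? */
static int is_ancestor(const struct dir *src, const struct dir *newparent) {
    for (const struct dir *d = newparent; d; d = d->parent)
        if (d == src)
            return 1;
    return 0;
}

/* fsck-style reachability: does walking ".." from d ever arrive at root? */
static int is_detached(const struct dir *d, const struct dir *root, int ndirs) {
    for (int i = 0; i <= ndirs && d; i++, d = d->parent)
        if (d == root)
            return 0;
    return 1;
}

/* Replay the two renames from the post. serialized=1: each check+commit pair
 * is atomic (a filesystem-wide rename lock). serialized=0: both checks run
 * before either commit, i.e. the interleaving the race allows. */
struct outcome replay(int serialized) {
    struct dir tmp = { NULL }, a[5], b[5];
    for (int i = 0; i < 5; i++) {      /* a[4] is /tmp/a/a/a/a/a, b[1] is /tmp/b/b */
        a[i].parent = i ? &a[i - 1] : &tmp;
        b[i].parent = i ? &b[i - 1] : &tmp;
    }
    /* P1: cwd a[4], rename("/tmp/b/b", "a"); P2: cwd b[4], rename("/tmp/a/a", "b") */
    int ok1 = !is_ancestor(&b[1], &a[4]);
    if (serialized && ok1)
        b[1].parent = &a[4];           /* P1 commits before P2 checks */
    int ok2 = !is_ancestor(&a[1], &b[4]);
    if (!serialized && ok1)
        b[1].parent = &a[4];           /* P1 commits after P2 already checked */
    if (ok2)
        a[1].parent = &b[4];
    return (struct outcome){ ok1 + ok2, is_detached(&a[1], &tmp, 11) };
}

int main(void) {
    struct outcome s = replay(1), r = replay(0);
    printf("serialized:  %d renames ok, detached=%d\n", s.renames_ok, s.detached);
    printf("interleaved: %d renames ok, detached=%d\n", r.renames_ok, r.detached);
    return 0;
}
```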


