#157 User level code can use the O_NOOPEN flag

v1.9.1
closed-fixed
John Hughes
Filesystem (49)
5
2008-10-19
2008-05-15
John Hughes
No

Internally OpenSSI has a cute open flag O_NOOPEN, which is used as part of the cross node migration process.

Nothing stops user level code from using O_NOOPEN, with hilarious results.

(The true evilness is that O_NOOPEN collides with O_CLOEXEC in newer kernels).

Unable to handle kernel NULL pointer dereference at virtual address 00000004
printing eip:
c01b9d62
*pde = 00000000
Oops: 0000 [#1]
SMP
Modules linked in: button ac battery dm_snapshot dm_mirror dm_mod loop i2c_piix4 i2c_core parport_pc parport floppy joydev ext3 jbd ne2k_pci 8390
CPU: 0
EIP: 0060:[<c01b9d62>] Not tainted VLI
EFLAGS: 00000246 (2.6.12-ssi-686-smp)
EIP is at sysfs_dir_close+0x52/0xf0
eax: 00000004 ebx: c13bfe18 ecx: 00000080 edx: c13be8c0
esi: c13bfe90 edi: 00000000 ebp: cce61ef8 esp: cce61ee0
ds: 007b es: 007b ss: 0068
Process a.out (pid: 67193, threadinfo=cce60000 task=cf392620)
Stack: c049978c 00000079 c13be8c0 cd194f60 cf801a40 c13bfe18 cce61f18 c017272c
c13bfe18 cd194f60 c13be8c0 cd194f60 00000000 cf6a1200 cce61f20 c0172619
cce61f3c c0170bd0 cd194f60 cf6a1200 00000001 00000003 cf6a1200 cce61f5c
Call Trace:
[<c01079ff>] show_stack+0x7f/0xa0
[<c0107ba4>] show_registers+0x164/0x230
[<c0107f54>] die+0xf4/0x1a0
[<c0120d6d>] do_page_fault+0x49d/0x699
[<c010761b>] error_code+0x4f/0x54
[<c017272c>] __fput+0x10c/0x150
[<c0172619>] fput+0x19/0x20
[<c0170bd0>] filp_close+0x50/0x90
[<c012bce5>] put_files_struct+0x65/0xd0
[<c012c438>] do_exit+0xf8/0x3b0
[<c012c769>] do_group_exit+0x39/0xc0
[<c012c805>] sys_exit_group+0x15/0x20
[<c0106a41>] syscall_call+0x7/0xb
Code: c0 b8 79 00 00 00 8d 73 78 89 44 24 04 e8 07 cd f6 ff f0 ff 4b 78 0f 88 17 05 00 00 b8 00 e0 ff ff 21 e0 8b 00 89 46 08 8d 47 04 <8b> 57 04 8b 48 04 89 11 89 4a 04 89 47 04 89 40 04 8b 45 f0 8b

Entering kdb (current=0xcf392620, pid 67193) on processor 0 Oops: Oops
due to oops @ 0xc01b9d62
eax = 0x00000004 ebx = 0xc13bfe18 ecx = 0x00000080 edx = 0xc13be8c0
esi = 0xc13bfe90 edi = 0x00000000 esp = 0xcce61ee0 eip = 0xc01b9d62
ebp = 0xcce61ef8 xss = 0x00000068 xcs = 0x00000060 eflags = 0x00000246
xds = 0x0000007b xes = 0x0000007b origeax = 0xffffffff &regs = 0xcce61eac
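A defender-side illustration of the report's point, added here and not OpenSSI code: the legacy check reads the internal O_NOOPEN bit straight out of the user-supplied flag word (its real value is not in the report; the placeholder below is chosen to overlap O_CLOEXEC, 0x80000 on Linux, mirroring the collision noted above), while the hardened version masks user bits to an allowlist and keeps kernel-private state in a separate field that no open(2) argument can reach. The flag values and all function and struct names are this example's own assumptions.

```c
#include <stdio.h>
/* Linux/x86 values of the user-visible open(2) flags we model. */
#define U_O_ACCMODE  0x3
#define U_O_CREAT    0x40
#define U_O_TRUNC    0x200
#define U_O_APPEND   0x400
#define U_O_NONBLOCK 0x800
#define U_O_CLOEXEC  0x80000
/* Bits user space may pass; anything else is dropped at the boundary. */
#define USER_OPEN_FLAGS (U_O_ACCMODE | U_O_CREAT | U_O_TRUNC | U_O_APPEND | \
                         U_O_NONBLOCK | U_O_CLOEXEC)
/* PLACEHOLDER for the legacy internal flag (its real value is not in the
 * report). It shares the user flag word and, here, the O_CLOEXEC bit. */
#define LEGACY_O_NOOPEN 0x80000

/* Legacy check: the internal bit is read from user-controlled flags, so
 * any caller can set it, and a plain O_CLOEXEC sets it by accident. */
int legacy_is_noopen(unsigned int user_flags)
{
    return (user_flags & LEGACY_O_NOOPEN) != 0;
}

/* Hardened design: internal state lives in its own word that is never
 * derived from user input, so no open(2) flag value can reach it. */
struct open_intent {
    unsigned int uflags; /* user flags, masked to the allowlist */
    unsigned int kflags; /* kernel-private bits only */
};
#define K_NOOPEN 0x1     /* internal "do not open yet" bit, own namespace */

/* Syscall entry: keep only allowlisted bits, start with no kernel bits. */
void open_from_user(unsigned int user_flags, struct open_intent *oi)
{
    oi->uflags = user_flags & USER_OPEN_FLAGS;
    oi->kflags = 0;
}

/* Only in-kernel migration code calls this; user space has no path to it. */
void mark_migration_noopen(struct open_intent *oi) { oi->kflags |= K_NOOPEN; }
int is_noopen(const struct open_intent *oi) { return (oi->kflags & K_NOOPEN) != 0; }

int main(void)
{
    struct open_intent oi;
    open_from_user(U_O_CLOEXEC | 0x40000000u, &oi); /* stray bit is dropped */
    printf("legacy sees NOOPEN: %d, hardened sees NOOPEN: %d, uflags=%#x\n",
           legacy_is_noopen(U_O_CLOEXEC), is_noopen(&oi), oi.uflags);
    return 0;
}
```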

Related

Bugs: #1

Discussion

  • John Hughes
    2008-05-15

    Crash your OpenSSI system for fun and profit

  • Roger Tsang
    2008-09-28

    • milestone: 782904 --> v1.9.1

  • John Hughes
    2008-10-19

    • assigned_to: nobody --> hughesj
    • status: open --> closed-fixed

  • John Hughes
    2008-10-19

    Fixed in cvs