lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20080809092441.GA5111@martell.zuzino.mipt.ru>
Date:	Sat, 9 Aug 2008 13:24:41 +0400
From:	Alexey Dobriyan <adobriyan@...il.com>
To:	Nix <nix@...eri.org.uk>
Cc:	linux-kernel@...r.kernel.org, alan@...rguk.ukuu.org.uk,
	petero2@...ia.com, jens.axboe@...cle.com
Subject: pktcdvd: BKL pushdown fallout (was Re: writable packet CD mounting
	in 2.6.26.x?)

On Fri, Aug 08, 2008 at 07:14:37AM +0400, Alexey Dobriyan wrote:
> On Wed, Aug 06, 2008 at 08:12:49PM +0100, Nix wrote:
> > It seems to be impossible to mount packet-written CD-RWs writably in
> > 2.6.26.x, even as root. Things worked in 2.6.25.x.
> > 
> > hades:/tmp# ls -l /dev/pktcdvd
> > total 0
> > brw-rw-rw- 1 root root  254,  0 2008-08-05 00:45 cdrw
> > crw-r--r-- 1 root root   10, 63 2008-08-05 00:44 control
> > brw-rw-rw- 1 root cdrom 254,  0 2008-08-05 00:45 pktcdvd0
> > 
> > 
> > hades:/tmp# mount -o rw /dev/pktcdvd/cdrw /mnt/pcdrw
> > mount: block device /dev/pktcdvd/cdrw is write-protected, mounting read-only
> > 
> > hades:/tmp# mount -o rw /dev/pktcdvd/pktcdvd0 /mnt/pcdrw
> > mount: block device /dev/pktcdvd/pktcdvd0 is write-protected, mounting read-only
> > 
> > The strace says that we get -EROFS always, now:
> > 
> > mount("/dev/pktcdvd/cdrw", "/mnt/pcdrw", "udf"..., MS_NOSUID|MS_NODEV|MS_NOEXEC|0x200000, NULL) = -1 EROFS (Read-only file system)
> > 
> > 
> > Anyone got any ideas? There are no suspicious-looking changes in
> > pktcdvd.c itself, so maybe this lies deeper in the block layer. Or
> > perhaps I'm mounting it wrong in some obscure way.
> 
> Reproduced. There must be some kick-ass code in pktcdvd driver. :^)
> 
> 
> # mount -t udf -o rw /dev/pktcdvd/0  tmp/
> mount: block device /dev/pktcdvd/0 is write-protected, mounting read-only
> 								^^^^^^^^^
> Segmentation fault
> 
> 
> Linux version 2.6.27-rc2 (ad@...0) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP PREEMPT Wed Aug 6 14:43:05 MSD 2008
> pktcdvd: writer pktcdvd0 mapped to sr0


> BUG: unable to handle kernel NULL pointer dereference at 0000000c

	file = NULL

> IP: [<f8b6d639>] :pktcdvd:pkt_ioctl+0x19/0xd0
> *pde = 00000000 
> Oops: 0000 [#1] PREEMPT SMP 
> Modules linked in: udf crc_itu_t isofs zlib_inflate pktcdvd usbhid fan sbp2 loop uvcvideo compat_ioctl32 videodev v4l1_compat pcmcia sr_mod cdrom snd_hda_intel snd_pcm tifm_7xx1 yenta_socket snd_timer tifm_core i2c_i801 psmouse ehci_hcd rsrc_nonstatic pcmcia_core snd ohci1394 uhci_hcd ata_piix soundcore serio_raw usbcore i2c_core ieee1394 r8169 snd_page_alloc battery ac thermal button evdev [last unloaded: pktcdvd]
> 
> Pid: 22816, comm: mount Tainted: G        W (2.6.27-rc2 #1)
> EIP: 0060:[<f8b6d639>] EFLAGS: 00210282 CPU: 0
> EIP is at pkt_ioctl+0x19/0xd0 [pktcdvd]
> EAX: 00000000 EBX: f8b6d620 ECX: c32dfda0 EDX: 00005310
> ESI: 00005310 EDI: 00000000 EBP: c32dfda0 ESP: c32dfc54
>  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process mount (pid: 22816, ti=c32df000 task=f70d6520 task.ti=c32df000)
> Stack: 0000ffff f8b6d620 f73cf400 00000000 f7420aec c01d147f 00000001 f7420a80 
>        fffffdfd 00005310 f7420aec c01d17cf 00005310 c32dfda0 c32dfcb4 010e2000 
>        00010101 00000000 00000000 f73cf400 ffffffff ffff00bb 0000ffff 00000000 
> Call Trace:
>  [<f8b6d620>] pkt_ioctl+0x0/0xd0 [pktcdvd]
>  [<c01d147f>] blkdev_driver_ioctl+0x2f/0x80
>  [<c01d17cf>] blkdev_ioctl+0x2ff/0x830
>  [<c0196f05>] set_blocksize+0x85/0x90
>  [<f8b70979>] pkt_open+0x59/0x4e0 [pktcdvd]
>  [<c01d2267>] exact_lock+0x7/0x10
>  [<c022edb8>] kobj_lookup+0x158/0x170
>  [<c01dc563>] string+0x23/0xa0
>  [<c01dca3b>] vsnprintf+0x45b/0x5e0
>  [<c01db519>] strsep+0x19/0x30
>  [<f8bb551c>] udf_parse_options+0x6c/0x2f0 [udf]
>  [<c0197d3e>] ioctl_by_bdev+0x2e/0x50
>  [<f8bb1dea>] udf_get_last_session+0x1a/0x40 [udf]
>  [<f8bb7c19>] udf_fill_super+0x849/0x910 [udf]
>  [<c01a97fe>] disk_name+0x3e/0xc0
>  [<c0173511>] get_sb_bdev+0x101/0x130
>  [<c0157dac>] kstrdup+0x3c/0x70
>  [<f8bb5441>] udf_get_sb+0x21/0x30 [udf]
>  [<f8bb73d0>] udf_fill_super+0x0/0x910 [udf]
>  [<c0173063>] vfs_kern_mount+0x43/0x90
>  [<c017310d>] do_kern_mount+0x3d/0xe0
>  [<c0188de1>] do_new_mount+0x81/0xc0
>  [<c0188f97>] do_mount+0x177/0x1d0
>  [<c0186c33>] copy_mount_options+0x43/0x150
>  [<c0179933>] getname+0xb3/0xe0
>  [<c0189067>] sys_mount+0x77/0xc0

Not suprisingly, indeed.

	udf_get_last_session
	ioctl_by_bdev(bdev, CDROMMULTISESSION,
	ioctl with file = NULL

pkt_ioctl is ->unlocked_ioctl, so can't tolerate NULL file.

Introduced in 5b6155ee70e9c4d2ad7e6f514c8eee06e2711c3a aka BKL pushdown.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ