[8lgm]-Advisory-18.UNIX.SunOS-kernel.4-Dec-1994

PROGRAM:

SunOS 4.1.x kernel

VULNERABLE OS's:

SunOS 4.1.x

DESCRIPTION:

A problem was reported to bugtraq showing that unprivileged users can panic the SunOS 4.1.x kernel if an HSFS cdrom is mounted.

The purpose of this advisory is to provide a workaround for this problem. This patch has been successfully tested by a number of people.

IMPACT:

Any user can crash the system.

REPEAT BY:

Assuming /cdrom is an hsfs filesystem, execute the following program:

		main()
		{
			pathconf("/cdrom", 0);
		}

Obviously do not do this, unless you have the authority to install the fix below.

DISCUSSION:

Two vnodeops in the hsfs_vnodeops struct appear to be left undefined. This fix points them to a real function which then fails the operation in the correct way.
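
The pattern described above, modelled in user space as an added example (not part of the original advisory and not SunOS code): an operations table with two slots left unset is audited, and each unset slot is pointed at a stub that fails with EINVAL, with the old values saved for restore. All names (model_ops, fill_unset_ops, call_op and so on) are hypothetical and the sample table is constructed.

```c
/* Added example: user-space model, not SunOS kernel code. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>

typedef int (*op_fn)(void);
enum { OP_OPEN, OP_READ, OP_CNTL, OP_REALVP, OP_COUNT };

/* Constructed stand-in for a vnodeops-style table of function pointers. */
struct model_ops { op_fn fn[OP_COUNT]; };

static int model_ok(void)      { return 0; }
static int model_invalid(void) { return EINVAL; }  /* plays the role of hsfs_invalid */

/* Constructed sample table with two slots left unset, as the advisory describes. */
struct model_ops sample_ops(void) {
    struct model_ops ops = { { model_ok, model_ok, NULL, NULL } };
    return ops;
}

/* Audit: how many slots would be called through a null pointer? */
size_t count_unset_ops(const struct model_ops *ops) {
    size_t n = 0;
    int i;
    for (i = 0; i < OP_COUNT; i++)
        if (ops->fn[i] == NULL)
            n++;
    return n;
}

/* Fix: point every unset slot at the stub; keep the old table for unload. */
size_t fill_unset_ops(struct model_ops *ops, struct model_ops *saved) {
    size_t n = 0;
    int i;
    *saved = *ops;
    for (i = 0; i < OP_COUNT; i++)
        if (ops->fn[i] == NULL) {
            ops->fn[i] = model_invalid;
            n++;
        }
    return n;
}

/* Dispatch through the table. The null check is a guard added by this
 * model so that it never jumps through an unset pointer. */
int call_op(const struct model_ops *ops, int which) {
    if (which < 0 || which >= OP_COUNT || ops->fn[which] == NULL)
        return ENOSYS;
    return ops->fn[which]();
}
```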

WORKAROUND & FIX:

  1. Contact your vendor for a patch.

  2. In the meantime either install the workaround given below, or avoid using HSFS mounted filesystems.

8<------------------------- cut here -------------------------
/*
 * 8lgm_hsfs.c -  SunOS 4.1.x HSFS bugfix.
 * Copyright (C) 1994 by [8LGM].
 *
 * To use:
 * 	cc -c -O -DKERNEL -D 8lgm_hsfs.c
 * 	modload 8lgm_hsfs.o
 */

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

extern	struct vnodeops hsfs_vnodeops;
struct	vdldrv vd;

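/* Original table entries, saved at load time so unload can restore them. */
int	(*old_hsfs_cntl)() = NULL;
int	(*old_hsfs_realvp)() = NULL;
int	loaded_8lgm_hsfs = 0;

static int	unload();	/* defined below; declared here because xxxinit calls it first */

/*
 * Replacement for the two undefined vnodeops: fail the operation
 * with EINVAL.
 */
int
hsfs_invalid()
{
	return (EINVAL);
}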


int
load_8lgm_hsfsfix()
{
	int	x;

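	x = splhigh();		/* block interrupts while the table is patched */

	/* Save the existing entries, then point both at hsfs_invalid. */
	old_hsfs_cntl = hsfs_vnodeops.vn_cntl;
	old_hsfs_realvp = hsfs_vnodeops.vn_realvp;
	hsfs_vnodeops.vn_cntl = hsfs_invalid;
	hsfs_vnodeops.vn_realvp = hsfs_invalid;
	splx(x);		/* restore the previous priority level */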
	return(0);
}


int
unload_8lgm_hsfsfix()
{
	int	x;

	x = splhigh();
	hsfs_vnodeops.vn_cntl = old_hsfs_cntl;
	hsfs_vnodeops.vn_realvp = old_hsfs_realvp;
	splx(x);
	return(0);
}


int
xxxinit(function_code, vdp, vdi, vds)
	unsigned int function_code;
	struct vddrv *vdp;
	addr_t vdi;
	struct vdstat *vds;
{
	bzero(&vd, sizeof(vd));
	vd.Drv_magic = VDMAGIC_PSEUDO;
	vd.Drv_name = "8lgm-hsfs";

	switch(function_code) {
		case VDLOAD:
			if (loaded_8lgm_hsfs) {
				log(LOG_INFO, "8lgm: hsfs fix module already loaded\n");
				return(EEXIST);
			}
			vdp->vdd_vdtab = (struct vdlinkage*)&vd;
			load_8lgm_hsfsfix();
			loaded_8lgm_hsfs++;
			log(LOG_INFO, "8lgm: hsfs fix module loaded\n");
			return(0);
		case VDUNLOAD:
			return (unload(vdp, vdi));
		case VDSTAT:
			return(0);
		default:
			return(EIO);
	}
}


static int
unload(vdp, vdi)
	struct vddrv *vdp;
	struct vdioctl_unload *vdi;
{
	if (loaded_8lgm_hsfs == 0) {
		log(LOG_INFO, "8lgm: hsfs fix module not loaded!\n");
		return(0);
	}
	unload_8lgm_hsfsfix();
	loaded_8lgm_hsfs = 0;
	log(LOG_INFO, "8lgm: hsfs fix module unloaded\n");
	return(0);
}
8<------------------------- cut here -------------------------

FEEDBACK AND CONTACT INFORMATION:

	majordomo@8lgm.org	(Mailing list requests - try 'help' for details)

	8lgm@8lgm.org		(Everything else)

8LGM FILESERVER:

All [8LGM] advisories may be obtained via the [8LGM] fileserver. For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

[8LGM]'s web server can be reached at http://www.8lgm.org. (online only) This contains details of all 8LGM advisories and other useful information.