[Unionfs] NULL pointer dereference if copyup_dentry() failed?
Tetsuo Handa
penguin-kernel at I-love.SAKURA.ne.jp
Fri Jul 11 09:59:54 EDT 2008
Hello.
I noticed that the sequence below triggers a NULL pointer dereference
if copyup_dentry() fails for some reason (e.g. mandatory access control).
The / partition (which contains /tmp/) is an ext3 filesystem.
[root at tomoyo ~]# ls -l /tmp/1/ /tmp/2/
/tmp/1/:
total 0
/tmp/2/:
total 0
[root at tomoyo ~]# touch /tmp/2/foo
[root at tomoyo ~]# mount -t unionfs -o dirs=/tmp/1=rw:/tmp/2=ro none /mnt/
[root at tomoyo ~]# touch /mnt/foo
The dmesg below was obtained by running "touch /mnt/foo"
with permission to open() /mnt/foo for writing
but without permission to call chmod()/chown(),
using unionfs-2.3.3_for_2.6.24.5 with the printk() patch applied.
----- start of patch for printk() -----
---
commonfops.c | 5 +++++
copyup.c | 5 +++++
inode.c | 4 ++++
3 files changed, 14 insertions(+)
--- unionfs.orig/commonfops.c
+++ unionfs/commonfops.c
@@ -597,6 +597,8 @@ int unionfs_open(struct inode *inode, st
int size;
int valid = 0;
+ printk(KERN_WARNING "Entering %s()\n", __func__);
+
unionfs_read_lock(inode->i_sb, UNIONFS_SMUTEX_PARENT);
unionfs_lock_dentry(dentry, UNIONFS_DMUTEX_CHILD);
if (dentry != dentry->d_parent)
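Review bot: KERN_WARNING is the wrong level for unconditional entry tracing in unionfs_open(); the printk added just before unionfs_read_lock() fires on every open() of the union and will drown real warnings. For throwaway instrumentation in a bug report that is acceptable, but if it is kept, use KERN_DEBUG or pr_debug() so it can be switched on via dynamic debug instead of being always on.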
@@ -674,6 +676,9 @@ out_nofree:
unionfs_unlock_dentry(dentry->d_parent);
unionfs_unlock_dentry(dentry);
unionfs_read_unlock(inode->i_sb);
+
+ printk(KERN_WARNING "Leaving %s() with %d\n", __func__, err);
+
return err;
}
--- unionfs.orig/copyup.c
+++ unionfs/copyup.c
@@ -388,6 +388,8 @@ int copyup_dentry(struct inode *dir, str
mm_segment_t oldfs;
char *symbuf = NULL;
+ printk(KERN_WARNING "Entering %s()\n", __func__);
+
verify_locked(dentry);
old_bindex = bstart;
@@ -541,6 +543,9 @@ out_free:
unionfs_check_inode(dir);
unionfs_check_dentry(dentry);
out:
+
+ printk(KERN_WARNING "Leaving %s() with %d\n", __func__, err);
+
return err;
}
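Review bot: the exit printk in copyup_dentry() is placed between the `out:` label and `return err`, so every path that jumps to `out` is logged with the value actually returned, which is good; but printing a negative errno with a bare `%d` is easy to misread (the trace shows "-1", i.e. -EPERM). Consider adding a comment that the value is a negative errno, or printing `-err` next to it.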
--- unionfs.orig/inode.c
+++ unionfs/inode.c
@@ -970,6 +970,8 @@ static int unionfs_setattr(struct dentry
int bstart, bend, bindex;
loff_t size;
+ printk(KERN_WARNING "Entering %s()\n", __func__);
+
unionfs_read_lock(dentry->d_sb, UNIONFS_SMUTEX_CHILD);
unionfs_lock_dentry(dentry, UNIONFS_DMUTEX_CHILD);
@@ -1070,6 +1072,8 @@ out:
unionfs_unlock_dentry(dentry);
unionfs_read_unlock(dentry->d_sb);
+ printk(KERN_WARNING "Leaving %s() with %d\n", __func__, err);
+
return err;
}
----- end of patch for printk() -----
----- start of dmesg -----
Entering unionfs_open()
Leaving unionfs_open() with 0
Entering unionfs_setattr()
Entering copyup_dentry()
TOMOYO-ERROR: sys_chown() denied for /bin/touch
Leaving copyup_dentry() with -1
Leaving unionfs_setattr() with -1
PC:fs/unionfs/dentry.c:unionfs_d_revalidate:470
CI1: dentry/inode=df601988:df6a707c istart=1 dstart=0
CI3: dentry/inode=df601988:df6a707c dstart=0 dend=1
Entering unionfs_setattr()
BUG: unable to handle kernel NULL pointer dereference at virtual address 0000009c
printing eip: e08780ec *pde = 00000000
Oops: 0000 [#1] SMP
Modules linked in: ipv6 sbs sbshc battery backlight lp floppy ide_cd serio_raw cdrom rtc_cmos parport_pc rtc_core ac parport rtc_lib button pcnet32 mii pcspkr unionfs mptspi scsi_transport_spi mptscsih mptbase sd_mod scsi_mod ext3 jbd
Pid: 2354, comm: touch Not tainted (2.6.24.5-ccs #2)
EIP: 0060:[<e08780ec>] EFLAGS: 00010202 CPU: 0
EIP is at unionfs_setattr+0x324/0x35b [unionfs]
EAX: 00000000 EBX: 00000000 ECX: df601988 EDX: deed3910
ESI: df601848 EDI: 00000000 EBP: defbce9c ESP: defbce5c
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process touch (pid: 2354, ti=defbc000 task=dfb0e6b0 task.ti=defbc000)
Stack: e0883210 e0882d74 c1408e80 00000000 defbc000 df0a1c18 defbcf30 df601988
df601848 df6a707c deecd040 00000070 defbcf30 00000000 00000000 defbcf30
defbcecc c0486228 df601988 00000000 df6a707c c04281a4 defbcebc c05ceeac
Call Trace:
[<c0405e68>] show_trace_log_lvl+0x1a/0x2f
[<c0405f18>] show_stack_log_lvl+0x9b/0xa3
[<c0405fc7>] show_registers+0xa7/0x178
[<c04061a9>] die+0x111/0x1f3
[<c05d1b2e>] do_page_fault+0x49f/0x57f
[<c05d03ba>] error_code+0x72/0x78
[<c0486228>] notify_change+0x1b4/0x1dc
[<c048f8a5>] do_utimes+0x1c9/0x207
[<c048f952>] sys_futimesat+0x6f/0x7c
[<c048f97f>] sys_utimes+0x20/0x22
[<c0404f06>] syscall_call+0x7/0xb
=======================
Code: 8b 90 68 01 00 00 8b 4a 18 85 c9 74 0e 64 a1 00 a0 70 c0 3b 88 b4 01 00 00 74 25 8d 42 08 e8 b4 6d bc df eb 1b 8b 75 e0 8b 46 0c <8b> 80 9c 00 00 00 f6 40 30 01 0f 85 9f fd ff ff e9 57 fe ff ff
EIP: [<e08780ec>] unionfs_setattr+0x324/0x35b [unionfs] SS:ESP 0068:defbce5c
---[ end trace cd0cecf999db0cd7 ]---
----- end of dmesg -----
I guess something is wrong with error handling.
Regards.