Bug in link()
utzoo!decvax!duke!unc!mcnc!idis!mi-cec!dvk
utzoo!decvax!duke!unc!mcnc!idis!mi-cec!dvk
Tue Aug 10 14:58:42 AEST 1982
Here's a fun one for all you folks in hack-land...
We have a program that tries to rename directories. (For those who care,
it is the "mv" program, but it could be anything). This program does the
standard "link to a new name, unlink the old name" to rename. Now if we
run this as root, all is fine, since *only* root can link to a directory.
If we run it as a regular user, the program fails. Now, just failing would
not be such a big deal, but, to our dismay, our directories got trashed.
Why? Because the link count got decremented each time someone tried to
rename "foo", until "foo" just disappeared! Rather than simply make our
program mode 4755, owned by root, we figured it would be more reasonable
to fix an obvious OS bug. In sys2/link(), there is code that reads as
follows:
==========================================================================
link() {
<mumble, mumble>
ip = namei(uchar, 0);
if (ip == NULL)
return;
if ((ip->i_mode & IFMT)==IFDIR && !suser())
goto out;
ip->i_nlink++;
ip->i_flag |= ICHG;
<mumble, mumble>
out:
if (u.u_error) {
ip->i_nlink--;
ip->i_flag |= ICHG;
}
iput(ip);
}
==========================================================================
The problem is that if "namei" detects an error, but does not return NULL,
then the link count, which was unincremented, is decremented anyway. We
don't know why "namei" sets u.u_error, but apparently it does. The simple
fix is to not decrement the link count, but instead branch directly to the
call to iput. Setting u.u_error to EPERM is a flourish we couldn't resist.
==========================================================================
link() {
<mumble, mumble>
ip = namei(uchar, 0);
if (ip == NULL)
return;
if ((ip->i_mode & IFMT)==IFDIR && !suser()) {
u.u_error = EPERM;
goto out1; /* Note new label name! */
}
<mumble, mumble>
out:
if (u.u_error) {
ip->i_nlink--;
ip->i_flag |= ICHG;
}
out1:
iput(ip);
}
==========================================================================
Happy hacking!
Daniel Klein and Tron McConnell, Mellon Institute, Pittsburgh
More information about the Net.bugs.v7
mailing list