Bug in link()

utzoo!decvax!duke!unc!mcnc!idis!mi-cec!dvk utzoo!decvax!duke!unc!mcnc!idis!mi-cec!dvk
Tue Aug 10 14:58:42 AEST 1982 


Here's a fun one for all you folks in hack-land...

We have a program that tries to rename directories. (For those  who  care,
it  is  the "mv" program, but it could be anything). This program does the
standard "link to a new name, unlink the old name" to rename.  Now  if  we
run  this as root, all is fine, since *only* root can link to a directory.
If we run it as a regular user, the program fails. Now, just failing would
not  be  such a big deal, but, to our dismay, our directories got trashed.
Why? Because the link count got decremented each  time  someone  tried  to
rename  "foo",  until "foo" just disappeared!  Rather than simply make our
program mode 4755, owned by root, we figured it would be  more  reasonable
to  fix  an  obvious  OS  bug. In sys2/link(), there is code that reads as
follows:
==========================================================================

link() {
		<mumble, mumble>

	ip = namei(uchar, 0);
	if (ip == NULL)
		return;
	if ((ip->i_mode & IFMT)==IFDIR && !suser())
		goto out;
	ip->i_nlink++;
	ip->i_flag |= ICHG;

		<mumble, mumble>

out:
	if (u.u_error) {
		ip->i_nlink--;
		ip->i_flag |= ICHG;
		}
	iput(ip);
}
==========================================================================

The problem is that if "namei" detects an error, but does not return NULL,
then  the  link  count, which was unincremented, is decremented anyway. We
don't know why "namei" sets u.u_error, but apparently it does. The  simple
fix is to not decrement the link count, but instead branch directly to the
call to iput. Setting u.u_error to EPERM is a flourish we couldn't resist.

==========================================================================
link() {
		<mumble, mumble>

	ip = namei(uchar, 0);
	if (ip == NULL)
		return;
	if ((ip->i_mode & IFMT)==IFDIR && !suser()) {
		u.u_error = EPERM;
		goto out1;			/* Note new label name! */
		}

		<mumble, mumble>

out:
	if (u.u_error) {
		ip->i_nlink--;
		ip->i_flag |= ICHG;
		}
out1:
	iput(ip);
}
==========================================================================

		Happy hacking!

	Daniel Klein and Tron McConnell, Mellon Institute, Pittsburgh

More information about the Net.bugs.v7 mailing list