[issue1885] Panic when mounting a jailed devfs with jail devfs.conf entries

fanch (via DragonFly issue tracker) sinknull at leaf.dragonflybsd.org
Sat Oct 23 11:15:20 PDT 2010


New submission from fanch <fanch at kekpar.net>:

In devfs_rules.c, struct "devfs_rule_ioctl" member "rule_type" is tested as an
integer, but is a bitmask. So when both DEVFS_RULE_NAME and DEVFS_RULE_JAIL are
set, the member "name" in newly created devfs_rule is set to NULL.

Later, devfs_rule_checkname() is called, and the kernel will panic in
devfs_resolve_name_path().

See diff for a partial correction (len==0 and invalid name or linkname pointers
need to be handled elsewhere).

By the way, /dev/rc.d/devfs seems to be called too early in the boot process:
it does nothing. But calling it later (manually) works.

----------
files: devfs_rules.c.diff
messages: 9161
nosy: fanch
priority: bug
status: unread
title: Panic when mounting a jailed devfs with jail devfs.conf entries

_____________________________________________________
DragonFly issue tracker <bugs at lists.dragonflybsd.org>
<http://bugs.dragonflybsd.org/issue1885>
_____________________________________________________
Attachment: devfs_rules.c.diff
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bin00001.bin
Type: application/octet-stream
Size: 357 bytes
Desc: "Description: Binary data"
URL: <http://lists.dragonflybsd.org/pipermail/bugs/attachments/20101023/7c6b1f5b/attachment-0015.bin>
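
The bitmask-versus-equality mistake described in the report, reduced to a user-space C sketch. This is an added example, not the DragonFly source or the attached diff. Only the names DEVFS_RULE_NAME and DEVFS_RULE_JAIL come from the report; the flag values, struct layouts and helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Flag names are from the report; the numeric values are assumed for this sketch. */
#define DEVFS_RULE_NAME 0x01UL
#define DEVFS_RULE_JAIL 0x04UL

/* Hypothetical, reduced stand-ins for the ioctl request and the stored rule. */
struct rule_req { unsigned long rule_type; const char *name; };
struct rule     { unsigned long rule_type; const char *name; };

/* Reported pattern: rule_type compared as a whole integer. */
static void build_rule_eq(struct rule *r, const struct rule_req *q)
{
    r->rule_type = q->rule_type;
    /* False for NAME|JAIL, so the name is dropped although the NAME bit stays set. */
    r->name = (q->rule_type == DEVFS_RULE_NAME) ? q->name : NULL;
}

/* Corrected pattern: test the NAME bit, whatever else is set. */
static void build_rule_mask(struct rule *r, const struct rule_req *q)
{
    r->rule_type = q->rule_type;
    r->name = (q->rule_type & DEVFS_RULE_NAME) ? q->name : NULL;
}

/* 1 = match, 0 = no match, -1 = NAME bit set but name is NULL (the panic state). */
static int rule_checkname(const struct rule *r, const char *devname)
{
    if (!(r->rule_type & DEVFS_RULE_NAME))
        return 1;                       /* rule has no name constraint */
    if (r->name == NULL)
        return -1;                      /* a kernel path would dereference NULL here */
    return strcmp(r->name, devname) == 0;
}

/* Build a rule with either pattern and check it against a device name. */
int check(int use_mask, unsigned long type, const char *name, const char *dev)
{
    struct rule_req q = { type, name };
    struct rule r;
    if (use_mask) build_rule_mask(&r, &q); else build_rule_eq(&r, &q);
    return rule_checkname(&r, dev);
}

int main(void)
{
    unsigned long t = DEVFS_RULE_NAME | DEVFS_RULE_JAIL;
    printf("equality: %d, mask: %d\n", check(0, t, "null", "null"), check(1, t, "null", "null"));
    return 0;
}
```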

