On Wednesday, January 21, 2015 12:27:26 AM Sabrina Dubroca wrote:
2015-01-20, 23:17:25 +0000, Al Viro wrote:
> On Tue, Jan 20, 2015 at 10:50:41PM +0000, Al Viro wrote:
> > doesn't look at _anything_ other than name->name other than for
> > audit_inode(). And name->name is apparently the same.
> >
> > It looks like something ends up buggering name->name in process, but
> > then
> > the damn thing appears to be normal after return from
> > filename_lookup()...
>
> If my reconstruction of what's going on is correct, the call chain here
> is do_path_lookup() <- kern_path() <- lookup_bdev() <-
> blkdev_get_by_path()
> <- mount_bdev() <- some_type.mount() <- mount_fs()
> <- vfs_kern_mount() <- do_new_mount() <- do_mount() <- sys_mount()
> <- do_mount_root() <- mount_block_root() <- mount_root(). Which is
> obscenely long, BTW, but that's a separate story...
>
> Could you slap
>
> struct stat buf;
> int n = sys_newstat(name, &buf);
> printk(KERN_ERR "stat(\"%s\") -> %d\n", name, n);
> n = sys_newstat("/dev", &buf);
> printk(KERN_ERR "stat(\"dev\") -> %d\n", n);
>
> in the beginning of mount_block_root() (init/do_mounts.c) and see what it
> prints?
I get
stat("/dev/root") -> -2
stat("dev") -> -2
with the patch applied (+panic)
and:
stat("/dev/root") -> 0
stat("dev") -> 0
with the old version of do_path_lookup.
Wait a minute ... at this early stage of boot, I'm pretty sure we don't have a
valid current->audit_context since we haven't fork'd anything. If the audit
context was non-NULL garbage that might explain the panic ...
--
paul moore
security @ redhat