Synopsis: Security hole in umapfs NetBSD versions: NetBSD 1.3.3 and prior; NetBSD-current until 19990312 Thanks to: Manuel Bouyer Reported in NetBSD Security Advisory: SA1999-006 This patch fixes the umapfs problem described in the NetBSD-SA1999-006 security advisory. For it to apply, make sure you have NetBSD 1.3.3 kernel sources unpacked in /usr/src, then do: % cd /usr/src/sys % patch <19990311-umapfs % cd ../../arch/`uname -m`/conf % config GENERIC % cd ../compile/GENERIC % make depend && make % su root # mv /netbsd /netbsd.old # cp netbsd / # chmod 444 /netbsd # sync; reboot Index: miscfs/umapfs/umap_vfsops.c =================================================================== RCS file: /archive/cvs/cvsroot/NetBSD/src/sys/miscfs/umapfs/umap_vfsops.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 umap_vfsops.c --- umap_vfsops.c 1997/12/15 16:50:05 1.1.1.1 +++ umap_vfsops.c 1999/03/11 20:41:33 @@ -50,6 +50,7 @@ #include #include #include +#include #include #include #include @@ -85,6 +86,10 @@ struct umap_mount *amp; size_t size; int error; + + /* only for root */ + if ((error = suser(p->p_ucred, &p->p_acflag)) != 0) + return error; #ifdef UMAPFS_DIAGNOSTIC printf("umapfs_mount(mp = %p)\n", mp);