Subject: port-i386/474: Kernel crashing on wrong access to mfs mounted /tmp
To: None <gnats-admin@sun-lamp.cs.berkeley.edu>
From: Andrew Wheadon <andrew@wipux2.wifo.uni-mannheim.de>
List: netbsd-bugs
Date: 09/13/1994 10:05:06
>Number:         474
>Category:       port-i386
>Synopsis:       panic when userland executable messes with /tmp
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin (GNATS administrator)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 13 10:05:04 1994
>Originator:     Andrew Wheadon
>Organization:
>Release:        
>Environment:
System: NetBSD wipux2.wifo.uni-mannheim.de 1.0_BETA NetBSD 1.0_BETA (TEST) #0: Sun Sep 11 15:32:13 MET DST 1994 toor@wipux2.wifo.uni-mannheim.de:/src/src/sys/arch/i386/compile/TEST i386


>Description:
	There seems to be a problem in the mfs-layer which causes
	a panic when for example pine messes with an mfs-mounted /tmp 
	and one then tries to create a file in /tmp.
>How-To-Repeat:
	mount /tmp as an mfs: (/etc/fstab)
		/dev/sd0b /tmp mfs rw,-s=48000 0 0
	Compile pine (./build bsi) (probs: sys_errlist and prototype 
                                    sstrcasecmp is wrong)
        install with no special perms. Run as a normal user on a
        mail folder with a few mails in. (I did it with 2, 3 and 6)
        read the mail with pine.
		While running, pine will create a file on /tmp of about
		4 GB in size (according to ls -l /tmp); this takes less
		than a second and nothing seems to really be written.
	quit pine.
	Do an ls -l /tmp and the file is gone.
	Create a file on /tmp with 'cat >/tmp/t' and the kernel 
	panics on panic-ffs_vfree-ffs_blkpref-ffs_blkpref-ffs_alloc-
		ffs_balloc-ffs_write-vn_write-write-syscall(number 4)

	This bug is at least 2 months old but at the time I thought
	it was just me. I've meanwhile tried it on a normal /tmp and
	there it doesn't fail. So it seems to be a bug in the mfs-code
	and since I'm a normal user and the binary has no special
	permissions it seems that anybody who wishes to can crash the
	machine. Just copy over a pine-binary and run it...
	
>Fix:
	Don't use pine. || Don't use mount_mfs. ;-)

>Audit-Trail:
>Unformatted: