Subject: kern/5271: access(2) call on union filesystems may cause kernel fault.
To: None <gnats-bugs@gnats.netbsd.org>
From: MINOURA Makoto <minoura@kw.netlaputa.ne.jp>
List: netbsd-bugs
Date: 04/09/1998 22:56:07
>Number:         5271
>Category:       kern
>Synopsis:       access(2) call on union filesystems may cause kernel fault.
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr  9 07:05:00 1998
>Last-Modified:
>Originator:     MINOURA Makoto
>Organization:
MINOURA, Makoto <minoura@kw.netlaputa.ne.jp> or <minoura@kyogoku.com>
Nakahara-ku Kawasaki-Shi, JAPAN
>Release:        NetBSD-current supped at Apr. 8 16:18
>Environment:
System: NetBSD daisy 1.3E NetBSD 1.3E (DAISY) #48: Sat Apr 4 13:59:12 JST 1998 root@daisy:/usr/src/sys/arch/i386/compile/DAISY i386


>Description:

union_access() might dereference a stray pointer:

	struct union_mount *um = MOUNTTOUNIONMOUNT(vp->v_mount);
(union_vnops.c line 727)

Here, the vnode *vp does not always represent a file on a
union filesystem, so its v_mount must not be cast to a union_mount.
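The pointer confusion described above, as an added, constructed model (not NetBSD code): a generic mount carries fs-private data, the union layer's macro casts that data to a union_mount, and doing so on the lower (NFS) vnode's mount reads another filesystem's structure. The nfs_mount layout and the field values are assumptions for the demo.

```c
/* Constructed model of the union_access() mount-pointer bug; not NetBSD code. */
#include <stddef.h>
#include <string.h>

enum { UNMNT_ABOVE = 1, UNMNT_BELOW = 2, UNMNT_REPLACE = 3 };

/* Generic mount: fs-private data hangs off mnt_data, as in NetBSD's struct mount. */
struct mount { const char *mnt_fstype; void *mnt_data; };
struct vnode { struct mount *v_mount; };

/* union fs private mount data (subset of the real fields). */
struct union_mount { int um_op; int um_cred; };
/* Stand-in for the lower filesystem's private data; layout is assumed. */
struct nfs_mount { int nm_flag; int nm_timeo; };

#define MOUNTTOUNIONMOUNT(mp) ((struct union_mount *)((mp)->mnt_data))

/* Bug: the mount is taken from the lower-layer vnode VCALL was forwarded to. */
static int um_op_buggy(struct vnode *lowervp) {
    return MOUNTTOUNIONMOUNT(lowervp->v_mount)->um_op;
}
/* Fix, as in the PR's patch: the mount is taken from the union vnode itself. */
static int um_op_fixed(struct vnode *unionvp) {
    return MOUNTTOUNIONMOUNT(unionvp->v_mount)->um_op;
}
/* Defensive variant: refuse to reinterpret a mount that is not a union mount. */
static int um_op_checked(struct vnode *vp) {
    if (strcmp(vp->v_mount->mnt_fstype, "union") != 0) return -1;
    return MOUNTTOUNIONMOUNT(vp->v_mount)->um_op;
}

struct scenario { int buggy, fixed, checked_lower, checked_union; };

/* Builds an NFS mount below a union mount and runs each variant once. */
static struct scenario run_scenario(void) {
    struct nfs_mount nfsdata = { 0x40, 10 };            /* constructed values */
    struct union_mount udata = { UNMNT_BELOW, 42 };     /* constructed values */
    struct mount nfsmp = { "nfs", &nfsdata };
    struct mount unionmp = { "union", &udata };
    struct vnode lowervp = { &nfsmp };   /* vp after VCALL went to the lower layer */
    struct vnode unionvp = { &unionmp }; /* ap->a_vp on entry to union_access() */
    struct scenario s;
    s.buggy = um_op_buggy(&lowervp);           /* reads nm_flag as if it were um_op */
    s.fixed = um_op_fixed(&unionvp);           /* UNMNT_BELOW */
    s.checked_lower = um_op_checked(&lowervp); /* -1: wrong filesystem */
    s.checked_union = um_op_checked(&unionvp); /* UNMNT_BELOW */
    return s;
}
```

In the real kernel the misread field is a pointer used by the rest of union_access(), which is why the PR's test ends in a kernel fault rather than a wrong answer.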


>How-To-Repeat:

(assuming the fileserver holds the NetBSD source tree, and
the local host does not have /usr/obj/sys/arch/i386/config/GENERIC)

# mount -t nfs fileserver:/usr/src /usr/src
# mount -t union /usr/obj /usr/src
# test -r /sys/arch/i386/config/GENERIC
panic: kernel fault

>Fix:
*** /export/NetBSD-current/src/sys/miscfs/union/union_vnops.c	Tue Mar 17 21:10:57 1998
--- /sys/miscfs/union/union_vnops.c	Thu Apr  9 22:46:34 1998
***************
*** 712,717 ****
--- 712,718 ----
  	struct union_node *un = VTOUNION(ap->a_vp);
  	int error = EACCES;
  	struct vnode *vp;
+ 	struct union_mount *um = MOUNTTOUNIONMOUNT(ap->a_vp->v_mount);
  
  	if ((vp = un->un_uppervp) != NULLVP) {
  		FIXUP(un);
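Review bot: the new `um` is computed from `ap->a_vp->v_mount` at function entry, which is correct only because `ap->a_vp` is overwritten later (`ap->a_vp = vp;` in the next hunk); a one-line comment next to the declaration saying it must be taken before `ap->a_vp` is replaced by the upper or lower vnode would stop a later reader from "simplifying" it back to the crashing form.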
***************
*** 724,730 ****
  		ap->a_vp = vp;
  		error = VCALL(vp, VOFFSET(vop_access), ap);
  		if (error == 0) {
- 			struct union_mount *um = MOUNTTOUNIONMOUNT(vp->v_mount);
  
  			if (um->um_op == UNMNT_BELOW) {
  				ap->a_cred = um->um_cred;
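Review bot: this hunk only carries the `*** 724,730 ****` (old) side; the `--- ----` (new) side is missing from the report, so the patch as posted cannot be applied with patch(1) and should be regenerated from the full diff. The removed line is the right one: after `error = VCALL(vp, VOFFSET(vop_access), ap);` the vnode `vp` belongs to the upper or lower layer, and `vp->v_mount` is that filesystem's mount, not the union mount, which is the stray pointer the description refers to.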
>Audit-Trail:
>Unformatted: