Synopsis: Security hole in umapfs
NetBSD versions: NetBSD 1.3.3 and prior; NetBSD-current until 19990312
Thanks to: Manuel Bouyer
Reported in NetBSD Security Advisory: SA1999-006


This patch fixes the umapfs problem described in the NetBSD-SA1999-006
security advisory. To apply it, make sure the NetBSD 1.3.3 kernel
sources are unpacked in /usr/src, then run:
    % cd /usr/src/sys
    % patch <19990311-umapfs
    % cd ../../arch/`uname -m`/conf
    % config GENERIC
    % cd ../compile/GENERIC
    % make depend && make
    % su root
    # mv /netbsd /netbsd.old
    # cp netbsd /
    # chmod 444 /netbsd
    # sync; reboot


Index: miscfs/umapfs/umap_vfsops.c
===================================================================
RCS file: /archive/cvs/cvsroot/NetBSD/src/sys/miscfs/umapfs/umap_vfsops.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 umap_vfsops.c
--- umap_vfsops.c	1997/12/15 16:50:05	1.1.1.1
+++ umap_vfsops.c	1999/03/11 20:41:33
@@ -50,6 +50,7 @@
 #include <sys/types.h>
 #include <sys/vnode.h>
 #include <sys/mount.h>
+#include <sys/proc.h>
 #include <sys/namei.h>
 #include <sys/malloc.h>
 #include <miscfs/umapfs/umap.h>
@@ -85,6 +86,10 @@
 	struct umap_mount *amp;
 	size_t size;
 	int error;
+
+	/* only for root */
+	if ((error = suser(p->p_ucred, &p->p_acflag)) != 0)
+		return error;
 
 #ifdef UMAPFS_DIAGNOSTIC
 	printf("umapfs_mount(mp = %p)\n", mp);
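Review bot: The comment `/* only for root */` on the added suser() check says who may mount but not why, and the reason is the part a later maintainer needs. umapfs exists to remap user and group IDs for the layer it mounts, so the comment should tie the restriction to that, e.g. `/* umapfs remaps uids/gids; only the superuser may install a mapping (NetBSD-SA1999-006) */`. The check sits ahead of the UMAPFS_DIAGNOSTIC printf and, as far as the hunk shows, ahead of any argument handling or allocation, so the early `return error` should not leak anything. The rest of the function, including the declaration of `p`, is outside the hunk, so that ordering should be confirmed against the full file.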