From owner-svn-src-head@freebsd.org  Fri Apr 17 02:21:47 2020
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1C3992CE7F1;
 Fri, 17 Apr 2020 02:21:47 +0000 (UTC)
 (envelope-from rmacklem@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (4096 bits) client-digest SHA256)
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 493KbZ56wbz4Q2L;
 Fri, 17 Apr 2020 02:21:46 +0000 (UTC)
 (envelope-from rmacklem@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9A82A1B0A6;
 Fri, 17 Apr 2020 02:21:46 +0000 (UTC)
 (envelope-from rmacklem@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 03H2Lkw3022947;
 Fri, 17 Apr 2020 02:21:46 GMT (envelope-from rmacklem@FreeBSD.org)
Received: (from rmacklem@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id 03H2Lkat022946;
 Fri, 17 Apr 2020 02:21:46 GMT (envelope-from rmacklem@FreeBSD.org)
Message-Id: <202004170221.03H2Lkat022946@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to
 rmacklem@FreeBSD.org using -f
From: Rick Macklem <rmacklem@FreeBSD.org>
Date: Fri, 17 Apr 2020 02:21:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r360032 - head/sys/fs/nfsserver
X-SVN-Group: head
X-SVN-Commit-Author: rmacklem
X-SVN-Commit-Paths: head/sys/fs/nfsserver
X-SVN-Commit-Revision: 360032
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2020 02:21:47 -0000

Author: rmacklem
Date: Fri Apr 17 02:21:46 2020
New Revision: 360032
URL: https://svnweb.freebsd.org/changeset/base/360032

Log:
  Add a sanity check for nes_numsecflavor to the NFS server.
  
  Ryan Moeller reported crashes in the NFS server that appear to be
  caused by stack corruption in nfsrv_compound(). It appears that
  the stack got corrupted just after a NFSv4.1 Lookup that crosses
  a server mount point.
  Although it is just a "theory" at this point, the most obvious way
  the stack could get corrupted would be if nfsvno_checkexp() somehow
  acquires an export with a bogus nes_numsecflavor value. This would
  cause the copying of the secflavors to run off the end of the array,
  which is allocated on the stack below where the corruption occurs.
  
  This sanity check is simple to do and would stop the stack corruption
  if the theory is correct. Otherwise, doing the sanity check seems to
  be a reasonable safety belt to add to the code.
  
  Reported by:	freqlabs
  MFC after:	2 weeks

Modified:
  head/sys/fs/nfsserver/nfs_nfsdport.c

Modified: head/sys/fs/nfsserver/nfs_nfsdport.c
==============================================================================
--- head/sys/fs/nfsserver/nfs_nfsdport.c	Fri Apr 17 02:09:31 2020	(r360031)
+++ head/sys/fs/nfsserver/nfs_nfsdport.c	Fri Apr 17 02:21:46 2020	(r360032)
@@ -3066,6 +3066,11 @@ nfsvno_checkexp(struct mount *mp, struct sockaddr *nam
 			exp->nes_numsecflavor = 0;
 			error = 0;
 		}
+	} else if (exp->nes_numsecflavor < 1 || exp->nes_numsecflavor >
+	    MAXSECFLAVORS) {
+		printf("nfsvno_checkexp: numsecflavors out of range\n");
+		exp->nes_numsecflavor = 0;
+		error = EACCES;
 	} else {
 		/* Copy the security flavors. */
 		for (i = 0; i < exp->nes_numsecflavor; i++)
@@ -3102,6 +3107,12 @@ nfsvno_fhtovp(struct mount *mp, fhandle_t *fhp, struct
 			} else {
 				vput(*vpp);
 			}
+		} else if (exp->nes_numsecflavor < 1 || exp->nes_numsecflavor >
+		    MAXSECFLAVORS) {
+			printf("nfsvno_fhtovp: numsecflavors out of range\n");
+			exp->nes_numsecflavor = 0;
+			error = EACCES;
+			vput(*vpp);
 		} else {
 			/* Copy the security flavors. */
 			for (i = 0; i < exp->nes_numsecflavor; i++)