Date: Wed, 01 Dec 2021 15:14:36 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260155] inadequate LAYOUTTYPE sanity check in nfsv4_loadattr()
Message-ID: <bug-260155-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260155

            Bug ID: 260155
           Summary: inadequate LAYOUTTYPE sanity check in nfsv4_loadattr()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #229829 text/plain mime type:

Created attachment 229829
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229829&action=edit
Crash an NFS server with a broken LAYOUTTYPE attribute.

In this nfsv4_loadattr() code:

        case NFSATTRBIT_FSLAYOUTTYPE:
        case NFSATTRBIT_LAYOUTTYPE:
                NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
                attrsum += NFSX_UNSIGNED;
                i = fxdr_unsigned(int, *tl);
                if (i > 0) {
                        NFSM_DISSECT(tl, u_int32_t *, i * NFSX_UNSIGNED);

If the RPC contains an i that is positive and big enough that
i*NFSX_UNSIGNED is negative, the next attribute may experience a crash
due to nd_dpos being wild. nfsm_dissect() and nfsm_dissct() are only
able to prevent this if the siz is positive, not negative.

I've attached a demo:

    # uname -a
    FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #120 main-n250906-d95bc6b0bf4c-dirty: Wed Dec  1 06:52:50 EST 2021     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
    # cc fnfsd_8.c
    # ./a.out
    ...
    panic: Fatal page fault at 0xffffffc000209adc: 0xffffffcf818ecbc0
    --- exception 13, tval = 0xffffffcf818ecbc0
    nfsv4_loadattr() at nfsv4_loadattr+0xef8
    nfsrvd_verify() at nfsrvd_verify+0xb6
    nfsrvd_dorpc() at nfsrvd_dorpc+0x147a
    nfssvc_program() at nfssvc_program+0x5a8
    svc_run_internal() at svc_run_internal+0x810
    svc_run() at svc_run+0x1a2
    nfsrvd_nfsd() at nfsrvd_nfsd+0x30c
    nfssvc_nfsd() at nfssvc_nfsd+0x3ac
    sys_nfssvc() at sys_nfssvc+0xd0
    do_trap_user() at do_trap_user+0x220
    cpu_exception_handler_user() at cpu_exception_handler_user+0x72
    --- exception 8, tval = 0x1c5816ef20

-- 
You are receiving this mail because:
You are the assignee for the bug.
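The arithmetic behind the report, as an added illustration that is not FreeBSD code or the reporter's attachment: the element count i is taken from the wire, the only check is i > 0, and i * NFSX_UNSIGNED is computed in a signed int, so a large i wraps to a negative length that nfsm_dissect() cannot reject. The names vulnerable_dissect_len and xdr_array_len are assumptions for the demo; the hardened version refuses any count whose byte length would not fit in an int before it is ever used as a dissect length.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NFSX_UNSIGNED 4 /* bytes in one XDR unsigned */

/* Mirrors the length computation the report describes: i is only
 * checked for i > 0, then multiplied in int. The uint32_t cast makes
 * the wrap deterministic on two's-complement targets instead of UB. */
static int
vulnerable_dissect_len(int i)
{
	if (i > 0)
		return (int)((uint32_t)i * NFSX_UNSIGNED); /* wraps for large i */
	return 0;
}

/* Overflow-safe byte length of an XDR array of `count` elements of
 * `elem` bytes. Returns false on a negative count or when count * elem
 * would not fit in an int, so the caller can fail the RPC instead of
 * dissecting with a negative (wild) length. */
static bool
xdr_array_len(int count, int elem, int *out)
{
	if (count < 0 || elem <= 0)
		return false;
	if (count > INT_MAX / elem)
		return false;
	*out = count * elem;
	return true;
}

int
main(void)
{
	int i = 0x20000000; /* constructed: 0x20000000 * 4 = 0x80000000 */
	int len;

	printf("i = %d (i > 0 passes)\n", i);
	printf("vulnerable length: %d\n", vulnerable_dissect_len(i)); /* negative */
	printf("hardened accepts:  %s\n",
	    xdr_array_len(i, NFSX_UNSIGNED, &len) ? "yes" : "no"); /* no */
	if (xdr_array_len(3, NFSX_UNSIGNED, &len))
		printf("3 layout types -> %d bytes\n", len); /* 12 */
	return 0;
}
```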