Date: Thu, 02 Dec 2021 19:16:14 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260176] nfsrvd_verify() passes sfp=NULL to nfsv4_loadattr(), which can crash
Message-ID: <bug-260176-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260176

            Bug ID: 260176
           Summary: nfsrvd_verify() passes sfp=NULL to nfsv4_loadattr(), which can crash
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 229846
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229846&action=edit
Crash an NFS v4 server with a VERIFY that mentions FILESAVAIL

nfsrvd_verify() passes NULL for sfp to nfsv4_loadattr(), but if the client
includes an attribute like FILESAVAIL that uses sfp, nfsv4_loadattr() will
crash.

I've attached a demo:

    # uname -a
    FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #122 main-n250906-d95bc6b0bf4c-dirty: Thu Dec  2 05:26:06 EST 2021     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM  riscv
    # cc fnfsd_9.c
    # ./a.out
    ...
    panic: Fatal page fault at 0xffffffc00020a678: 0x00000000000028
    --- exception 13, tval = 0x28
    nfsv4_loadattr() at nfsv4_loadattr+0x1a94
    nfsrvd_verify() at nfsrvd_verify+0xb6
    nfsrvd_dorpc() at nfsrvd_dorpc+0x147a
    nfssvc_program() at nfssvc_program+0x5a8
    svc_run_internal() at svc_run_internal+0x810
    svc_run() at svc_run+0x1a2
    nfsrvd_nfsd() at nfsrvd_nfsd+0x30c
    nfssvc_nfsd() at nfssvc_nfsd+0x3ac
    sys_nfssvc() at sys_nfssvc+0xd0
    do_trap_user() at do_trap_user+0x220
    cpu_exception_handler_user() at cpu_exception_handler_user+0x72

-- 
You are receiving this mail because:
You are the assignee for the bug.
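The defensive pattern the report calls for, as an added example for this note and not FreeBSD's own nfsv4_loadattr() code: the structures, attribute bits, error constants and function names below are simplified, hypothetical stand-ins. The decoder validates that a client-requested attribute has the backing data the caller supplied (here, a non-NULL sfp for FILESAVAIL) before dereferencing it, so a VERIFY that names FILESAVAIL gets an error reply instead of faulting the kernel.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified stand-ins for the server-side structures. */
struct statfs_info  { uint64_t f_ffree; };   /* source of the FILESAVAIL value */
struct loaded_attrs { uint64_t files_avail; int have_files_avail; };

#define ATTR_FILESAVAIL (1u << 0)   /* client-requested attribute that needs sfp */
#define ATTR_SIZE       (1u << 1)   /* attribute that does not need sfp */
#define NFSERR_OK    0
#define NFSERR_INVAL 22             /* constructed error code for this example */

/* Hardened decoder. 'attrbits' is chosen by the remote client, so the check
 * for a missing sfp belongs here, not in the caller: any sfp-dependent
 * attribute is refused when the caller provided no statfs data. The defect
 * in the report is the same function without the sfp == NULL test. */
int loadattr(uint32_t attrbits, const struct statfs_info *sfp,
             struct loaded_attrs *out)
{
    out->have_files_avail = 0;
    if ((attrbits & ATTR_FILESAVAIL) && sfp == NULL)
        return NFSERR_INVAL;        /* reject instead of dereferencing NULL */
    if (attrbits & ATTR_FILESAVAIL) {
        out->files_avail = sfp->f_ffree;
        out->have_files_avail = 1;
    }
    /* ATTR_SIZE and other sfp-independent attributes would be decoded here. */
    return NFSERR_OK;
}

/* Mirrors the VERIFY path from the report: this caller has no statfs data and
 * passes sfp == NULL. A client bitmap naming FILESAVAIL now yields an error
 * status that can be returned to the client rather than a page fault. */
int verify_op(uint32_t client_attrbits)
{
    struct loaded_attrs a;
    return loadattr(client_attrbits, NULL, &a);
}
```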