Date: Fri, 1 May 2020 23:07:23 +0000 (UTC)
From: Rick Macklem <rmacklem@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r360556 - stable/11/sys/fs/nfsserver
Message-ID: <202005012307.041N7NVv057605@repo.freebsd.org>
Author: rmacklem Date: Fri May 1 23:07:23 2020 New Revision: 360556 URL: https://svnweb.freebsd.org/changeset/base/360556 Log: MFC: r360032 Add a sanity check for nes_numsecflavor to the NFS server. Ryan Moeller reported crashes in the NFS server that appear to be caused by stack corruption in nfsrv_compound(). It appears that the stack got corrupted just after a NFSv4.1 Lookup that crosses a server mount point. Although it is just a "theory" at this point, the most obvious way the stack could get corrupted would be if nfsvno_checkexp() somehow acquires an export with a bogus nes_numsecflavor value. This would cause the copying of the secflavors to run off the end of the array, which is allocated on the stack below where the corruption occurs. This sanity check is simple to do and would stop the stack corruption if the theory is correct. Otherwise, doing the sanity check seems to be a reasonable safety belt to add to the code. Modified: stable/11/sys/fs/nfsserver/nfs_nfsdport.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- stable/11/sys/fs/nfsserver/nfs_nfsdport.c Fri May 1 22:37:09 2020 (r360555) +++ stable/11/sys/fs/nfsserver/nfs_nfsdport.c Fri May 1 23:07:23 2020 (r360556) @@ -2746,6 +2746,11 @@ nfsvno_checkexp(struct mount *mp, struct sockaddr *nam exp->nes_numsecflavor = 0; error = 0; } + } else if (exp->nes_numsecflavor < 1 || exp->nes_numsecflavor > + MAXSECFLAVORS) { + printf("nfsvno_checkexp: numsecflavors out of range\n"); + exp->nes_numsecflavor = 0; + error = EACCES; } else { /* Copy the security flavors. */ for (i = 0; i < exp->nes_numsecflavor; i++) 
@@ -2782,6 +2787,12 @@ nfsvno_fhtovp(struct mount *mp, fhandle_t *fhp, struct } else { vput(*vpp); } + } else if (exp->nes_numsecflavor < 1 || exp->nes_numsecflavor > + MAXSECFLAVORS) { + printf("nfsvno_fhtovp: numsecflavors out of range\n"); + exp->nes_numsecflavor = 0; + error = EACCES; + vput(*vpp); } else { /* Copy the security flavors. */ for (i = 0; i < exp->nes_numsecflavor; i++)
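Review bot: In the new else-if branch of nfsvno_checkexp(), the printf() says only "numsecflavors out of range" and drops the offending value, which is the one piece of data that would confirm or rule out the stack-corruption theory in the commit message. Print exp->nes_numsecflavor in the message before the next line resets it to 0. The printf() is also unthrottled, so an export that stays in the bad state will repeat the line on every call that reaches this branch; a rate limit would keep the console usable.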
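Review bot: The new branch in nfsvno_fhtovp() calls vput(*vpp) on the error path but, in the lines shown, leaves *vpp holding the released vnode pointer. Confirm that the rest of the function or every caller treats *vpp as invalid once error is EACCES, or clear the pointer in this branch. The range test "exp->nes_numsecflavor < 1 || exp->nes_numsecflavor > MAXSECFLAVORS" is also repeated verbatim from nfsvno_checkexp(); a small shared helper would keep the two bounds from drifting apart.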