From owner-svn-src-all@freebsd.org Fri May 1 23:07:24 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id E77F92B2488; Fri, 1 May 2020 23:07:23 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49DSZM5DYfz4Dm2; Fri, 1 May 2020 23:07:23 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 759BAFE30; Fri, 1 May 2020 23:07:23 +0000 (UTC) (envelope-from rmacklem@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 041N7N3g057606; Fri, 1 May 2020 23:07:23 GMT (envelope-from rmacklem@FreeBSD.org) Received: (from rmacklem@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 041N7NVv057605; Fri, 1 May 2020 23:07:23 GMT (envelope-from rmacklem@FreeBSD.org) Message-Id: <202005012307.041N7NVv057605@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: rmacklem set sender to rmacklem@FreeBSD.org using -f From: Rick Macklem Date: Fri, 1 May 2020 23:07:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r360556 - stable/11/sys/fs/nfsserver X-SVN-Group: stable-11 X-SVN-Commit-Author: rmacklem X-SVN-Commit-Paths: stable/11/sys/fs/nfsserver X-SVN-Commit-Revision: 360556 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 01 May 2020 23:07:24 -0000 Author: rmacklem Date: Fri May 1 23:07:23 2020 New Revision: 360556 URL: https://svnweb.freebsd.org/changeset/base/360556 Log: MFC: r360032 Add a sanity check for nes_numsecflavor to the NFS server. Ryan Moeller reported crashes in the NFS server that appear to be caused by stack corruption in nfsrv_compound(). It appears that the stack got corrupted just after a NFSv4.1 Lookup that crosses a server mount point. Although it is just a "theory" at this point, the most obvious way the stack could get corrupted would be if nfsvno_checkexp() somehow acquires an export with a bogus nes_numsecflavor value. This would cause the copying of the secflavors to run off the end of the array, which is allocated on the stack below where the corruption occurs. This sanity check is simple to do and would stop the stack corruption if the theory is correct. Otherwise, doing the sanity check seems to be a reasonable safety belt to add to the code. Modified: stable/11/sys/fs/nfsserver/nfs_nfsdport.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/fs/nfsserver/nfs_nfsdport.c ============================================================================== --- stable/11/sys/fs/nfsserver/nfs_nfsdport.c Fri May 1 22:37:09 2020 (r360555) +++ stable/11/sys/fs/nfsserver/nfs_nfsdport.c Fri May 1 23:07:23 2020 (r360556) @@ -2746,6 +2746,11 @@ nfsvno_checkexp(struct mount *mp, struct sockaddr *nam exp->nes_numsecflavor = 0; error = 0; } + } else if (exp->nes_numsecflavor < 1 || exp->nes_numsecflavor > + MAXSECFLAVORS) { + printf("nfsvno_checkexp: numsecflavors out of range\n"); + exp->nes_numsecflavor = 0; + error = EACCES; } else { /* Copy the security flavors. */ for (i = 0; i < exp->nes_numsecflavor; i++) @@ -2782,6 +2787,12 @@ nfsvno_fhtovp(struct mount *mp, fhandle_t *fhp, struct } else { vput(*vpp); } + } else if (exp->nes_numsecflavor < 1 || exp->nes_numsecflavor > + MAXSECFLAVORS) { + printf("nfsvno_fhtovp: numsecflavors out of range\n"); + exp->nes_numsecflavor = 0; + error = EACCES; + vput(*vpp); } else { /* Copy the security flavors. */ for (i = 0; i < exp->nes_numsecflavor; i++)