Date: Wed, 04 Oct 2023 17:14:05 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 274268] panic: vfs_lookup: encountered unexpected nul; string when a symlink contains an embedded NUL
Message-ID: <bug-274268-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274268

Bug ID: 274268
Summary: panic: vfs_lookup: encountered unexpected nul; string when a symlink contains an embedded NUL
Product: Base System
Version: 15.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: asomers@FreeBSD.org

If VOP_READLINK returns a buffer containing an embedded NUL, then this panic will result during lookup. I can reproduce this panic with a buggy or malicious fusefs server. I can also fix it in fusefs, but a different file system might be able to trigger it too. For example, from inspection ext3_readlink contains no protection against this condition. So it might be better to fix it in vfs_lookup.

#0  __curthread () at /usr/home/somers/src/freebsd.org/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=textdump@entry=0) at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:405
#2  0xffffffff804a401a in db_dump (dummy=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:591
#3  0xffffffff804a3e1d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=true)
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:504
#4  0xffffffff804a3add in db_command_loop () at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:551
#5  0xffffffff804a71b6 in db_trap (type=<optimized out>, code=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_main.c:268
#6  0xffffffff80b9e4c3 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe02ff636880)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:790
#7  0xffffffff8104d809 in trap (frame=0xfffffe02ff636880) at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/trap.c:608
#8  <signal handler called>
#9  kdb_enter (why=<optimized out>, msg=<optimized out>)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:556
#10 0xffffffff80b4f8e3 in vpanic (fmt=0xffffffff811b04a5 "%s: encountered unexpected nul; string [%s]\n", ap=ap@entry=0xfffffe02ff636ab0)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:958
#11 0xffffffff80b4f6c3 in panic (fmt=0xffffffff8196c800 <cnputs_mtx> "J\250\024\201\377\377\377\377")
    at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:894
#12 0xffffffff80c377f5 in vfs_lookup (ndp=ndp@entry=0xfffffe02ff636bd8)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:1093
#13 0xffffffff80c360ed in namei (ndp=ndp@entry=0xfffffe02ff636bd8)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:684
#14 0xffffffff80c567a0 in kern_statat (td=0xfffffe02f5069000, flag=<optimized out>, fd=-100,
    path=0x8291804b9 <error: Cannot access memory at address 0x8291804b9>,
    pathseg=pathseg@entry=UIO_USERSPACE, sbp=sbp@entry=0xfffffe02ff636d18)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2439
#15 0xffffffff80c56ea7 in sys_fstatat (td=0xffffffff8196c800 <cnputs_mtx>, uap=0xfffffe02f5069400)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2417
#16 0xffffffff8104e67f in syscallenter (td=0xfffffe02f5069000)
    at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/../../kern/subr_syscall.c:187

-- 
You are receiving this mail because:
You are the assignee for the bug.
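
A userland model of the kind of check the report asks for, as an added example (not FreeBSD kernel code and not part of the original report): a readlink result is rejected if a NUL appears inside its reported length, before the target is joined to the rest of the path. The helper names, MODEL_MAXPATHLEN and the errno values chosen are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAXPATHLEN 1024	/* assumption: stand-in for the kernel limit */

/* Hypothetical helper: validate len bytes returned by a readlink
 * implementation that may be buggy or hostile. Returns 0 or an errno. */
int
check_link_target(const char *buf, size_t len)
{
	if (len == 0)
		return (ENOENT);
	if (len >= MODEL_MAXPATHLEN)
		return (ENAMETOOLONG);
	/* A NUL inside the reported length means the C string ends before
	 * the length the caller goes on to track for the path. */
	if (memchr(buf, '\0', len) != NULL)
		return (EIO);	/* assumption: EIO for a malformed reply */
	return (0);
}

/* Hypothetical helper: build "target/rest" in out, modelling a lookup that
 * continues after following a symlink in the middle of a path. */
int
splice_link(const char *target, size_t tlen, const char *rest,
    char *out, size_t outsz)
{
	int error = check_link_target(target, tlen);
	size_t rlen = strlen(rest);

	if (error != 0)
		return (error);
	if (tlen + (rlen != 0 ? rlen + 1 : 0) + 1 > outsz)
		return (ENAMETOOLONG);
	memcpy(out, target, tlen);
	if (rlen != 0) {
		out[tlen] = '/';
		memcpy(out + tlen + 1, rest, rlen);
		tlen += rlen + 1;
	}
	out[tlen] = '\0';
	return (0);
}

int
main(void)
{
	char out[MODEL_MAXPATHLEN];
	/* Constructed sample: 7-byte target with a NUL at offset 3. */
	int error = splice_link("usr\0lib", 7, "libc.so", out, sizeof(out));
	printf("embedded NUL -> errno %d (%s)\n", error, strerror(error));
	return (0);
}
```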