From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 274268] panic: vfs_lookup: encountered unexpected nul; string when a symlink contains an embedded NUL
Date: Wed, 04 Oct 2023 17:14:05 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274268

            Bug ID: 274268
           Summary: panic: vfs_lookup: encountered unexpected nul; string
                    when a symlink contains an embedded NUL
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: asomers@FreeBSD.org

If VOP_READLINK returns a buffer containing an embedded NUL, then this panic
will result during lookup. I can reproduce this panic with a buggy or malicious
fusefs server. I can also fix it in fusefs, but a different file system might
be able to trigger it too. For example, from inspection ext3_readlink contains
no protection against this condition. So it might be better to fix it in
vfs_lookup.

#0  __curthread ()
    at /usr/home/somers/src/freebsd.org/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=textdump@entry=0)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:405
#2  0xffffffff804a401a in db_dump (dummy=, dummy2=, dummy3=, dummy4=)
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:591
#3  0xffffffff804a3e1d in db_command (last_cmdp=, cmd_table=, dopager=true)
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:504
#4  0xffffffff804a3add in db_command_loop ()
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:551
#5  0xffffffff804a71b6 in db_trap (type=, code=)
    at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_main.c:268
#6  0xffffffff80b9e4c3 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe02ff636880)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:790
#7  0xffffffff8104d809 in trap (frame=0xfffffe02ff636880)
    at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/trap.c:608
#8
#9  kdb_enter (why=, msg=)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:556
#10 0xffffffff80b4f8e3 in vpanic (fmt=0xffffffff811b04a5 "%s: encountered unexpected nul; string [%s]\n", ap=ap@entry=0xfffffe02ff636ab0)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:958
#11 0xffffffff80b4f6c3 in panic (fmt=0xffffffff8196c800 "J\250\024\201\377\377\377\377")
    at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:894
#12 0xffffffff80c377f5 in vfs_lookup (ndp=ndp@entry=0xfffffe02ff636bd8)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:1093
#13 0xffffffff80c360ed in namei (ndp=ndp@entry=0xfffffe02ff636bd8)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:684
#14 0xffffffff80c567a0 in kern_statat (td=0xfffffe02f5069000, flag=, fd=-100, path=0x8291804b9 ,
    pathseg=pathseg@entry=UIO_USERSPACE, sbp=sbp@entry=0xfffffe02ff636d18)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2439
#15 0xffffffff80c56ea7 in sys_fstatat (td=0xffffffff8196c800 , uap=0xfffffe02f5069400)
    at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2417
#16 0xffffffff8104e67f in syscallenter (td=0xfffffe02f5069000)
    at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/../../kern/subr_syscall.c:187
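
Added example, not part of the original report and not FreeBSD source: a user-space sketch of the kind of check the report suggests placing in the generic lookup path, so that a symlink target handed back by any filesystem is validated before it is spliced into the path being parsed. The function name, the SKETCH_MAXPATHLEN constant and the errno chosen for the embedded-NUL case are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SKETCH_MAXPATHLEN 1024	/* assumption: stands in for the kernel's MAXPATHLEN */

/*
 * Hypothetical helper: validate the bytes a filesystem's readlink routine
 * reported. `link` holds `linklen` bytes and is not assumed to be
 * NUL-terminated; `remaining` is the length of the not-yet-parsed path tail,
 * including its terminating NUL. Returns 0 if usable, otherwise an errno.
 */
int
symlink_target_check(const char *link, size_t linklen, size_t remaining)
{
	if (linklen == 0)
		return (ENOENT);	/* empty symlink target */
	if (linklen > SKETCH_MAXPATHLEN ||
	    remaining > SKETCH_MAXPATHLEN - linklen)
		return (ENAMETOOLONG);	/* target plus tail would not fit */
	/*
	 * The case from the report: the length says the target is linklen
	 * bytes, but a NUL inside that range makes a C-string parser stop
	 * early and disagree with the length bookkeeping. A terminator
	 * counted in linklen is rejected as well.
	 */
	if (memchr(link, '\0', linklen) != NULL)
		return (EINVAL);	/* assumption: errno is illustrative */
	return (0);
}

int
main(void)
{
	/* Constructed sample targets, as a filesystem might return them. */
	static const char good[] = { 'e', 't', 'c', '/', 'r', 'c' };
	static const char bad[] = { 'e', 't', 'c', '\0', 'r', 'c' };

	printf("good target: %d\n", symlink_target_check(good, sizeof(good), 1));
	printf("embedded NUL: %d\n", symlink_target_check(bad, sizeof(bad), 1));
	return (0);
}
```

Returning an error to the caller at this point turns a malformed target from one filesystem into a failed lookup rather than a kernel panic.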