Date: Thu, 07 Feb 2019 23:35:02 +0000
From: bugzilla-noreply@freebsd.org
To: fs@FreeBSD.org
Subject: [Bug 235582] rpc_svc_gss / nfsd kernel panic
Message-ID: <bug-235582-3630-pTyo7iFLoD@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-235582-3630@https.bugs.freebsd.org/bugzilla/>
References: <bug-235582-3630@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235582

--- Comment #2 from Peter Eriksson <peter.x.eriksson@liu.se> ---
This is a huge wild chance, but I was looking at the assembler code for the
svc_rpc_gss function at around the offset (0x8f2 = 2290) and it looks like
this:

0xffffffff8286d4bc <svc_rpc_gss+2268>:  callq  0xffffffff8286bc50 <rpc_gss_oid_to_mech>
0xffffffff8286d4c1 <svc_rpc_gss+2273>:  mov    0x78(%r14),%rsi
0xffffffff8286d4c5 <svc_rpc_gss+2277>:  lea    -0x38(%rbp),%rdi
0xffffffff8286d4c9 <svc_rpc_gss+2281>:  lea    -0x70(%rbp),%rdx
0xffffffff8286d4cd <svc_rpc_gss+2285>:  callq  0xffffffff828678b0 <gss_export_name>
0xffffffff8286d4d2 <svc_rpc_gss+2290>:  test   %eax,%eax
0xffffffff8286d4d4 <svc_rpc_gss+2292>:  je     0xffffffff8286d932 <svc_rpc_gss+3410>

Looking at the source code in the svc_rpcsec_gss.c file this _might_
correspond to code in svc_rpc_gss_accept_sec_context() at around line 941:

        client->cl_rawcred.version = RPCSEC_GSS_VERSION;
        rpc_gss_oid_to_mech(mech, &client->cl_rawcred.mechanism);
        maj_stat = gss_export_name(&min_stat, client->cl_cname,
            &export_name);
        if (maj_stat != GSS_S_COMPLETE) {
                rpc_gss_log_status("gss_export_name", client->cl_mech,
                    maj_stat, min_stat);
                return (FALSE);
        }
        client->cl_rawcred.client_principal =
                mem_alloc(sizeof(*client->cl_rawcred.client_principal)
                    + export_name.length);
        client->cl_rawcred.client_principal->len = export_name.length;
        memcpy(client->cl_rawcred.client_principal->name,
            export_name.value, export_name.length);

-- 
You are receiving this mail because:
You are the assignee for the bug.