Date: Mon, 25 May 1998 00:23:42 -0700 (PDT) From: ovg@nusun.jinr.ru To: freebsd-gnats-submit@FreeBSD.ORG Subject: kern/6747: bad rpc call to nfs crashes system Message-ID: <199805250723.AAA11830@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 6747
>Category: kern
>Synopsis: bad rpc call to nfs crashes system
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon May 25 00:20:00 PDT 1998
>Last-Modified:
>Originator: Vladimir Olshevsky
>Organization:
Joint Institute for Nuclear Research
>Release: FreeBSD 2.2.6
>Environment:
FreeBSD nuraid.jinr.ru 2.2.6-RELEASE FreeBSD 2.2.6-RELEASE #1:
Fri May 22 19:00:11 MSD 1998
ovg@nuraid.jinr.ru:/usr/src/sys/compile/NURAID i386
>Description:
Issuing an rpc call to nfs with negative procedure number
crashes system. Here is a kgdb session:
nuraid#>gdb -k
(kgdb) symbol-file kernel.debug.3
Reading symbols from kernel.debug.3...done
(kgdb) exec-file kernel.3
(kgdb) core-file vmcore.3
IdlePTD 208000
current pcb at 1ec9ac
panic: page fault
#0 boot (howto=256) at ../../kern/kern_shutdown.c:266
266 dumppcb.pcb_cr3 = rcr3();
(kgdb) where
#0 boot (howto=256) at ../../kern/kern_shutdown.c:266
#1 0xf0110f92 in panic (fmt=0xf01bb3df "page fault")
at ../../kern/kern_shutdown.c:390
#2 0xf01bbf86 in trap_fatal (frame=0xefbffd10) at ../../i386/i386/trap.c:770
#3 0xf01bba74 in trap_pfault (frame=0xefbffd10, usermode=0)
at ../../i386/i386/trap.c:677
#4 0xf01bb717 in trap (frame={tf_es = 16, tf_ds = 16, tf_edi = -227143168,
tf_esi = -241365248, tf_ebp = -272630364, tf_isp = -272630472,
tf_ebx = -241365144, tf_edx = -241365248, tf_ecx = 2,
tf_eax = -1995291404, tf_trapno = 12, tf_err = 0, tf_eip = -266941659,
tf_cs = 8, tf_eflags = 66118, tf_esp = -227143168, tf_ss = -241365248})
at ../../i386/i386/trap.c:324
#5 0xf016cb25 in nfs_getreq (nd=0xf2761200, nfsd=0xf2537c00, has_header=1)
at ../../nfs/nfs_socket.c:1980
#6 0xf016c8dc in nfsrv_dorec (slp=0xf2500000, nfsd=0xf2537c00, ndp=0xefbffe34)
at ../../nfs/nfs_socket.c:1894
#7 0xf01715e6 in nfssvc_nfsd (nsd=0xefbffe8c, argp=0x1770c "", p=0xf252f600)
at ../../nfs/nfs_syscalls.c:520
#8 0xf01710e8 in nfssvc (p=0xf252f600, uap=0xefbfff94, retval=0xefbfff84)
at ../../nfs/nfs_syscalls.c:344
#9 0xf01bc1c3 in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 8,
tf_esi = 0, tf_ebp = -272638388, tf_isp = -272629788, tf_ebx = 1,
tf_edx = -272638564, tf_ecx = 0, tf_eax = 155, tf_trapno = 12,
tf_err = 7, tf_eip = 10805, tf_cs = 31, tf_eflags = 658,
tf_esp = -272638556, tf_ss = 39}) at ../../i386/i386/trap.c:918
#10 0x2a35 in ?? ()
#11 0x107e in ?? ()
(kgdb) up 5
#5 0xf016cb25 in nfs_getreq (nd=0xf2761200, nfsd=0xf2537c00, has_header=1)
at ../../nfs/nfs_socket.c:1980
1980 nd->nd_procnum = nfsv3_procid[nd->nd_procnum];
(kgdb) print nd->nd_procnum
$1 = -1995291404
(kgdb)
>How-To-Repeat:
Issue an rpc call to nfs with negative procedure
number ... Analyze crash dump
>Fix:
The problem is in comparison of signed variable with
maximum procedure number in nfs_socket.c:1972 - there is no
check on (invalid) negative value in nd->nd_procnum
To fix it, apply a following patch:
*** /sys/nfs/nfs_socket.c.orig Wed May 14 12:19:28 1997
--- /sys/nfs/nfs_socket.c Mon May 25 11:21:39 1998
***************
*** 1969,1977 ****
nd->nd_procnum = fxdr_unsigned(u_long, *tl++);
if (nd->nd_procnum == NFSPROC_NULL)
return (0);
! if (nd->nd_procnum >= NFS_NPROCS ||
! (!nqnfs && nd->nd_procnum >= NQNFSPROC_GETLEASE) ||
! (!nd->nd_flag && nd->nd_procnum > NFSV2PROC_STATFS)) {
nd->nd_repstat = EPROCUNAVAIL;
nd->nd_procnum = NFSPROC_NOOP;
return (0);
--- 1969,1977 ----
nd->nd_procnum = fxdr_unsigned(u_long, *tl++);
if (nd->nd_procnum == NFSPROC_NULL)
return (0);
! if ((unsigned)nd->nd_procnum >= NFS_NPROCS ||
! (!nqnfs && (unsigned)nd->nd_procnum >= NQNFSPROC_GETLEASE) ||
! (!nd->nd_flag && (unsigned)nd->nd_procnum > NFSV2PROC_STATFS)) {
nd->nd_repstat = EPROCUNAVAIL;
nd->nd_procnum = NFSPROC_NOOP;
return (0);
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199805250723.AAA11830>