From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 281279] nfscl: panic: MSan: Uninitialized stack memory in nfscl_cberrmap
Date: Sun, 08 Sep 2024 19:09:41 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: crash
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: asomers@FreeBSD.org
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-Changed-Fields: cc
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281279

Alan Somers changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rmacklem@FreeBSD.org

--- Comment #4 from Alan Somers ---
I think I've found the source of the problem:

Firstly, my environment is a 15.0 client and a 14.1 server. The client uses
NFS 4.2 for /usr/home and I run nfsuserd on both client and server. I have no
NFS tunables set on the client.

What happens is that:
1) When I run "whoami", my shell does an append write to
/usr/home/somers/.local/share/fish/fish_history
2) ncl_writerpc allocates "struct nfsvattr nfsva" on the stack, on its first
line, but does not initialize it.
3) The AppendWrite RPC returns from the server. Wireshark shows that the
compound RPC includes SEQUENCE, PUTFH, GETATTR, VERIFY, WRITE, and GETATTR.
But the attr masks for neither GETATTR contain Owner.
4) So nfsv4_loadattr returns without initializing nap->na_uid. Note that if
I insert logic to set na_uid to 666 in step 2, it is still equal to 666 here.
5) Control returns two levels up the stack back to ncl_writerpc,
6) which calls nfscl_loadattrcache. At line 522 that function calls NFSBCOPY
to actually copy the attributes into NFS's attribute cache, and at that point
na_uid is still uninitialized.

Later, the shell stat()s the fish_history file. That reads the uninitialized
na_uid attribute from NFS's attribute cache, triggering the MSan panic above.

But what can we do about it? I have a patch that sets na_uid=na_gid=VNOVAL
in nfsv4_loadattr. That makes the MSan warnings go away. And yet, I'm not
convinced that it's the correct solution. After all, I've never actually seen
the wrong uid or gid displayed by "ls", which suggests that it's getting set
somehow, even if MSan doesn't know it.

-- 
You are receiving this mail because:
You are the assignee for the bug.
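A constructed C model of the attribute path the comment describes, added here as an illustration; it is not nfscl source and not the reporter's patch. The names nfsvattr, na_uid, na_gid and VNOVAL follow the comment, but the struct layouts, the FATTR_* mask bits and the VNOVAL-gated cache merge are assumptions (the merge goes one step beyond the comment's patch, which only presets VNOVAL, and replaces the blind NFSBCOPY).

```c
#include <stdint.h>
#include <string.h>
/* Constructed model: names mirror the comment, but none of this is nfscl code. */
#define VNOVAL      (-1)
#define FATTR_OWNER (1u << 0)   /* hypothetical attr-mask bit for Owner */
#define FATTR_SIZE  (1u << 1)

struct nfsvattr { uint64_t na_size; int32_t na_uid; int32_t na_gid; };
struct reply    { unsigned mask; uint64_t size; int32_t uid, gid; }; /* decoded GETATTR */

/* Before: only mask-present fields are written, so na_uid keeps whatever the
 * caller's stack held when the reply carries no Owner (the MSan finding). */
static void loadattr_unsafe(struct nfsvattr *nap, const struct reply *r) {
    if (r->mask & FATTR_SIZE)
        nap->na_size = r->size;
    if (r->mask & FATTR_OWNER) {
        nap->na_uid = r->uid;
        nap->na_gid = r->gid;
    }
}

/* After: the comment's patch idea, every mask-gated field gets a defined
 * "not present" value before decoding. */
static void loadattr_fixed(struct nfsvattr *nap, const struct reply *r) {
    nap->na_uid = VNOVAL;
    nap->na_gid = VNOVAL;
    loadattr_unsafe(nap, r);
}

/* Cache merge (assumed hardening, one step past the patch): instead of a
 * blind NFSBCOPY, keep the cached owner when the reply did not carry one. */
static void loadattrcache(struct nfsvattr *cache, const struct nfsvattr *nap) {
    cache->na_size = nap->na_size;
    if (nap->na_uid != VNOVAL) cache->na_uid = nap->na_uid;
    if (nap->na_gid != VNOVAL) cache->na_gid = nap->na_gid;
}

/* Replays the scenario: a WRITE reply whose GETATTR mask lacks Owner.
 * Returns the uid the cache holds afterwards. The cache previously held 1001;
 * the fixed path preserves it, the unsafe path leaks the stack stand-in. */
int cached_uid_after_write(int use_fix) {
    struct nfsvattr cache = { .na_size = 10, .na_uid = 1001, .na_gid = 1001 };
    struct nfsvattr nfsva;
    memset(&nfsva, 0x66, sizeof nfsva);  /* deterministic stand-in for the
                                            uninitialised stack struct */
    struct reply r = { .mask = FATTR_SIZE, .size = 42 };
    if (use_fix) loadattr_fixed(&nfsva, &r); else loadattr_unsafe(&nfsva, &r);
    loadattrcache(&cache, &nfsva);
    return cache.na_uid;
}
```

Under MSan the real bug is the uninitialised read itself; the memset only makes the garbage reproducible so the two paths can be compared.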