From owner-freebsd-bugs@FreeBSD.ORG Tue Jul 22 03:40:03 2008
Message-Id: <200807220331.m6M3V8cD055528@www.freebsd.org>
Date: Tue, 22 Jul 2008 03:31:08 GMT
From: Nathan Whitehorn
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/125849: nfs_decode_args() reads invalid memory when called from userspace

>Number:         125849
>Category:       kern
>Synopsis:       nfs_decode_args() reads invalid memory when called from userspace
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 22 03:40:03 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Nathan Whitehorn
>Release:        8.0-CURRENT
>Organization:   University of Wisconsin
>Environment:
FreeBSD ceto.tachypleus.net 8.0-CURRENT FreeBSD 8.0-CURRENT #729: Mon Jul 21 17:58:55 CDT 2008 root@trantor.tachypleus.net:/usr/obj/powerpc/usr/src/sys/CETO powerpc
>Description:
Starting with revision 1.206 of nfs_vfsops.c, the function nfs_decode_args() terminates by doing

	strlcpy(nmp->nm_hostname, argp->hostname, sizeof(nmp->nm_hostname));
	p = strchr(nmp->nm_hostname, ':');
	if (p)
		*p = '\0';

When called from userspace by updating a mount (as happens when an NFS root is remounted read-only), argp->hostname is a pointer in the address space of the calling userspace code. Since the kernel doesn't do copyin(), it copies potentially invalid memory. On 64-bit PowerPC systems, this causes a kernel panic, since low memory is not generally mapped into kernel space.
>How-To-Repeat:
>Fix:
I'm not sure what this code is for -- the commit message is about other code -- and removing it seems harmless.
>Release-Note:
>Audit-Trail:
>Unformatted:
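A user-space model of the defensive pattern the report points at (copy a user pointer's contents through a bounds-checked copyin-style routine before touching them), added here as an example and not code from this report or from FreeBSD. mock_copyinstr, set_nm_hostname and user_region are hypothetical names; mock_copyinstr stands in for the kernel's copyinstr(9) over a constructed "user" region, and set_nm_hostname is the hardened form of the strlcpy/strchr tail quoted above.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the calling process's address space: in this
 * model only pointers inside user_region are "mapped". */
static char user_region[256];

/* Hypothetical stand-in for copyinstr(9): copies a NUL-terminated string
 * from the simulated user region, returning EFAULT for any byte outside
 * it (where a plain strlcpy() would dereference it and, as the report
 * describes, panic) and ENAMETOOLONG if no terminator fits in len bytes. */
static int
mock_copyinstr(const char *uaddr, char *kaddr, size_t len)
{
	uintptr_t lo = (uintptr_t)user_region;
	uintptr_t hi = lo + sizeof(user_region);
	uintptr_t u = (uintptr_t)uaddr;
	size_t n;

	for (n = 0; n < len; n++, u++) {
		if (u < lo || u >= hi)
			return (EFAULT);
		kaddr[n] = *(const char *)u;
		if (kaddr[n] == '\0')
			return (0);
	}
	return (ENAMETOOLONG);
}

/* Hardened tail of nfs_decode_args(): the hostname reaches nm_hostname only
 * via the bounds-checked copy; on failure the caller gets an errno value
 * and a cleared buffer instead of a read of unmapped memory. */
int
set_nm_hostname(char *nm_hostname, size_t nm_len, const char *u_hostname)
{
	char *p;
	int error;
	error = mock_copyinstr(u_hostname, nm_hostname, nm_len);
	if (error != 0) {
		nm_hostname[0] = '\0';
		return (error);
	}
	/* Same truncation as the original: keep "host" from "host:/export". */
	p = strchr(nm_hostname, ':');
	if (p != NULL)
		*p = '\0';
	return (0);
}
```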