Date: Tue, 14 Dec 2021 10:54:05 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260412] NFS v4 client crash if server sends a second CB_SEQUENCE with wild slotid
Message-ID: <bug-260412-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260412

            Bug ID: 260412
           Summary: NFS v4 client crash if server sends a second CB_SEQUENCE
                    with wild slotid
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 230107
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=230107&action=edit
Crash an NFS v4 client with two CB_SEQUENCEs and a wild slotid

If a callback message contains two CB_SEQUENCE operators, and the first one
is valid, but the second contains a wild slotid, then at the end of
nfscl_docb() gotseq_ok will be non-zero, and the wild slotid will be passed
to nfsv4_seqsess_cacherep(). The latter indexes an array with slotid.

I've attached a demo:

# uname -a
FreeBSD junk.doesnotexist.org 14.0-CURRENT FreeBSD 14.0-CURRENT #147 main-n250911-3ff4b4101008-dirty: Tue Dec 14 05:47:56 EST 2021     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc fnfs_11.c
# ./a.out
...
panic: Fatal page fault at 0xffffffc0002104d0: 0xffffffe001428c28
--- exception 13, tval = 0xffffffe001428c28
nfsv4_seqsess_cacherep() at nfsv4_seqsess_cacherep+0x18
nfscl_docb() at nfscl_docb+0x3aa
nfscb_program() at nfscb_program+0xee
svc_run_internal() at svc_run_internal+0x810
svc_run() at svc_run+0x1a2
nfscbd_nfsd() at nfscbd_nfsd+0xce
nfssvc_nfscl() at nfssvc_nfscl+0x204
sys_nfssvc() at sys_nfssvc+0xd0
do_trap_user() at do_trap_user+0x220
cpu_exception_handler_user() at cpu_exception_handler_user+0x72

-- 
You are receiving this mail because:
You are the assignee for the bug.
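As an added illustration that is not part of the report, the reporter's demo, or FreeBSD's code: a constructed C model of the dispatch loop the report describes, showing the flawed "before" logic (a valid first CB_SEQUENCE sets gotseq_ok, a second one with a bad slotid overwrites slotid without clearing the flag) beside a hardened version that rejects a second CB_SEQUENCE and range-checks slotid before anything can index the slot array. Every name (cb_session, docb_unchecked, docb_checked, demo_*), the slot-table size and the wild slotid value are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the callback dispatch loop the report describes. Every
 * name here is hypothetical; this is not nfscl_docb() or nfsv4_seqsess_cacherep(). */

#define CB_NSLOTS 4u               /* constructed session slot-table size */

enum cb_op { CB_OP_SEQUENCE, CB_OP_OTHER };
enum cb_result { CB_OK, CB_REJECTED, CB_OUT_OF_BOUNDS };

struct cb_op_msg {
    enum cb_op op;
    uint32_t slotid;               /* meaningful only for CB_OP_SEQUENCE */
};

struct cb_session {
    uint32_t nslots;
    uint32_t seqid[CB_NSLOTS];     /* per-slot reply cache indexed by slotid */
    uint32_t cached_calls;         /* how many times the cache step ran */
};

/* "Before": mirrors the flaw in the report. The first CB_SEQUENCE sets gotseq_ok;
 * a second one overwrites slotid but never clears the flag. */
static enum cb_result docb_unchecked(struct cb_session *s,
                                     const struct cb_op_msg *ops, size_t n)
{
    int gotseq_ok = 0;
    uint32_t slotid = 0;
    for (size_t i = 0; i < n; i++) {
        if (ops[i].op != CB_OP_SEQUENCE)
            continue;
        slotid = ops[i].slotid;
        if (slotid < s->nslots)
            gotseq_ok = 1;         /* flaw: never reset when a later slotid is bad */
    }
    if (gotseq_ok) {
        /* The kernel indexes the slot array here and faults; the model reports it. */
        if (slotid >= s->nslots)
            return CB_OUT_OF_BOUNDS;
        s->seqid[slotid]++;
        s->cached_calls++;
    }
    return CB_OK;
}

/* "After": CB_SEQUENCE is accepted only as the first operation and only once,
 * its slotid is range checked before it is stored, and rechecked at the point of use. */
static enum cb_result docb_checked(struct cb_session *s,
                                   const struct cb_op_msg *ops, size_t n)
{
    bool seen_seq = false;
    uint32_t slotid = 0;
    for (size_t i = 0; i < n; i++) {
        if (ops[i].op != CB_OP_SEQUENCE)
            continue;
        if (i != 0 || seen_seq)
            return CB_REJECTED;    /* second or misplaced CB_SEQUENCE */
        if (ops[i].slotid >= s->nslots)
            return CB_REJECTED;    /* wild slotid: refuse before any array access */
        slotid = ops[i].slotid;
        seen_seq = true;
    }
    if (!seen_seq)
        return CB_OK;              /* no session op: nothing to cache */
    if (slotid >= s->nslots)
        return CB_OUT_OF_BOUNDS;   /* defense in depth; unreachable after the loop */
    s->seqid[slotid]++;
    s->cached_calls++;
    return CB_OK;
}

/* Constructed compounds. The trigger has the report's shape: a valid CB_SEQUENCE
 * followed by one whose slotid is out of range (value chosen here, not from the report). */
static const struct cb_op_msg trigger[] = {
    { CB_OP_SEQUENCE, 0 }, { CB_OP_SEQUENCE, 0xffffffffu },
};
static const struct cb_op_msg benign[] = {
    { CB_OP_SEQUENCE, 1 }, { CB_OP_OTHER, 0 },
};

enum cb_result demo_before(void)
{
    struct cb_session s = { .nslots = CB_NSLOTS };
    return docb_unchecked(&s, trigger, 2);
}
enum cb_result demo_after(void)
{
    struct cb_session s = { .nslots = CB_NSLOTS };
    return docb_checked(&s, trigger, 2);
}
/* Cache updates the hardened path performs for a well-formed compound. */
uint32_t demo_benign_cached(void)
{
    struct cb_session s = { .nslots = CB_NSLOTS };
    return docb_checked(&s, benign, 2) == CB_OK ? s.cached_calls : 0;
}
```

The two invariants the hardened path enforces are the ones a fix for the report would want: a validation flag set by an earlier operation must not survive a later operation that fails validation, and an index taken from the wire must be bounds-checked at the point where it is used, not only where it was first seen.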