Date: Sat, 27 Nov 2021 12:11:46 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260076] bad slot in client SEQUENCE can crash NFS server
Message-ID: <bug-260076-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260076

            Bug ID: 260076
           Summary: bad slot in client SEQUENCE can crash NFS server
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Attachment #229757 text/plain mime type:

Created attachment 229757
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229757&action=edit
An NFS client that crashes the server with a bad slotid.

nfsrvd_sequence() accepts the client's slotid without checking against 0..64:

    nd->nd_slotid = fxdr_unsigned(uint32_t, *tl++);

This can cause a crash when nd_slotid is later used to index into sess_slots.

I've attached a demo:

    # uname -a
    FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #107 main-n250904-c4c468281fb6-dirty: Sat Nov 27 06:21:53 EST 2021     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
    # cc fnfsd_6.c
    # ./a.out
    ...
    panic: Fatal page fault at 0xffffffc000317a82: 0x4000000000000000
    --- exception 13, tval = 0x4000000000000000
    m_free() at m_free+0x10
    m_freem() at m_freem+0x22
    nfsv4_seqsess_cacherep() at nfsv4_seqsess_cacherep+0x56
    nfsrv_cache_session() at nfsrv_cache_session+0x114
    nfssvc_program() at nfssvc_program+0x624
    svc_run_internal() at svc_run_internal+0x808
    svc_thread_start() at svc_thread_start+0xe
    fork_exit() at fork_exit+0x68
    fork_trampoline() at fork_trampoline+0xa
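The defect described in the report is a classic one: a value taken straight off the wire (the SEQUENCE slotid) is used as an array index before it is checked against the table it indexes. The following C program is an added illustration, not FreeBSD's nfsd code or its eventual fix; every name in it (demo_session, demo_sequence_slot, demo_check, DEMO_BADSLOT, the 64-slot limit taken from the report's "0..64") is hypothetical. It shows the decode-then-validate ordering that keeps a hostile or buggy client's slotid from ever reaching the slot table out of range, and reports it as a bad-slot error instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative limit only (the report says the valid range is 0..64);
 * the structures and names below are hypothetical, not FreeBSD's nfsd ones. */
#define DEMO_MAX_SLOTS 64

enum demo_status { DEMO_OK = 0, DEMO_BADSLOT = 1 };

struct demo_slot {
    uint32_t seqid;           /* last sequence id seen on this slot */
    bool     reply_cached;    /* whether a reply is cached for replay */
};

struct demo_session {
    uint32_t         nslots;                  /* negotiated, at most DEMO_MAX_SLOTS + 1 */
    struct demo_slot slots[DEMO_MAX_SLOTS + 1];
};

/* Encode/decode a 32-bit unsigned as XDR (big-endian), the way a
 * SEQUENCE operation carries its slotid on the wire. */
static void demo_xdr_put_u32(unsigned char out[4], uint32_t v)
{
    out[0] = (unsigned char)(v >> 24); out[1] = (unsigned char)(v >> 16);
    out[2] = (unsigned char)(v >> 8);  out[3] = (unsigned char)v;
}

static uint32_t demo_xdr_get_u32(const unsigned char in[4])
{
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
}

/* Initialise a session with the given slot count, clamped to the table size. */
void demo_session_init(struct demo_session *s, uint32_t nslots)
{
    memset(s, 0, sizeof(*s));
    s->nslots = nslots > DEMO_MAX_SLOTS + 1 ? DEMO_MAX_SLOTS + 1 : nslots;
}

/* Hardened decode: the wire value is accepted only once it is known to index
 * inside this session's slot table. Out-of-range ids are reported, never used. */
enum demo_status demo_sequence_slot(const struct demo_session *s,
                                    const unsigned char wire[4],
                                    uint32_t *slot_out)
{
    uint32_t slotid = demo_xdr_get_u32(wire);

    if (slotid >= s->nslots)      /* rejects ids past the negotiated count and past 64 */
        return DEMO_BADSLOT;
    *slot_out = slotid;
    return DEMO_OK;
}

/* Convenience wrapper: build a session of `nslots`, encode `slotid` as a
 * client would, and run it through the check. Returns the verdict. */
enum demo_status demo_check(uint32_t nslots, uint32_t slotid)
{
    struct demo_session s;
    unsigned char wire[4];
    uint32_t idx = 0;

    demo_session_init(&s, nslots);
    demo_xdr_put_u32(wire, slotid);
    return demo_sequence_slot(&s, wire, &idx);
}

int main(void)
{
    /* Constructed inputs: an in-range id is accepted; ids at or past the end
     * of the table are refused before any indexing happens. */
    printf("slot 7 of 8:    %s\n", demo_check(8, 7) == DEMO_OK ? "ok" : "badslot");
    printf("slot 8 of 8:    %s\n", demo_check(8, 8) == DEMO_OK ? "ok" : "badslot");
    printf("slot 0xffffffff: %s\n",
           demo_check(8, 0xffffffffu) == DEMO_OK ? "ok" : "badslot");
    return 0;
}
```

The point of the wrapper is the ordering: the raw uint32_t from the XDR stream is compared against the session's own slot count before it is stored or used, so the later reply-cache lookup in the trace above (nfsrv_cache_session, nfsv4_seqsess_cacherep in the real server) would only ever see an index the table can hold.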