From nobody Thu May 18 23:12:12 2023
Date: Thu, 18 May 2023 23:12:12 GMT
Message-Id: <202305182312.34INCCOe028439@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Rick Macklem
Subject: git: c71535c29df0 - stable/13 - nfsd: Fix a use after free when vnet prisons are deleted
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Sender: owner-dev-commits-src-branches@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: c71535c29df0ed25b879b42b0ffe2fd5386fa94e
Auto-Submitted: auto-generated

The branch stable/13 has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=c71535c29df0ed25b879b42b0ffe2fd5386fa94e

commit c71535c29df0ed25b879b42b0ffe2fd5386fa94e
Author:     Rick Macklem
AuthorDate: 2023-02-24 15:36:28 +0000
Commit:     Rick Macklem
CommitDate: 2023-05-18 23:10:58 +0000

    nfsd: Fix a use after free when vnet prisons are deleted

    The Kasan tests show that nfsrvd_cleancache() results in a modify
    after free.  I think this occurs because the nfsrv_cleanup() function
    gets executed after nfs_cleanup(), which frees the nfsstatsv1_p.

    This patch makes them use the same subsystem and sets SI_ORDER_FIRST
    for nfs_cleanup(), so that it will be called after nfsrv_cleanup()
    via VNET_SYSUNINIT().

    The patch also sets nfsstatsv1_p NULL after freeing it, so that a
    crash will result if it is used after freeing.

    (cherry picked from commit 4036fcb8053adf3ac54c8428eef0dd076dfc1718)
---
 sys/fs/nfs/nfs_commonport.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sys/fs/nfs/nfs_commonport.c b/sys/fs/nfs/nfs_commonport.c
index e78edff964f9..7f64b3e978a3 100644
--- a/sys/fs/nfs/nfs_commonport.c
+++ b/sys/fs/nfs/nfs_commonport.c
@@ -886,7 +886,7 @@ nfs_vnetinit(const void *unused __unused) mtx_init(&NFSD_VNET(nfsrv_nfsuserdsock).nr_mtx, "nfsuserd", NULL, MTX_DEF); } -VNET_SYSINIT(nfs_vnetinit, SI_SUB_VNET_DONE, SI_ORDER_ANY, +VNET_SYSINIT(nfs_vnetinit, SI_SUB_VNET_DONE, SI_ORDER_FIRST, nfs_vnetinit, NULL); static void @@ -894,12 +894,14 @@ nfs_cleanup(void *unused __unused) { mtx_destroy(&NFSD_VNET(nfsrv_nfsuserdsock).nr_mtx); - if (!IS_DEFAULT_VNET(curvnet)) + if (!IS_DEFAULT_VNET(curvnet)) { free(NFSD_VNET(nfsstatsv1_p), M_TEMP); + NFSD_VNET(nfsstatsv1_p) = NULL; + } /* Clean out the name<-->id cache. */ nfsrv_cleanusergroup(); } -VNET_SYSUNINIT(nfs_cleanup, SI_SUB_VNET_DONE, SI_ORDER_ANY, +VNET_SYSUNINIT(nfs_cleanup, SI_SUB_VNET_DONE, SI_ORDER_FIRST, nfs_cleanup, NULL); extern int (*nfsd_call_nfscommon)(struct thread *, struct nfssvc_args *);
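Review bot: the commit message does not mention that the first hunk also changes the init side: nfs_vnetinit() moves from SI_ORDER_ANY to SI_ORDER_FIRST within SI_SUB_VNET_DONE, so it now runs before every other SI_ORDER_ANY initializer in that subsystem, not only nfs_cleanup() later. Please record in the message that the init order was changed to mirror the uninit order (init first, uninit last), and confirm that nothing nfs_vnetinit() depends on is set up by a later initializer in the same subsystem.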
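Review bot: in the second hunk, the requirement that nfs_cleanup() run after nfsrv_cleanup() is now carried only by the SI_ORDER_FIRST argument on the `VNET_SYSUNINIT(nfs_cleanup, SI_SUB_VNET_DONE, SI_ORDER_FIRST,` line, with nothing in the code saying why; a later edit could put it back to SI_ORDER_ANY and silently reintroduce the use after free. Add a short comment above it, e.g. `/* Must run after nfsrv_cleanup(), which still reads nfsstatsv1_p. */`. Clearing NFSD_VNET(nfsstatsv1_p) after the free is the right choice, since a stale read then faults instead of corrupting freed memory; worth confirming that nfsrv_cleanusergroup(), which still runs after the free in this same function, does not touch the stats block.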
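The mechanism the commit message relies on, as an added example that is not part of the commit or of FreeBSD: a small user-space C model in which vnet destructors are kept sorted by (subsystem, order) and executed in reverse, so SI_ORDER_FIRST on a SYSUNINIT makes it run last within its subsystem. It replays the three states the commit message describes: both cleanups at SI_ORDER_ANY with a dangling nfsstatsv1_p (the reported modify after free), the same order with the pointer cleared after the free (the misuse becomes a NULL dereference, which is loud), and SI_ORDER_FIRST for nfs_cleanup() so the stats block is freed after its last use. The reverse-execution and tie-breaking rules, the SI_* values, the stats block and the registration order of the two hooks are assumptions of the model; nothing here is taken from the kernel beyond what the commit message states.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model (not FreeBSD code) of the VNET_SYSUNINIT ordering the
 * commit relies on.  Assumption: destructors are kept sorted by (subsystem, order),
 * ties in registration order, and run in REVERSE, so within one subsystem a lower
 * order value runs LATER.  The SI_* values are stand-ins, not the kernel's. */
#define SI_ORDER_FIRST   0x00000000u
#define SI_ORDER_ANY     0x0fffffffu
#define SI_SUB_VNET_DONE 0xdd000000u

typedef void (*uninit_fn)(void);
struct uninit { const char *name; unsigned subsystem; unsigned order; uninit_fn func; };

enum outcome {
	TEARDOWN_CLEAN = 0,	/* stats block freed after its last use */
	TEARDOWN_UAF = 1,	/* stats block written after free: silent without KASAN */
	TEARDOWN_NULL_DEREF = 2	/* pointer was NULLed after free, so the misuse is loud */
};

/* Toy stand-ins for the per-vnet stats block and bookkeeping about it. */
static unsigned long *nfsstatsv1_p;
static int stats_live;		/* 1 while the block is allocated */
static int null_after_free;	/* does nfs_cleanup() clear the pointer (the patch)? */
static int touched_after_free, touched_null;

/* Models nfs_cleanup(): frees the stats block, optionally NULLing the pointer. */
static void nfs_cleanup(void)
{
	free(nfsstatsv1_p);
	stats_live = 0;
	if (null_after_free)
		nfsstatsv1_p = NULL;
}

/* Models nfsrv_cleanup() -> nfsrvd_cleancache() bumping a statistics counter. */
static void nfsrv_cleanup(void)
{
	if (nfsstatsv1_p == NULL) {	/* the kernel would panic right here */
		touched_null = 1;
		return;
	}
	if (!stats_live) {		/* record the bug instead of writing freed memory */
		touched_after_free = 1;
		return;
	}
	nfsstatsv1_p[0]++;
}

/* Stable insertion sort ascending by (subsystem, order), then run in reverse. */
static void run_teardown(struct uninit *tab, size_t n)
{
	for (size_t i = 1; i < n; i++) {
		struct uninit key = tab[i];
		size_t j = i;
		while (j > 0 && (tab[j - 1].subsystem > key.subsystem ||
		    (tab[j - 1].subsystem == key.subsystem && tab[j - 1].order > key.order))) {
			tab[j] = tab[j - 1];
			j--;
		}
		tab[j] = key;
	}
	for (size_t i = n; i-- > 0;) {
		printf("  running %s\n", tab[i].name);
		tab[i].func();
	}
}

/* Tear down one vnet with nfs_cleanup() registered at the given order. */
enum outcome simulate(unsigned nfs_cleanup_order, int nullify)
{
	struct uninit tab[] = {
		/* nfsrv_cleanup registered first, so on a tie it runs LAST (constructed). */
		{ "nfsrv_cleanup", SI_SUB_VNET_DONE, SI_ORDER_ANY, nfsrv_cleanup },
		{ "nfs_cleanup", SI_SUB_VNET_DONE, nfs_cleanup_order, nfs_cleanup },
	};

	nfsstatsv1_p = calloc(4, sizeof(*nfsstatsv1_p));
	stats_live = 1;
	null_after_free = nullify;
	touched_after_free = touched_null = 0;
	run_teardown(tab, sizeof(tab) / sizeof(tab[0]));

	if (touched_after_free)
		return TEARDOWN_UAF;
	if (touched_null)
		return TEARDOWN_NULL_DEREF;
	return TEARDOWN_CLEAN;
}

int main(void)
{
	printf("SI_ORDER_ANY, no NULL (before):    %d\n", simulate(SI_ORDER_ANY, 0));
	printf("SI_ORDER_ANY, NULL after free:     %d\n", simulate(SI_ORDER_ANY, 1));
	printf("SI_ORDER_FIRST, NULL after free:   %d\n", simulate(SI_ORDER_FIRST, 1));
	return 0;
}
```

Build with `cc -std=c99 -Wall model.c && ./a.out`. The point the model makes visible is that two hooks with identical (subsystem, order) keys are ordered only by when they happened to be registered, which is why the fix gives nfs_cleanup() an explicit SI_ORDER_FIRST rather than relying on the tie, and why clearing the pointer after free is still worth doing as a second line of defence.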