[Bug 260272] short OPEN reply can crash NFS v4 client
Date: Wed, 08 Dec 2021 11:02:10 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260272
Bug ID: 260272
Summary: short OPEN reply can crash NFS v4 client
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: rtm@lcs.mit.edu
Attachment #229975 text/plain
mime type:
Created attachment 229975
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229975&action=edit
Cause an NFS v4 client to crash due to a short OPEN reply.
In these lines in nfsrpc_createv4():
(void) nfsrv_getattrbits(nd, &attrbits, NULL, NULL);
NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
If the RPC response being parsed is short, then nfsrv_getattrbits()'s
calls to NFSM_DISSECT can leave nd->nd_md == NULL, causing the
NFSM_DISSECT to crash.
I've attached a demo:
# uname -a
FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #133
main-n250909-08e6880c1a5c-dirty: Wed Dec 8 05:41:49 EST 2021
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc fnfs_7.c
# ./a.out
...
panic: Fatal page fault at 0xffffffc0001818e2: 0x00000000000010
--- exception 13, tval = 0x10
nfsm_dissect() at nfsm_dissect+0xa
nfsrpc_createv4() at nfsrpc_createv4+0x372
nfsrpc_create() at nfsrpc_create+0x1ae
nfs_create() at nfs_create+0x196
vop_sigdefer() at vop_sigdefer+0x26
nfs_vnodeops_bypass() at nfs_vnodeops_bypass+0x16
VOP_CREATE_APV() at VOP_CREATE_APV+0x3a
VOP_CREATE() at VOP_CREATE+0x2e
vn_open_cred() at vn_open_cred+0x20a
vn_open() at vn_open+0x32
kern_openat() at kern_openat+0x164
sys_openat() at sys_openat+0x32
syscallenter() at syscallenter+0xf4
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--
You are receiving this mail because:
You are the assignee for the bug.