[Bug 260272] short OPEN reply can crash NFS v4 client

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 08 Dec 2021 11:02:10 UTC

            Bug ID: 260272
           Summary: short OPEN reply can crash NFS v4 client
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #229975 text/plain
         mime type:

Created attachment 229975
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229975&action=edit
Cause an NFS v4 client to crash due to a short OPEN reply.

In these lines in nfsrpc_createv4():

                (void) nfsrv_getattrbits(nd, &attrbits, NULL, NULL);
                NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);

If the RPC response being parsed is short, then nfsrv_getattrbits()'s
calls to NFSM_DISSECT can leave nd->nd_md == NULL, causing the
NFSM_DISSECT to crash.

I've attached a demo:

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #133
main-n250909-08e6880c1a5c-dirty: Wed Dec  8 05:41:49 EST 2021    
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM  riscv
# cc fnfs_7.c
# ./a.out
panic: Fatal page fault at 0xffffffc0001818e2: 0x00000000000010
--- exception 13, tval = 0x10
nfsm_dissect() at nfsm_dissect+0xa
nfsrpc_createv4() at nfsrpc_createv4+0x372
nfsrpc_create() at nfsrpc_create+0x1ae
nfs_create() at nfs_create+0x196
vop_sigdefer() at vop_sigdefer+0x26
nfs_vnodeops_bypass() at nfs_vnodeops_bypass+0x16
vn_open_cred() at vn_open_cred+0x20a
vn_open() at vn_open+0x32
kern_openat() at kern_openat+0x164
sys_openat() at sys_openat+0x32
syscallenter() at syscallenter+0xf4
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72

You are receiving this mail because:
You are the assignee for the bug.