[Bug 260546] nfsv4_loadattr() can pass huge sizes to malloc()

From: <bugzilla-noreply_at_freebsd.org>
Date: Sun, 19 Dec 2021 16:30:58 UTC

            Bug ID: 260546
           Summary: nfsv4_loadattr() can pass huge sizes to malloc()
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

In the NFSATTRBIT_OWNERGROUP code in nfsv4_loadattr():

                        NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
                        j = fxdr_unsigned(int, *tl);
                        if (j < 0) {
                                error =  NFSERR_BADXDR;
                                goto nfsmout;
                        attrsum += (NFSX_UNSIGNED + NFSM_RNDUP(j));
                        if (j > NFSV4_SMALLSTR){
                                cp = malloc(j + 1, M_NFSSTRING, M_WAITOK);

First, a big j can cause this code to allocate a few GB of memory,
enough to cause my modest test machine to run out.

Second, the "if (j < 0)" along with the "j + 1" means that if the RPC
message contains j = 0x7fffffff, malloc will be called with

  (size_t)(j+1) = (size_t)(0x80000000) 

which is 0xffffffff80000000 if size_t is unsigned and 64 bits. This
seems to cause malloc() to never return on my machine.

You are receiving this mail because:
You are the assignee for the bug.