[Bug 260076] bad slot in client SEQUENCE can crash NFS server

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 27 Nov 2021 12:11:46 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260076

            Bug ID: 260076
           Summary: bad slot in client SEQUENCE can crash NFS server
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #229757 mime type: text/plain

Created attachment 229757
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229757&action=edit
An NFS client that crashes the server with a bad slotid.

nfsrvd_sequence() accepts the client's slotid without checking
against 0..64:

  nd->nd_slotid = fxdr_unsigned(uint32_t, *tl++);

This can cause a crash when nd_slotid is later used to index
into sess_slots.

I've attached a demo:

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #107
main-n250904-c4c468281fb6-dirty: Sat Nov 27 06:21:53 EST 2021    
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM  riscv
# cc fnfsd_6.c
# ./a.out
...
panic: Fatal page fault at 0xffffffc000317a82: 0x4000000000000000
--- exception 13, tval = 0x4000000000000000
m_free() at m_free+0x10
m_freem() at m_freem+0x22
nfsv4_seqsess_cacherep() at nfsv4_seqsess_cacherep+0x56
nfsrv_cache_session() at nfsrv_cache_session+0x114
nfssvc_program() at nfssvc_program+0x624
svc_run_internal() at svc_run_internal+0x808
svc_thread_start() at svc_thread_start+0xe
fork_exit() at fork_exit+0x68
fork_trampoline() at fork_trampoline+0xa
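As an added illustration of the missing bound (this is a standalone mock, not code from the report or from FreeBSD's nfsd), the check a server needs before a client-supplied slotid touches the slot table: decode sa_slotid and sa_highest_slotid from SEQUENCE4args and reject anything outside the session's allocated slots with NFS4ERR_BADSLOT. The struct session layout, the NFSV4_SLOTS value of 64 and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Mock definitions, not FreeBSD's own (the report says slots are 0..64). */
#define NFSV4_SLOTS      64
#define NFS4_OK          0
#define NFS4ERR_BADXDR   10036   /* RFC 5661 status values */
#define NFS4ERR_BADSLOT  10053
#define SEQ4ARGS_LEN     32      /* sessionid[16] + 4 XDR uint32 fields */
struct session {
    uint32_t sess_maxslots;            /* slots actually allocated */
    uint32_t sess_slots[NFSV4_SLOTS];  /* per-slot reply cache stand-in */
};
/* XDR unsigned int is a 4-byte big-endian word. */
static uint32_t xdr_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void xdr_put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Decode SEQUENCE4args (sa_sessionid, sa_sequenceid, sa_slotid,
 * sa_highest_slotid, sa_cachethis; RFC 5661 section 18.46) and bound the
 * slot fields against the session BEFORE either indexes sess_slots.
 * Returns NFS4_OK with the validated slotid, or an NFSv4 error status. */
int sequence_check(const struct session *s, const uint8_t *buf, size_t len,
                   uint32_t *slotid_out)
{
    if (len < SEQ4ARGS_LEN)
        return NFS4ERR_BADXDR;         /* truncated request */
    uint32_t slotid = xdr_u32(buf + 20), highest = xdr_u32(buf + 24);
    if (slotid >= s->sess_maxslots || highest >= s->sess_maxslots)
        return NFS4ERR_BADSLOT;        /* the check the report says is missing */
    *slotid_out = slotid;
    return NFS4_OK;
}

/* Encode one constructed SEQUENCE request and run it through the check. */
int check_request(uint32_t slotid, uint32_t highest, size_t len)
{
    struct session s = { .sess_maxslots = NFSV4_SLOTS };
    uint8_t req[SEQ4ARGS_LEN];
    uint32_t slot;
    memset(req, 0xAB, 16);             /* constructed session id */
    xdr_put_u32(req + 16, 1);          /* sa_sequenceid */
    xdr_put_u32(req + 20, slotid);
    xdr_put_u32(req + 24, highest);
    xdr_put_u32(req + 28, 0);          /* sa_cachethis = FALSE */
    return sequence_check(&s, req, len, &slot);
}
```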
