[Bug 263220] invalid fusefs error numbers can cause kernel crash

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 11 Apr 2022 13:55:25 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263220

            Bug ID: 263220
           Summary: invalid fusefs error numbers can cause kernel crash
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #233146 mime type: text/plain

Created attachment 233146
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=233146&action=edit
a fuse daemon that crashes the kernel by setting error=2

If a fuse daemon responds to a FUSE_LOOKUP with error set to 2,
fuse_device_write() negates this to -2, which is EJUSTRETURN. As a
result, vfs_lookup() will return 0 for success, but leave ni_vp NULL.
kern_statat() assumes that a zero return from namei() implies that
nd.ni_vp is valid, so it crashes in VOP_STAT(nd.ni_vp, ...).

I've included a demo:

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #187
main-n250915-a8123f770b1e-dirty: Mon Apr 11 07:07:40 EDT 2022
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM  riscv
# pkg install fusefs-libs
# cc -I/usr/local/include/fuse -o futo0 futo0.c -L/usr/local/lib -lfuse
# ./futo0
...
running touch /mnt/z
...
panic: Fatal page fault at 0xffffffc00039f47a: 0x00000000000010
cpuid = 1
time = 1649684546
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x16e
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1aa
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0x10
VOP_STAT() at VOP_STAT+0x24
kern_statat() at kern_statat+0x10a
sys_fstatat() at sys_fstatat+0x1e
syscallenter() at syscallenter+0xf4
ecall_handler() at ecall_handler+0x18
do_trap_user() at do_trap_user+0xea
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- exception 8, tval = 0
KDB: enter: panic
[ thread pid 100 tid 100051 ]
Stopped at      breakpoint+0xa: c.ldsp  s0,0(sp)
db>
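The check the report implies, as an added example that is neither the reporter's attached daemon nor FreeBSD's actual fix: the blind negation described for fuse_device_write() beside a range check that rejects any reply error outside the FUSE wire format's "0 or -errno" before it can reach vfs_lookup(). The FBSD_* constants are FreeBSD's kernel-only pseudo-errnos copied here, and the ELAST fallback is an assumed value so the example builds on non-FreeBSD hosts.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* FreeBSD's kernel-internal pseudo-errnos (visible only under _KERNEL in
 * <sys/errno.h>); copied here so the example compiles anywhere. They are never
 * a legitimate result of a FUSE reply, but a naive negation can produce them. */
#define FBSD_ERESTART    (-1)
#define FBSD_EJUSTRETURN (-2)

/* ELAST is the highest valid errno. The fallback is an assumption for hosts
 * whose <errno.h> does not define it; FreeBSD supplies the real value. */
#ifndef ELAST
#define ELAST 97
#endif

/* What the report describes: the daemon's error field is negated as-is, so a
 * daemon that sends +2 turns into -2 == EJUSTRETURN inside the kernel. */
int naive_reply_to_errno(int32_t reply_error)
{
    return -reply_error;
}

/* Hardened conversion: the wire format carries 0 or a negated errno. Anything
 * outside [-ELAST, 0] is a protocol violation from an untrusted daemon and is
 * rejected (caller fails the write with EINVAL) instead of propagated. */
bool reply_to_errno_checked(int32_t reply_error, int *kernel_errno)
{
    if (reply_error > 0 || reply_error < -ELAST)
        return false;
    *kernel_errno = -reply_error;
    return true;
}

int main(void)
{
    /* Constructed reply values: a conformant -ENOENT, and the two positive
     * values that collide with ERESTART and EJUSTRETURN after negation. */
    const int32_t samples[] = { -ENOENT, 1, 2, 0, -(ELAST + 1) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int e = 0;
        bool ok = reply_to_errno_checked(samples[i], &e);
        printf("reply %6d: naive -> %4d, checked -> %s%s\n",
               samples[i], naive_reply_to_errno(samples[i]),
               ok ? "errno " : "REJECT", ok ? (e == ENOENT ? "ENOENT" : "") : "");
    }
    return 0;
}
```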
