[Bug 289700] unionfs: page fault in unionfs_find_node_status when closing a file within a socket's receive buffer

From: <bugzilla-noreply_at_freebsd.org>
Date: Fri, 19 Sep 2025 22:33:07 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289700

            Bug ID: 289700
           Summary: unionfs: page fault in unionfs_find_node_status when
                    closing a file within a socket's receive buffer
           Product: Base System
           Version: 15.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: asomers@FreeBSD.org

Yesterday a user reported a panic in fusefs, bug 289686.  From inspection, it
appears that unionfs is vulnerable to the same panic.  The steps to reproduce
the panic would be:

* A process opens a regular file on a unionfs file system
* That process sends the file descriptor through a unix domain socket, using
  SCM_RIGHTS
* That process closes the original file descriptor
* Whatever process (which might be the same one) that owns the receiving side
  of the unix domain socket closes it, without reading the file descriptor out
  first.
* That will cause unp_dispose to attempt to close every file descriptor
  residing in the socket's receive buffer.
* Several frames down the stack, that will call VOP_CLOSE with ap->a_td == NULL
* unionfs_close will pass ap->a_td to unionfs_find_node_status, without
  checking it.
* unionfs_find_node_status will attempt to dereference it, without checking it
  either.

Note that I haven't attempted to trigger the panic myself.
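The mechanism the report relies on, that a descriptor passed with SCM_RIGHTS stays open inside the socket's receive buffer after the sender closes it and is only released by the kernel when the unread socket is closed, can be observed from userland without touching unionfs. The program below is an added illustration, not code from the bug report or from FreeBSD; it uses a pipe's write end in place of the unionfs file (a pipe reports EOF to its reader only once every write end is gone, which gives an observable signal), and assumes POSIX socketpair(2)/sendmsg(2) semantics as found on FreeBSD and Linux. The final release of the in-flight descriptor in step 4 is the kernel-internal close path (unp_dispose on FreeBSD) that runs with no owning thread.

```c
/*
 * Added demonstration (not from the bug report or the FreeBSD tree): a
 * descriptor sent with SCM_RIGHTS and then closed by the sender is kept
 * alive by the receiving socket's buffer, and is closed by the kernel only
 * when that socket is closed without ever calling recvmsg().
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Send fd over sock as SCM_RIGHTS ancillary data with a one-byte payload. */
static int send_fd(int sock, int fd)
{
    char payload = 'x';
    struct iovec iov = { .iov_base = &payload, .iov_len = 1 };
    union {
        struct cmsghdr hdr;
        char buf[CMSG_SPACE(sizeof(int))];
    } cmsgbuf;
    struct msghdr msg;

    memset(&msg, 0, sizeof(msg));
    memset(&cmsgbuf, 0, sizeof(cmsgbuf));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = &cmsgbuf;
    msg.msg_controllen = sizeof(cmsgbuf);

    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/*
 * Probe a non-blocking pipe read end: 1 if some write end is still open
 * (EAGAIN), 0 at EOF (no write end left anywhere), -1 on any other error.
 */
static int pipe_has_writer(int rfd)
{
    char c;
    ssize_t n = read(rfd, &c, 1);

    if (n == 0)
        return 0;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return 1;
    return -1;
}

/*
 * Walk the report's sequence with a pipe write end standing in for the
 * unionfs file. On success returns 0 and stores the writer state observed
 * before and after the receiving socket is closed unread.
 */
int inflight_fd_demo(int *writer_before, int *writer_after)
{
    int pfd[2], sv[2];

    if (pipe(pfd) != 0)
        return -1;
    if (fcntl(pfd[0], F_SETFL, O_NONBLOCK) != 0)
        return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;

    /* Steps 1-2: hold an open descriptor and send it through the socket. */
    if (send_fd(sv[0], pfd[1]) != 0)
        return -1;
    /* Step 3: the sender closes its own copy of the descriptor. */
    close(pfd[1]);

    /* The write end now exists only inside sv[1]'s receive buffer. */
    *writer_before = pipe_has_writer(pfd[0]);

    /* Step 4: close the receiving side without recvmsg(); the kernel must
     * dispose of the buffered descriptor itself. */
    close(sv[0]);
    close(sv[1]);

    /* With the in-flight reference released, the pipe reports EOF. */
    *writer_after = pipe_has_writer(pfd[0]);

    close(pfd[0]);
    return 0;
}

int main(void)
{
    int before = -1, after = -1;

    if (inflight_fd_demo(&before, &after) != 0) {
        perror("inflight_fd_demo");
        return 1;
    }
    printf("writer present before socket close: %d\n", before);
    printf("writer present after socket close:  %d\n", after);
    return 0;
}
```

Run as a normal user; it needs no special file system. The first probe reports a writer still present even though the process has closed pfd[1], and the second reports EOF only after the socket holding the in-flight copy is closed: that second transition is the point at which a file system's close routine is entered from the socket teardown path rather than from a thread's close(2) call.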
