https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260155
Bug ID: 260155
Summary: inadequate LAYOUTTYPE sanity check in nfsv4_loadattr()
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Attachment #229829 mime type: text/plain
Created attachment 229829
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229829&action=edit
Crash an NFS server with a broken LAYOUTTYPE attribute.
In this nfsv4_loadattr() code:
    case NFSATTRBIT_FSLAYOUTTYPE:
    case NFSATTRBIT_LAYOUTTYPE:
        NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED);
        attrsum += NFSX_UNSIGNED;
        i = fxdr_unsigned(int, *tl);
        if (i > 0) {
            NFSM_DISSECT(tl, u_int32_t *, i *
                NFSX_UNSIGNED);
If the RPC contains an i that is positive and big enough that
i*NFSX_UNSIGNED is negative, the next attribute may experience a crash
due to nd_dpos being wild. nfsm_dissect() and nfsm_dissct() are only
able to prevent this if the siz is positive, not negative.
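The arithmetic behind the report, as an added illustration that is neither the kernel code nor the reporter's attachment: a simplified stand-in for the dissect size check (the dissect() model and its REJECTED rule are assumptions), the count-times-NFSX_UNSIGNED product as written in the excerpt, and a variant that bounds the count before multiplying so the product cannot wrap.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define NFSX_UNSIGNED 4   /* size of one XDR unsigned */
#define REJECTED (-1)     /* returned when the size check refuses the request */

/* Model of the check the report attributes to nfsm_dissct(): a positive siz
 * larger than the remaining data is refused, a negative siz is not
 * (assumption: simplified stand-in, not the kernel code).  The cursor is
 * advanced by siz, so a negative siz leaves it outside the received data. */
static int64_t dissect(int64_t remaining, int siz)
{
    if (siz > 0 && siz > remaining)
        return REJECTED;
    return remaining - siz;
}

/* The kernel multiplies in int, where overflow is undefined; the wrap is
 * modelled explicitly in uint32_t to show the two's-complement result. */
static int wrapped_size(int i)
{
    return (int)((uint32_t)i * NFSX_UNSIGNED);
}

/* Check as quoted in the report: only "i > 0" is tested before multiplying. */
static int64_t layouttype_original(int64_t remaining, uint32_t wire_count)
{
    int i = (int)wire_count;
    if (i > 0)
        return dissect(remaining, wrapped_size(i));
    return remaining;
}

/* Bounded variant: reject counts whose product would exceed INT_MAX. */
static int64_t layouttype_bounded(int64_t remaining, uint32_t wire_count)
{
    int i = (int)wire_count;
    if (i < 0 || i > INT_MAX / NFSX_UNSIGNED)
        return REJECTED;
    if (i > 0)
        return dissect(remaining, i * NFSX_UNSIGNED);
    return remaining;
}

int main(void)
{
    uint32_t count = 0x60000000u;   /* constructed: 0x60000000 * 4 wraps to INT_MIN */
    printf("original: %lld\n", (long long)layouttype_original(100, count));
    printf("bounded : %lld\n", (long long)layouttype_bounded(100, count));
    return 0;
}
```

With 100 bytes remaining, the original check accepts the wrapped size and moves the cursor backwards by 2 GiB, while the bounded check refuses it and still accepts or refuses ordinary counts exactly as before.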
I've attached a demo:
# uname -a
FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #120
main-n250906-d95bc6b0bf4c-dirty: Wed Dec 1 06:52:50 EST 2021
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc fnfsd_8.c
# ./a.out
...
panic: Fatal page fault at 0xffffffc000209adc: 0xffffffcf818ecbc0
--- exception 13, tval = 0xffffffcf818ecbc0
nfsv4_loadattr() at nfsv4_loadattr+0xef8
nfsrvd_verify() at nfsrvd_verify+0xb6
nfsrvd_dorpc() at nfsrvd_dorpc+0x147a
nfssvc_program() at nfssvc_program+0x5a8
svc_run_internal() at svc_run_internal+0x810
svc_run() at svc_run+0x1a2
nfsrvd_nfsd() at nfsrvd_nfsd+0x30c
nfssvc_nfsd() at nfssvc_nfsd+0x3ac
sys_nfssvc() at sys_nfssvc+0xd0
do_trap_user() at do_trap_user+0x220
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
--- exception 8, tval = 0x1c5816ef20