https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260076
Bug ID: 260076
Summary: bad slot in client SEQUENCE can crash NFS server
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]
Attachment #229757 mime type: text/plain
Created attachment 229757
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229757&action=edit
An NFS client that crashes the server with a bad slotid.
nfsrvd_sequence() accepts the client's slotid without checking
against 0..64:
nd->nd_slotid = fxdr_unsigned(uint32_t, *tl++);
This can cause a crash when nd_slotid is later used to index
into sess_slots.
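Added example, a constructed model rather than FreeBSD's nfsrvd_sequence() or its eventual fix: the same XDR decode followed by a bounds check against both the static slot table and the per-session negotiated slot count, done before the id can index anything. The MODEL_* names and struct layouts are assumptions for the model.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the slot check; not FreeBSD's nfsrvd_sequence(). */
#define MODEL_MAX_SLOTS 64      /* static table size: valid slot ids are 0..63 */
#define MODEL_OK        0
#define MODEL_BADSLOT   10053   /* NFS4ERR_BADSLOT from RFC 5661, reused here */

struct model_slot { uint32_t seqid; int have_reply; };   /* cached-reply state */

struct model_session {
    uint32_t          nslots;   /* negotiated at CREATE_SESSION, <= MODEL_MAX_SLOTS */
    struct model_slot slots[MODEL_MAX_SLOTS];
};

/* Same job as fxdr_unsigned(): read one big-endian XDR word. */
static uint32_t xdr_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Hardened decode.  The report's code stores the wire value and later
 * indexes slots[nd_slotid] with it; here the id is checked against the
 * static table and the negotiated count before any pointer is formed,
 * so a bad id yields MODEL_BADSLOT instead of a page fault. */
int model_sequence_slot(struct model_session *s, const unsigned char *xdr,
                        struct model_slot **slot_out)
{
    uint32_t slotid = xdr_u32(xdr);

    if (slotid >= MODEL_MAX_SLOTS || slotid >= s->nslots)
        return MODEL_BADSLOT;
    *slot_out = &s->slots[slotid];
    return MODEL_OK;
}

/* Test helper: fresh session with nslots, one SEQUENCE carrying wire_slotid. */
int model_check_wire(uint32_t nslots, uint32_t wire_slotid)
{
    struct model_session s;
    struct model_slot *slot = NULL;
    unsigned char xdr[4] = { wire_slotid >> 24, wire_slotid >> 16,
                             wire_slotid >> 8, wire_slotid };

    memset(&s, 0, sizeof(s));
    s.nslots = nslots > MODEL_MAX_SLOTS ? MODEL_MAX_SLOTS : nslots;
    return model_sequence_slot(&s, xdr, &slot);
}
```

The second comparison matters on its own: a session that negotiated fewer slots than the table holds would otherwise let a client reach slots the server never initialised for it.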
I've attached a demo:
# uname -a
FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #107
main-n250904-c4c468281fb6-dirty: Sat Nov 27 06:21:53 EST 2021
rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# cc fnfsd_6.c
# ./a.out
...
panic: Fatal page fault at 0xffffffc000317a82: 0x4000000000000000
--- exception 13, tval = 0x4000000000000000
m_free() at m_free+0x10
m_freem() at m_freem+0x22
nfsv4_seqsess_cacherep() at nfsv4_seqsess_cacherep+0x56
nfsrv_cache_session() at nfsrv_cache_session+0x114
nfssvc_program() at nfssvc_program+0x624
svc_run_internal() at svc_run_internal+0x808
svc_thread_start() at svc_thread_start+0xe
fork_exit() at fork_exit+0x68
fork_trampoline() at fork_trampoline+0xa