From nobody Fri Feb 24 15:37:32 2023
Date: Fri, 24 Feb 2023 15:37:32 GMT
Message-Id: <202302241537.31OFbWAo034841@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Rick Macklem
Subject: git: 4036fcb8053a - main - nfsd: Fix a use after free when vnet prisons are deleted
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
Sender: owner-dev-commits-src-main@freebsd.org
X-Git-Committer: rmacklem
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 4036fcb8053adf3ac54c8428eef0dd076dfc1718

The branch main has been updated by rmacklem:

URL: https://cgit.FreeBSD.org/src/commit/?id=4036fcb8053adf3ac54c8428eef0dd076dfc1718

commit 4036fcb8053adf3ac54c8428eef0dd076dfc1718
Author:     Rick Macklem
AuthorDate: 2023-02-24 15:36:28 +0000
Commit:     Rick Macklem
CommitDate: 2023-02-24 15:36:28 +0000

    nfsd: Fix a use after free when vnet prisons are deleted

    The KASAN tests show that nfsrvd_cleancache() results in a modify
    after free. I think this occurs because the nfsrv_cleanup() function
    gets executed after nfs_cleanup(), which frees nfsstatsv1_p.

    This patch makes them use the same subsystem and sets SI_ORDER_FIRST
    for nfs_cleanup(), so that it will be called after nfsrv_cleanup()
    via VNET_SYSUNINIT().

    The patch also sets nfsstatsv1_p NULL after freeing it, so that a
    crash will result if it is used after freeing.

    Tested by:	markj
    Reviewed by:	markj
    MFC after:	3 months
    Differential Revision:	https://reviews.freebsd.org/D38750
---
 sys/fs/nfs/nfs_commonport.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sys/fs/nfs/nfs_commonport.c b/sys/fs/nfs/nfs_commonport.c
index 212b498e6328..be5fc688b7eb 100644
--- a/sys/fs/nfs/nfs_commonport.c
+++ b/sys/fs/nfs/nfs_commonport.c
@@ -885,7 +885,7 @@ nfs_vnetinit(const void *unused __unused) mtx_init(&NFSD_VNET(nfsrv_nfsuserdsock).nr_mtx, "nfsuserd", NULL, MTX_DEF); } -VNET_SYSINIT(nfs_vnetinit, SI_SUB_VNET_DONE, SI_ORDER_ANY, +VNET_SYSINIT(nfs_vnetinit, SI_SUB_VNET_DONE, SI_ORDER_FIRST, nfs_vnetinit, NULL); static void @@ -893,12 +893,14 @@ nfs_cleanup(void *unused __unused) { mtx_destroy(&NFSD_VNET(nfsrv_nfsuserdsock).nr_mtx); - if (!IS_DEFAULT_VNET(curvnet)) + if (!IS_DEFAULT_VNET(curvnet)) { free(NFSD_VNET(nfsstatsv1_p), M_TEMP); + NFSD_VNET(nfsstatsv1_p) = NULL; + } /* Clean out the name<-->id cache. */ nfsrv_cleanusergroup(); } -VNET_SYSUNINIT(nfs_cleanup, SI_SUB_VNET_DONE, SI_ORDER_ANY, +VNET_SYSUNINIT(nfs_cleanup, SI_SUB_VNET_DONE, SI_ORDER_FIRST, nfs_cleanup, NULL); extern int (*nfsd_call_nfscommon)(struct thread *, struct nfssvc_args *);
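Review bot: In the first hunk (@@ -885,7 +885,7 @@), nfs_vnetinit's VNET_SYSINIT is moved from SI_ORDER_ANY to SI_ORDER_FIRST as well, but the commit message only explains the SI_ORDER_FIRST change for nfs_cleanup(); state the intent for the init side in the message or in a comment above `VNET_SYSINIT(nfs_vnetinit, SI_SUB_VNET_DONE, SI_ORDER_FIRST,` (presumably keeping init and uninit ordering symmetric, so nfsstatsv1_p is allocated before the nfsrv vnet init runs and freed after nfsrv_cleanup()), otherwise a later cleanup could "restore" SI_ORDER_ANY on one side and silently reintroduce the ordering dependency this patch fixes.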
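Review bot: In the second hunk (@@ -893,12 +893,14 @@), clearing NFSD_VNET(nfsstatsv1_p) after free() is the right defensive step, but the actual fix still depends on nfsrv_cleanup() having already run, which is enforced only by the SI_SUB_VNET_DONE / SI_ORDER_FIRST pairing and is not recorded anywhere in this file; add a comment above `VNET_SYSUNINIT(nfs_cleanup, SI_SUB_VNET_DONE, SI_ORDER_FIRST,` saying that nfs_cleanup() must run after nfsrv_cleanup() because nfsrvd_cleancache() still touches the stats. A one-line comment inside the new `if (!IS_DEFAULT_VNET(curvnet)) {` block would also make it explicit that the default vnet's nfsstatsv1_p is intentionally neither freed nor NULLed here.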