[Bug 260071] bad slotid in SEQUENCE reply can crash NFS v4 client
Date: Fri, 26 Nov 2021 20:26:59 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=260071

            Bug ID: 260071
           Summary: bad slotid in SEQUENCE reply can crash NFS v4 client
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 229750
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229750&action=edit
A demo of an nfs v4 server crashing the client with a negative slotid.

This code in newnfs_request() uses a slot number sent by the server to index into an array without bounds-checking:

    slot = fxdr_unsigned(int, *tl++);
    freeslot = slot;
    if (retseq != sep->nfsess_slotseq[slot])
        printf("retseq diff 0x%x\n", retseq);

I've attached a demo:

    # uname -a
    FreeBSD 14.0-CURRENT FreeBSD 14.0-CURRENT #103 main-n250903-2a29c1558e82-dirty: Fri Nov 26 13:54:28 EST 2021     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
    # cc fnfs_3.c
    # ./a.out
    ...
    panic: Fatal page fault at 0xffffffc000207f4c: 0xffffffce02bf4cc0
    --- exception 13, tval = 0xffffffce02bf4cc0
    newnfs_request() at newnfs_request+0x1002
    nfsrpc_reclaimcomplete() at nfsrpc_reclaimcomplete+0x92
    nfsrpc_setclient() at nfsrpc_setclient+0x630
    nfscl_getcl() at nfscl_getcl+0x53e
    mountnfs() at mountnfs+0x722
    nfs_mount() at nfs_mount+0x161e
    vfs_mount_sigdefer() at vfs_mount_sigdefer+0x20
    vfs_domount_first() at vfs_domount_first+0x1d4
    vfs_domount() at vfs_domount+0x21c
    vfs_donmount() at vfs_donmount+0x79c
    sys_nmount() at sys_nmount+0x66
    do_trap_user() at do_trap_user+0x206
    cpu_exception_handler_user() at cpu_exception_handler_user+0x72
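The following is an added, stand-alone illustration (not FreeBSD's code and not the reporter's demo) of the unchecked read described above next to a bounds-checked version. It decodes the slotid word of a SEQUENCE reply from a constructed XDR buffer; the session struct, DEMO_SLOTS slot count and the demo_* helpers are assumptions used only to model nfsess_slotseq.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define DEMO_SLOTS 64   /* constructed: number of fore-channel slots */

struct demo_session { uint32_t slotseq[DEMO_SLOTS]; };

/* SEQUENCE4resok word layout: sessionid (4 words), sequenceid, slotid,
 * highest_slotid, target_highest_slotid, status_flags. */
enum { SEQ_SEQID_IDX = 4, SEQ_SLOTID_IDX = 5, SEQ_WORDS = 9 };

static uint32_t xdr_word(const unsigned char *msg, int idx) {
    uint32_t w;
    memcpy(&w, msg + 4 * idx, sizeof w);
    return ntohl(w);
}

/* Mirrors the report: the wire value is cast to int and used as-is. */
int seq_slot_unchecked(const unsigned char *msg) {
    return (int)xdr_word(msg, SEQ_SLOTID_IDX);
}

/* Hardened: 0 = slot valid and sequence matches, 1 = valid slot but
 * sequence mismatch, -1 = reply too short or slotid out of range. */
int seq_slot_checked(const unsigned char *msg, size_t len,
                     const struct demo_session *sess, int *slot) {
    if (len < 4 * SEQ_WORDS) return -1;
    uint32_t raw = xdr_word(msg, SEQ_SLOTID_IDX);
    if (raw >= DEMO_SLOTS) return -1;   /* also rejects 0x80000000 */
    *slot = (int)raw;
    return xdr_word(msg, SEQ_SEQID_IDX) == sess->slotseq[*slot] ? 0 : 1;
}

/* Constructed reply: zeroed sessionid, given sequenceid and slotid. */
static void build_reply(unsigned char *buf, uint32_t seqid, uint32_t slotid) {
    memset(buf, 0, 4 * SEQ_WORDS);
    uint32_t w = htonl(seqid); memcpy(buf + 4 * SEQ_SEQID_IDX, &w, 4);
    w = htonl(slotid); memcpy(buf + 4 * SEQ_SLOTID_IDX, &w, 4);
}

int demo_checked(uint32_t seqid, uint32_t slotid) {
    struct demo_session sess; unsigned char buf[4 * SEQ_WORDS]; int slot = -1;
    for (int i = 0; i < DEMO_SLOTS; i++) sess.slotseq[i] = (uint32_t)i + 1;
    build_reply(buf, seqid, slotid);
    return seq_slot_checked(buf, sizeof buf, &sess, &slot);
}

int demo_unchecked(uint32_t slotid) {
    unsigned char buf[4 * SEQ_WORDS];
    build_reply(buf, 1, slotid);
    return seq_slot_unchecked(buf);
}
```

With slotid 0x80000000 the unchecked path yields a negative index, while the checked path returns -1 before any array access.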