[Bug 274268] panic: vfs_lookup: encountered unexpected nul; string when a symlink contains an embedded NUL
Date: Wed, 04 Oct 2023 17:14:05 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=274268

Bug ID: 274268
Summary: panic: vfs_lookup: encountered unexpected nul; string when a symlink contains an embedded NUL
Product: Base System
Version: 15.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: asomers@FreeBSD.org

If VOP_READLINK returns a buffer containing an embedded NUL, then this panic will result during lookup. I can reproduce this panic with a buggy or malicious fusefs server. I can also fix it in fusefs, but a different file system might be able to trigger it too. For example, from inspection ext3_readlink contains no protection against this condition. So it might be better to fix it in vfs_lookup.

#0  __curthread () at /usr/home/somers/src/freebsd.org/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=textdump@entry=0) at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:405
#2  0xffffffff804a401a in db_dump (dummy=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>) at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:591
#3  0xffffffff804a3e1d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=true) at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:504
#4  0xffffffff804a3add in db_command_loop () at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:551
#5  0xffffffff804a71b6 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_main.c:268
#6  0xffffffff80b9e4c3 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe02ff636880) at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:790
#7  0xffffffff8104d809 in trap (frame=0xfffffe02ff636880) at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/trap.c:608
#8  <signal handler called>
#9  kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:556
#10 0xffffffff80b4f8e3 in vpanic (fmt=0xffffffff811b04a5 "%s: encountered unexpected nul; string [%s]\n", ap=ap@entry=0xfffffe02ff636ab0) at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:958
#11 0xffffffff80b4f6c3 in panic (fmt=0xffffffff8196c800 <cnputs_mtx> "J\250\024\201\377\377\377\377") at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:894
#12 0xffffffff80c377f5 in vfs_lookup (ndp=ndp@entry=0xfffffe02ff636bd8) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:1093
#13 0xffffffff80c360ed in namei (ndp=ndp@entry=0xfffffe02ff636bd8) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:684
#14 0xffffffff80c567a0 in kern_statat (td=0xfffffe02f5069000, flag=<optimized out>, fd=-100, path=0x8291804b9 <error: Cannot access memory at address 0x8291804b9>, pathseg=pathseg@entry=UIO_USERSPACE, sbp=sbp@entry=0xfffffe02ff636d18) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2439
#15 0xffffffff80c56ea7 in sys_fstatat (td=0xffffffff8196c800 <cnputs_mtx>, uap=0xfffffe02f5069400) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2417
#16 0xffffffff8104e67f in syscallenter (td=0xfffffe02f5069000) at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/../../kern/subr_syscall.c:187

--
You are receiving this mail because:
You are the assignee for the bug.
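The condition described in the report, shown as an added example that is not part of the original report and is not FreeBSD kernel code: a user-space C check that rejects a symlink target containing an embedded NUL before it is spliced in front of the unresolved remainder of a path. The function names, `EX_MAXPATHLEN`, the sample buffers and the errno values returned are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define EX_MAXPATHLEN 1024	/* assumed path limit for this example */

/* Constructed sample targets: one with an embedded NUL, one well formed. */
const char ex_bad_target[6] = { 'e', 't', 'c', '\0', 'x', 'y' };
const char ex_good_target[] = "/usr/local";

/*
 * Validate a symlink target as handed back by a filesystem's readlink
 * routine: `len` bytes in `buf`, with no terminator expected.
 * Returns 0 if the target is usable, otherwise an errno value.
 */
int
check_link_target(const char *buf, size_t len)
{
	if (len == 0)
		return (ENOENT);	/* empty target (example's choice) */
	if (len >= EX_MAXPATHLEN)
		return (ENAMETOOLONG);
	/* With an embedded NUL the reported length and strlen() disagree. */
	if (memchr(buf, '\0', len) != NULL)
		return (EINVAL);	/* example's choice of errno */
	return (0);
}

/*
 * Splice a validated target in front of the rest of the path, as a
 * lookup loop does before restarting. `out` holds EX_MAXPATHLEN bytes.
 */
int
expand_link(const char *buf, size_t len, const char *rest, char *out)
{
	size_t restlen = strlen(rest);
	int error = check_link_target(buf, len);

	if (error != 0)
		return (error);		/* nothing is copied for a bad target */
	if (len + restlen >= EX_MAXPATHLEN)
		return (ENAMETOOLONG);
	memcpy(out, buf, len);
	memcpy(out + len, rest, restlen + 1);	/* includes the terminator */
	return (0);
}
```
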