Created attachment 232940 [details] fake SMB server that provokes a page-fault in the kernel smb client's smb_t2_placedata() If an SMB reply message claims a tiny offset for the data, placing the data before the parameters, smb_t2_placedata() can page-fault on the zero return value from a failing m_split(). This can occur on both 13.0-RELEASE-p8 and a recent CURRENT. I've attached a demo that mounts a fake SMB server on /mnt; the server generates a bad SMB reply at one point. That reply has data offset=4 count=68, params offset=56 count=10. # uname -a FreeBSD xxx 13.0-RELEASE-p8 FreeBSD 13.0-RELEASE-p8 #0: Tue Mar 15 09:36:28 UTC 2022 root@amd64-builder.daemonology.net:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 # cc saxs1.c # ./a.out ... client #18 89 client #19 89 Fatal trap 12: page fault while in kernel mode cpuid = 0; apic id = 00 fault virtual address = 0x18 fault code = supervisor write data, page not present instruction pointer = 0x20:0xffffffff8231aef4 stack pointer = 0x28:0xfffffe0063d87140 frame pointer = 0x28:0xfffffe0063d87250 code segment = base rx0, limit 0xfffff, type 0x1b = DPL 0, pres 1, long 1, def32 0, gran 1 processor eflags = interrupt enabled, resume, IOPL = 0 current process = 721 (a.out) trap number = 12 panic: page fault cpuid = 0 time = 1649089759 KDB: stack backtrace: #0 0xffffffff80c57525 at kdb_backtrace+0x65 #1 0xffffffff80c09f01 at vpanic+0x181 #2 0xffffffff80c09d73 at panic+0x43 #3 0xffffffff8108b1a7 at trap_fatal+0x387 #4 0xffffffff8108b1ff at trap_pfault+0x4f #5 0xffffffff8108a85d at trap+0x27d #6 0xffffffff81061d98 at calltrap+0x8 #7 0xffffffff82325189 at smbfs_findnext+0xa09 #8 0xffffffff82325453 at smbfs_smb_lookup+0xb3 #9 0xffffffff823219d7 at smbfs_getattr+0x67 #10 0xffffffff8231f3d0 at smbfs_node_alloc+0x270 #11 0xffffffff8231f0dc at smbfs_nget+0x6c #12 0xffffffff8232122b at smbfs_lookup+0x4eb #13 0xffffffff80cd776c at lookup+0x68c #14 0xffffffff80cd6a87 at namei+0x487 #15 0xffffffff80cf78ae at kern_renameat+0xee #16 0xffffffff8108baac at amd64_syscall+0x10c #17 0xffffffff810626be at fast_syscall_common+0xf8
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=7c140ef034c33ab0b16b535f3d5f945dc8f71cb4 commit 7c140ef034c33ab0b16b535f3d5f945dc8f71cb4 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2022-04-06 18:25:37 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2022-04-06 18:32:09 +0000 smbfs: caution against use in the manpage It supports only the obsolete SMBv1 protocol, is known to be buggy, and likely has security vulnerabilities. It will either be updated or removed in the future, but for now at least describe the current state in the man page. PR: 263043 MFC after: 3 days Sponsored by: The FreeBSD Foundation share/man/man5/smbfs.5 | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=802da293bd5be064c2ecda76e5aa33e1a237bc1b commit 802da293bd5be064c2ecda76e5aa33e1a237bc1b Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2022-04-06 18:25:37 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2022-04-09 00:55:30 +0000 smbfs: caution against use in the manpage It supports only the obsolete SMBv1 protocol, is known to be buggy, and likely has security vulnerabilities. It will either be updated or removed in the future, but for now at least describe the current state in the man page. PR: 263043 MFC after: 3 days Sponsored by: The FreeBSD Foundation (cherry picked from commit 7c140ef034c33ab0b16b535f3d5f945dc8f71cb4) share/man/man5/smbfs.5 | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-)
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=c054fcae14d1883d7a6edce16b24cd328edd0079 commit c054fcae14d1883d7a6edce16b24cd328edd0079 Author: Ed Maste <emaste@FreeBSD.org> AuthorDate: 2022-04-06 18:25:37 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2022-04-09 00:56:01 +0000 smbfs: caution against use in the manpage It supports only the obsolete SMBv1 protocol, is known to be buggy, and likely has security vulnerabilities. It will either be updated or removed in the future, but for now at least describe the current state in the man page. PR: 263043 MFC after: 3 days Sponsored by: The FreeBSD Foundation (cherry picked from commit 7c140ef034c33ab0b16b535f3d5f945dc8f71cb4) share/man/man5/smbfs.5 | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-)
The issue has not been fixed - the commit merely adds a note to the man page that there are security issues in smb.