If VOP_READLINK returns a buffer containing an embedded NUL, then this panic will result during lookup. I can reproduce this panic with a buggy or malicious fusefs server. I can also fix it in fusefs, but a different file system might be able to trigger it too. For example, from inspection ext3_readlink contains no protection against this condition. So it might be better to fix it in vfs_lookup.

#0  __curthread () at /usr/home/somers/src/freebsd.org/src/sys/amd64/include/pcpu_aux.h:57
#1  doadump (textdump=textdump@entry=0) at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:405
#2  0xffffffff804a401a in db_dump (dummy=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>) at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:591
#3  0xffffffff804a3e1d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=true) at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:504
#4  0xffffffff804a3add in db_command_loop () at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:551
#5  0xffffffff804a71b6 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_main.c:268
#6  0xffffffff80b9e4c3 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe02ff636880) at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:790
#7  0xffffffff8104d809 in trap (frame=0xfffffe02ff636880) at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/trap.c:608
#8  <signal handler called>
#9  kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:556
#10 0xffffffff80b4f8e3 in vpanic (fmt=0xffffffff811b04a5 "%s: encountered unexpected nul; string [%s]\n", ap=ap@entry=0xfffffe02ff636ab0) at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:958
#11 0xffffffff80b4f6c3 in panic (fmt=0xffffffff8196c800 <cnputs_mtx> "J\250\024\201\377\377\377\377") at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:894
#12 0xffffffff80c377f5 in vfs_lookup (ndp=ndp@entry=0xfffffe02ff636bd8) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:1093
#13 0xffffffff80c360ed in namei (ndp=ndp@entry=0xfffffe02ff636bd8) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:684
#14 0xffffffff80c567a0 in kern_statat (td=0xfffffe02f5069000, flag=<optimized out>, fd=-100, path=0x8291804b9 <error: Cannot access memory at address 0x8291804b9>, pathseg=pathseg@entry=UIO_USERSPACE, sbp=sbp@entry=0xfffffe02ff636d18) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2439
#15 0xffffffff80c56ea7 in sys_fstatat (td=0xffffffff8196c800 <cnputs_mtx>, uap=0xfffffe02f5069400) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2417
#16 0xffffffff8104e67f in syscallenter (td=0xfffffe02f5069000) at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/../../kern/subr_syscall.c:187
This behavior was introduced in d81aefa8b7dd8cbeffeda541fca9962802404983 . It's included in releases 13.1 and 13.2 and the upcoming 14.0.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=662ec2f781521c36b76af748d74bb0a3c2e27a76

commit 662ec2f781521c36b76af748d74bb0a3c2e27a76
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2023-10-04 18:48:01 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-10-07 14:22:03 +0000

    fusefs: sanitize FUSE_READLINK results for embedded NULs

    If VOP_READLINK returns a path that contains a NUL, it will trigger an
    assertion in vfs_lookup. Sanitize such paths in fusefs, rejecting any and
    warning the user about the misbehaving server.

    PR:             274268
    MFC after:      1 week
    Sponsored by:   Axcient
    Reviewed by:    mjg, markj
    Differential Revision: https://reviews.freebsd.org/D42081

 sys/fs/fuse/fuse_ipc.h          |  1 +
 sys/fs/fuse/fuse_vnops.c        |  7 +++++++
 tests/sys/fs/fusefs/readlink.cc | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+)
Per the discussion in the code review, we decided to leave vfs_lookup unchanged and fix the bug in fusefs instead. This means that the same bug could potentially happen in other file systems, like ext2fs. MFC to stable/12 is not required, as the crash isn't possible there.
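The check the commit message describes (reject a FUSE_READLINK reply whose payload contains a NUL inside its claimed length, and warn about the server) modelled in user-space C. This is an added example, not fusefs's own code and not taken from the commits quoted in this bug; the struct layout, the function names, the stand-in warning and the choice of EIO as the rejection error are assumptions made for the illustration. It also shows why the check has to use the server-reported length rather than strlen(), which would stop silently at the embedded NUL.

```c
/*
 * Added example, not code from FreeBSD's fusefs: a user-space model of the
 * sanitization the commit above describes.  A FUSE server answers
 * FUSE_READLINK with a byte buffer plus a length; the kernel must verify
 * that the buffer is a single path string before name lookup treats it as
 * one.  The struct, the function names and the use of EIO as the
 * rejection error are assumptions made for this illustration.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a server's FUSE_READLINK reply. */
struct readlink_reply {
    const char *data;   /* payload as sent by the server, not trusted */
    size_t      len;    /* byte count the server claims for the target */
};

/*
 * True if a NUL byte lies inside the claimed length.  strnlen() stops at
 * the first NUL, so a result shorter than len means the payload is not one
 * path string.  A plain strlen() would miss the problem entirely, because
 * it would stop at the embedded NUL and report a shorter, clean-looking
 * target.
 */
bool readlink_has_embedded_nul(const struct readlink_reply *r)
{
    return strnlen(r->data, r->len) < r->len;
}

/*
 * Validate a reply and copy the target into out as a NUL-terminated string.
 * Returns 0 on success, ENAMETOOLONG if the target does not fit in out, or
 * EIO (assumed here) when the reply contains an embedded NUL.  The
 * fprintf() stands in for the kernel's warning about the misbehaving
 * server.
 */
int sanitize_readlink_target(const struct readlink_reply *r,
                             char *out, size_t outsz)
{
    if (r->len >= outsz)
        return ENAMETOOLONG;
    if (readlink_has_embedded_nul(r)) {
        fprintf(stderr, "fusefs: FUSE_READLINK reply contains an embedded "
                "NUL (%zu bytes claimed); rejecting reply\n", r->len);
        return EIO;
    }
    memcpy(out, r->data, r->len);
    out[r->len] = '\0';
    return 0;
}

/*
 * Run one well-formed and one malformed (constructed) reply through the
 * check.  Returns the number of replies rejected, so a caller can verify
 * that exactly the malformed one was refused.
 */
int run_readlink_samples(void)
{
    /* "link-target" is 11 bytes; the second reply also claims 11 bytes but
     * carries a NUL after byte 6, as a buggy or malicious server might. */
    const struct readlink_reply samples[] = {
        { "link-target", 11 },
        { "target\0more", 11 },
    };
    char out[64];
    int rejected = 0;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int err = sanitize_readlink_target(&samples[i], out, sizeof out);
        if (err == 0)
            printf("accepted target \"%s\"\n", out);
        else
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Exactly one of the two constructed replies should be rejected. */
    return run_readlink_samples() == 1 ? 0 : 1;
}
```

The sanitization sits at the file-system boundary, before the target buffer is handed to name lookup, which is where the discussion above chose to place it rather than in vfs_lookup itself; any other file system that returns symlink targets from untrusted on-disk or remote data would need the same length-based check.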
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=8fca98f6881fdd68a786f4366c345159ab0df408

commit 8fca98f6881fdd68a786f4366c345159ab0df408
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2023-10-04 18:48:01 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-10-14 17:57:09 +0000

    fusefs: sanitize FUSE_READLINK results for embedded NULs

    If VOP_READLINK returns a path that contains a NUL, it will trigger an
    assertion in vfs_lookup. Sanitize such paths in fusefs, rejecting any and
    warning the user about the misbehaving server.

    PR:             274268
    Sponsored by:   Axcient
    Reviewed by:    mjg, markj
    Differential Revision: https://reviews.freebsd.org/D42081

    (cherry picked from commit 662ec2f781521c36b76af748d74bb0a3c2e27a76)

 sys/fs/fuse/fuse_ipc.h          |  1 +
 sys/fs/fuse/fuse_vnops.c        |  7 +++++++
 tests/sys/fs/fusefs/readlink.cc | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+)
A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0022bd418e6c0c7c767a296a3e0d3782e5137dce

commit 0022bd418e6c0c7c767a296a3e0d3782e5137dce
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2023-10-04 18:48:01 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-10-15 02:13:05 +0000

    fusefs: sanitize FUSE_READLINK results for embedded NULs

    If VOP_READLINK returns a path that contains a NUL, it will trigger an
    assertion in vfs_lookup. Sanitize such paths in fusefs, rejecting any and
    warning the user about the misbehaving server.

    PR:             274268
    Sponsored by:   Axcient
    Approved by:    gjb (re)
    Reviewed by:    mjg, markj
    Differential Revision: https://reviews.freebsd.org/D42081

    (cherry picked from commit 662ec2f781521c36b76af748d74bb0a3c2e27a76)
    (cherry picked from commit 8fca98f6881fdd68a786f4366c345159ab0df408)

 sys/fs/fuse/fuse_ipc.h          |  1 +
 sys/fs/fuse/fuse_vnops.c        |  7 +++++++
 tests/sys/fs/fusefs/readlink.cc | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+)
A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ec3864cc68617edb106724a6d423b47ec455e31b

commit ec3864cc68617edb106724a6d423b47ec455e31b
Author:     Alan Somers <asomers@FreeBSD.org>
AuthorDate: 2023-10-04 18:48:01 +0000
Commit:     Alan Somers <asomers@FreeBSD.org>
CommitDate: 2023-10-15 13:02:07 +0000

    fusefs: sanitize FUSE_READLINK results for embedded NULs

    If VOP_READLINK returns a path that contains a NUL, it will trigger an
    assertion in vfs_lookup. Sanitize such paths in fusefs, rejecting any and
    warning the user about the misbehaving server.

    PR:             274268
    Sponsored by:   Axcient
    Reviewed by:    mjg, markj
    Differential Revision: https://reviews.freebsd.org/D42081

    (cherry picked from commit 662ec2f781521c36b76af748d74bb0a3c2e27a76)

 sys/fs/fuse/fuse_ipc.h          |  1 +
 sys/fs/fuse/fuse_vnops.c        |  7 +++++++
 tests/sys/fs/fusefs/readlink.cc | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+)