Bug 274268
| Summary: | panic: vfs_lookup: encountered unexpected nul; string when a symlink contains an embedded NUL | ||
|---|---|---|---|
| Product: | Base System | Reporter: | Alan Somers <asomers> |
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | Closed FIXED | ||
| Severity: | Affects Some People | CC: | emaste, grahamperrin, mjg |
| Priority: | --- | Keywords: | crash |
| Version: | 15.0-CURRENT | Flags: | asomers:
mfc-stable14+
asomers: mfc-stable13+ asomers: mfc-stable12- |
| Hardware: | Any | ||
| OS: | Any | ||
| URL: | https://reviews.freebsd.org/D42081 | ||
| Bug Depends on: | |||
| Bug Blocks: | 271607 | ||
This behavior was introduced in d81aefa8b7dd8cbeffeda541fca9962802404983 . It's included in releases 13.1 and 13.2 and the upcoming 14.0. A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=662ec2f781521c36b76af748d74bb0a3c2e27a76 commit 662ec2f781521c36b76af748d74bb0a3c2e27a76 Author: Alan Somers <asomers@FreeBSD.org> AuthorDate: 2023-10-04 18:48:01 +0000 Commit: Alan Somers <asomers@FreeBSD.org> CommitDate: 2023-10-07 14:22:03 +0000 fusefs: sanitize FUSE_READLINK results for embedded NULs If VOP_READLINK returns a path that contains a NUL, it will trigger an assertion in vfs_lookup. Sanitize such paths in fusefs, rejecting any and warning the user about the misbehaving server. PR: 274268 MFC after: 1 week Sponsored by: Axcient Reviewed by: mjg, markj Differential Revision: https://reviews.freebsd.org/D42081 sys/fs/fuse/fuse_ipc.h | 1 + sys/fs/fuse/fuse_vnops.c | 7 +++++++ tests/sys/fs/fusefs/readlink.cc | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) Per the discussion in the code review, we decided to leave vfs_lookup unchanged and fix the bug in fusefs instead. This means that the same bug could potentially happen in other file systems, like ext2fs. MFC to stable/12 is not required, as the crash isn't possible there. A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=8fca98f6881fdd68a786f4366c345159ab0df408 commit 8fca98f6881fdd68a786f4366c345159ab0df408 Author: Alan Somers <asomers@FreeBSD.org> AuthorDate: 2023-10-04 18:48:01 +0000 Commit: Alan Somers <asomers@FreeBSD.org> CommitDate: 2023-10-14 17:57:09 +0000 fusefs: sanitize FUSE_READLINK results for embedded NULs If VOP_READLINK returns a path that contains a NUL, it will trigger an assertion in vfs_lookup. Sanitize such paths in fusefs, rejecting any and warning the user about the misbehaving server. PR: 274268 Sponsored by: Axcient Reviewed by: mjg, markj Differential Revision: https://reviews.freebsd.org/D42081 (cherry picked from commit 662ec2f781521c36b76af748d74bb0a3c2e27a76) sys/fs/fuse/fuse_ipc.h | 1 + sys/fs/fuse/fuse_vnops.c | 7 +++++++ tests/sys/fs/fusefs/readlink.cc | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) A commit in branch releng/14.0 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=0022bd418e6c0c7c767a296a3e0d3782e5137dce commit 0022bd418e6c0c7c767a296a3e0d3782e5137dce Author: Alan Somers <asomers@FreeBSD.org> AuthorDate: 2023-10-04 18:48:01 +0000 Commit: Alan Somers <asomers@FreeBSD.org> CommitDate: 2023-10-15 02:13:05 +0000 fusefs: sanitize FUSE_READLINK results for embedded NULs If VOP_READLINK returns a path that contains a NUL, it will trigger an assertion in vfs_lookup. Sanitize such paths in fusefs, rejecting any and warning the user about the misbehaving server. PR: 274268 Sponsored by: Axcient Approved by: gjb (re) Reviewed by: mjg, markj Differential Revision: https://reviews.freebsd.org/D42081 (cherry picked from commit 662ec2f781521c36b76af748d74bb0a3c2e27a76) (cherry picked from commit 8fca98f6881fdd68a786f4366c345159ab0df408) sys/fs/fuse/fuse_ipc.h | 1 + sys/fs/fuse/fuse_vnops.c | 7 +++++++ tests/sys/fs/fusefs/readlink.cc | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=ec3864cc68617edb106724a6d423b47ec455e31b commit ec3864cc68617edb106724a6d423b47ec455e31b Author: Alan Somers <asomers@FreeBSD.org> AuthorDate: 2023-10-04 18:48:01 +0000 Commit: Alan Somers <asomers@FreeBSD.org> CommitDate: 2023-10-15 13:02:07 +0000 fusefs: sanitize FUSE_READLINK results for embedded NULs If VOP_READLINK returns a path that contains a NUL, it will trigger an assertion in vfs_lookup. Sanitize such paths in fusefs, rejecting any and warning the user about the misbehaving server. PR: 274268 Sponsored by: Axcient Reviewed by: mjg, markj Differential Revision: https://reviews.freebsd.org/D42081 (cherry picked from commit 662ec2f781521c36b76af748d74bb0a3c2e27a76) sys/fs/fuse/fuse_ipc.h | 1 + sys/fs/fuse/fuse_vnops.c | 7 +++++++ tests/sys/fs/fusefs/readlink.cc | 39 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) |
If VOP_READLINK returns a buffer containing an embedded NUL, then this panic will result during lookup. I can reproduce this panic with a buggy or malicious fusefs server. I can also fix it in fusefs, but a different file system might be able to trigger it too. For example, from inspection ext3_readlink contains no protection against a this condition. So it might be better to fix it vfs_lookup. #0 __curthread () at /usr/home/somers/src/freebsd.org/src/sys/amd64/include/pcpu_aux.h:57 #1 doadump (textdump=textdump@entry=0) at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:405 #2 0xffffffff804a401a in db_dump (dummy=<optimized out>, dummy2=<optimized out>, dummy3=<optimized out>, dummy4=<optimized out>) at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:591 #3 0xffffffff804a3e1d in db_command (last_cmdp=<optimized out>, cmd_table=<optimized out>, dopager=true) at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:504 #4 0xffffffff804a3add in db_command_loop () at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_command.c:551 #5 0xffffffff804a71b6 in db_trap (type=<optimized out>, code=<optimized out>) at /usr/home/somers/src/freebsd.org/src/sys/ddb/db_main.c:268 #6 0xffffffff80b9e4c3 in kdb_trap (type=type@entry=3, code=code@entry=0, tf=tf@entry=0xfffffe02ff636880) at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:790 #7 0xffffffff8104d809 in trap (frame=0xfffffe02ff636880) at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/trap.c:608 #8 <signal handler called> #9 kdb_enter (why=<optimized out>, msg=<optimized out>) at /usr/home/somers/src/freebsd.org/src/sys/kern/subr_kdb.c:556 #10 0xffffffff80b4f8e3 in vpanic (fmt=0xffffffff811b04a5 "%s: encountered unexpected nul; string [%s]\n", ap=ap@entry=0xfffffe02ff636ab0) at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:958 #11 0xffffffff80b4f6c3 in panic (fmt=0xffffffff8196c800 <cnputs_mtx> "J\250\024\201\377\377\377\377") at /usr/home/somers/src/freebsd.org/src/sys/kern/kern_shutdown.c:894 #12 0xffffffff80c377f5 in vfs_lookup (ndp=ndp@entry=0xfffffe02ff636bd8) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:1093 #13 0xffffffff80c360ed in namei (ndp=ndp@entry=0xfffffe02ff636bd8) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_lookup.c:684 #14 0xffffffff80c567a0 in kern_statat (td=0xfffffe02f5069000, flag=<optimized out>, fd=-100, path=0x8291804b9 <error: Cannot access memory at address 0x8291804b9>, pathseg=pathseg@entry=UIO_USERSPACE, sbp=sbp@entry=0xfffffe02ff636d18) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2439 #15 0xffffffff80c56ea7 in sys_fstatat (td=0xffffffff8196c800 <cnputs_mtx>, uap=0xfffffe02f5069400) at /usr/home/somers/src/freebsd.org/src/sys/kern/vfs_syscalls.c:2417 #16 0xffffffff8104e67f in syscallenter (td=0xfffffe02f5069000) at /usr/home/somers/src/freebsd.org/src/sys/amd64/amd64/../../kern/subr_syscall.c:187