Bug 259996 - bad CREATE_SESSION NFS v4.1 reply can cause client kernel page fault
Summary: bad CREATE_SESSION NFS v4.1 reply can cause client kernel page fault
Status: In Progress
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: CURRENT
Hardware: Any Any
: --- Affects Some People
Assignee: Rick Macklem
Depends on:
Reported: 2021-11-23 16:48 UTC by Robert Morris
Modified: 2021-11-26 23:34 UTC (History)
2 users (show)

See Also:
rmacklem: mfc-stable13?
rmacklem: mfc-stable12?

Demo that crashes an NFS client. (19.36 KB, text/plain)
2021-11-23 16:48 UTC, Robert Morris
no flags Details
sanity check the rdma cnt reply to Create_session (555 bytes, patch)
2021-11-25 23:29 UTC, Rick Macklem
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Morris 2021-11-23 16:48:26 UTC
Created attachment 229673 [details]
Demo that crashes an NFS client.

These lines in nfsrpc_createsession()

                irdcnt = fxdr_unsigned(int, *tl);
                if (irdcnt > 0)
                        NFSM_DISSECT(tl, uint32_t *, irdcnt * NFSX_UNSIGNED);

will accept the server's irdcount if it's huge and positive, but can
then pass a negative size due to overflow in the multiply. This can
cause nfsm_dissect() to subtract a big number from nd->nd_dpos, which
causes a wild pointer reference next time nd->nd_dpos is used.

I've attached a demo:

# uname -a
FreeBSD  14.0-CURRENT FreeBSD 14.0-CURRENT #91 main-n250901-77e3db078984-dirty: Tue Nov 23 10:48:40 EST 2021     rtm@xxx:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM  riscv
# cc fnfs_1.c
# ./a.out
panic: Fatal page fault at 0xffffffc000227d16: 0xffffffcf82b289c8
KDB: stack backtrace:
db_trace_self() at db_trace_self
db_trace_self_wrapper() at db_trace_self_wrapper+0x38
kdb_backtrace() at kdb_backtrace+0x2c
vpanic() at vpanic+0x154
panic() at panic+0x2a
page_fault_handler() at page_fault_handler+0x1ee
do_trap_supervisor() at do_trap_supervisor+0x76
cpu_exception_handler_supervisor() at cpu_exception_handler_supervisor+0x70
--- exception 13, tval = 0xffffffcf82b289c8
nfsrpc_createsession() at nfsrpc_createsession+0x730
nfsrpc_setclient() at nfsrpc_setclient+0x240
nfscl_getcl() at nfscl_getcl+0x53e
mountnfs() at mountnfs+0x722
nfs_mount() at nfs_mount+0x161e
vfs_mount_sigdefer() at vfs_mount_sigdefer+0x20
vfs_domount_first() at vfs_domount_first+0x1d4
vfs_domount() at vfs_domount+0x21c
vfs_donmount() at vfs_donmount+0x79c
sys_nmount() at sys_nmount+0x66
do_trap_user() at do_trap_user+0x206
cpu_exception_handler_user() at cpu_exception_handler_user+0x72
Comment 1 Rick Macklem freebsd_committer 2021-11-25 23:29:02 UTC
Created attachment 229730 [details]
sanity check the rdma cnt reply to Create_session

This patch should avoid the crash.

Maybe the reporter can verify that this patch fixes the problem?
Comment 2 Robert Morris 2021-11-26 16:44:44 UTC
(In reply to Rick Macklem from comment #1)
The patch does indeed fix the crash for me -- thank you.
Comment 3 commit-hook freebsd_committer 2021-11-26 23:32:28 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=22f7bcb523e7138248832fb304559c8f23276e08

commit 22f7bcb523e7138248832fb304559c8f23276e08
Author:     Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2021-11-26 23:28:40 +0000
Commit:     Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2021-11-26 23:28:40 +0000

    nfscl: Sanity check irdcnt in nfsrpc_createsession

    Reported by:    rtm@lcs.mit.edu
    Tested by:      rtm@lcs.mit.edu
    PR:     259996
    MFC after:      2 weeks

 sys/fs/nfsclient/nfs_clrpcops.c | 4 ++++
 1 file changed, 4 insertions(+)
Comment 4 Rick Macklem freebsd_committer 2021-11-26 23:34:53 UTC
Patch has been committed to main and will be MFC'd.