From: "J. Bruce Fields" <bfields@fieldses.org>
To: rtm@csail.mit.edu
Cc: Chuck Lever <chuck.lever@oracle.com>, linux-nfs@vger.kernel.org
Subject: Re: NFS client can crash server due to overrun in nfsd4_decode_bitmap4()
Date: Sat, 13 Nov 2021 16:33:05 -0500 [thread overview]
Message-ID: <20211113213305.GC27601@fieldses.org> (raw)
In-Reply-To: <97860.1636837122@crash.local>
By the way, thanks for this work. Just out of curiosity: did anything
in particular prompt this? And do you have some tool that's finding
these, or is it manual code inspection, or some combination?
--b.
On Sat, Nov 13, 2021 at 03:58:42PM -0500, rtm@csail.mit.edu wrote:
> nfsd4_decode_bitmap4() will write beyond bmval[bmlen-1] if the RPC
> directs it to do so. This can cause nfsd4_decode_state_protect4_a() to
> write client-supplied data beyond the end of
> nfsd4_exchange_id.spo_must_allow[] when called by
> nfsd4_decode_exchange_id().
>
> I've attached a demo in which the client's EXCHANGE_ID RPC supplies an
> address (0x400) that nfsd4_decode_bitmap4() writes into
> nii_domain.data due to overflowing bmval[]. The EXCHANGE_ID RPC also
> supplies a zero-length eia_client_impl_id<>. The result is that
> copy_impl_id() (called by nfsd4_exchange_id()) tries to read from
> address 0x400.
>
> # cc nfsd_1.c
> # uname -a
> Linux (none) 5.15.0-rc7-dirty #64 SMP Sat Nov 13 20:10:21 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux
> # ./nfsd_1
> ...
> [ 16.600786] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000400
> [ 16.643621] epc : __memcpy+0x3c/0xf8
> [ 16.650154] ra : kmemdup+0x2c/0x3c
> [ 16.657733] epc : ffffffff803667bc ra : ffffffff800e80fe sp : ffffffd000553c20
> [ 16.777502] status: 0000000200000121 badaddr: 0000000000000400 cause: 000000000000000d
> [ 16.788193] [<ffffffff803667bc>] __memcpy+0x3c/0xf8
> [ 16.796504] [<ffffffff8028cf0e>] nfsd4_exchange_id+0xe6/0x406
> [ 16.806159] [<ffffffff8027c352>] nfsd4_proc_compound+0x2b4/0x4e8
> [ 16.815721] [<ffffffff80266782>] nfsd_dispatch+0x118/0x172
> [ 16.823405] [<ffffffff807633fa>] svc_process_common+0x2de/0x62c
> [ 16.832935] [<ffffffff8076380c>] svc_process+0xc4/0x102
> [ 16.840421] [<ffffffff802661de>] nfsd+0x102/0x16a
> [ 16.848520] [<ffffffff80025b60>] kthread+0xfe/0x110
> [ 16.856648] [<ffffffff80003054>] ret_from_exception+0x0/0xc
>
prev parent reply other threads:[~2021-11-13 21:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-13 20:58 NFS client can crash server due to overrun in nfsd4_decode_bitmap4() rtm
2021-11-13 21:06 ` Chuck Lever III
2021-11-13 21:25 ` Bruce Fields
2021-11-13 21:31 ` Chuck Lever III
2021-11-13 21:57 ` Bruce Fields
2021-11-14 2:44 ` Chuck Lever III
2021-12-13 2:10 ` Bruce Fields
2021-12-13 4:21 ` Chuck Lever III
2021-12-13 4:52 ` Trond Myklebust
2021-11-13 21:33 ` J. Bruce Fields [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211113213305.GC27601@fieldses.org \
--to=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=rtm@csail.mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox