Subject: Re: client can crash nfsd4_encode_fattr4() by setting bit 84
From: Jeff Layton
To: rtm@csail.mit.edu, Chuck Lever
Cc: NeilBrown, Olga Kornievskaia, Dai Ngo, Tom Talpey, linux-nfs@vger.kernel.org
Date: Wed, 10 Sep 2025 10:49:35 -0400
In-Reply-To: <53032.1757512512@30-10-113.wireless.csail.mit.edu>
References: <53032.1757512512@30-10-113.wireless.csail.mit.edu>

On Wed, 2025-09-10 at 09:55 -0400, rtm@csail.mit.edu wrote:
> Entry 84 (and a few neighbors) in nfsd4_enc_fattr4_encode_ops[] is
> NULL, so if a client sets that bit in an OP_VERIFY bitmask, the server
> will crash here in nfsd_encode_fattr4():
> 
> 	for_each_set_bit(bit, attr_bitmap,
> 			 ARRAY_SIZE(nfsd4_enc_fattr4_encode_ops)) {
> 		status = nfsd4_enc_fattr4_encode_ops[bit](xdr, &args);

Thanks. That looks like a real bug, alright. I think we just need to
check that nfsd4_enc_fattr4_encode_ops[bit] is non-NULL before calling
its handler. Care to propose a patch?

> 
> I've attached a demo:
> 
> # cc nfsd128b.c
> # ./a.out
> ...
> [ 354.732253] BUG: kernel NULL pointer dereference, address: 0000000000000000
> [ 354.733355] #PF: supervisor instruction fetch in kernel mode
> [ 354.734247] #PF: error_code(0x0010) - not-present page
> [ 354.735053] PGD 0 P4D 0
> [ 354.735482] Oops: Oops: 0010 [#1] SMP PTI
> [ 354.736120] CPU: 2 UID: 0 PID: 1459 Comm: nfsd Not tainted 6.17.0-rc4-00231-gc8ed9b5c02a5 #28 PREEMPT(voluntary)
> [ 354.737664] Hardware name: FreeBSD BHYVE/BHYVE, BIOS 14.0 10/17/2021
> [ 354.738645] RIP: 0010:0x0
> [ 354.739087] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
> [ 354.739677] RSP: 0018:ffffa7a380e0fa20 EFLAGS: 00010293
> [ 354.739956] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000053
> [ 354.740327] RDX: 0000000000000014 RSI: ffffa7a380e0fa78 RDI: ffffa7a380e0fc50
> [ 354.740691] RBP: ffffa7a380e0fc28 R08: 0000000000000001 R09: ffffa7a380e0fa68
> [ 354.741060] R10: 0000000000000000 R11: 0000000000140000 R12: ffffa7a380e0fc50
> [ 354.741432] R13: 0000000000000010 R14: 0000000000000054 R15: ffffa36c03bdba00
> [ 354.741802] FS:  0000000000000000(0000) GS:ffffa36fa6c88000(0000) knlGS:0000000000000000
> [ 354.742215] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 354.742519] CR2: ffffffffffffffd6 CR3: 00000001885a6003 CR4: 00000000003706f0
> [ 354.742887] Call Trace:
> [ 354.743030]
> [ 354.743152]  nfsd4_encode_fattr4+0x310/0x6b0
> [ 354.743396]  nfsd4_encode_fattr_to_buf+0xb8/0xf0
> [ 354.743645]  ? _nfsd4_verify+0x9a/0x160
> [ 354.743861]  ? _nfsd4_verify+0xd0/0x160
> [ 354.744072]  _nfsd4_verify+0xd0/0x160
> [ 354.744278]  nfsd4_verify+0x9/0x20
> [ 354.744466]  nfsd4_proc_compound+0x39c/0x720
> [ 354.744701]  nfsd_dispatch+0xd2/0x210
> [ 354.744903]  svc_process_common+0x481/0x630
> [ 354.745130]  ? __pfx_nfsd_dispatch+0x10/0x10
> [ 354.745362]  svc_process+0x12c/0x1b0
> [ 354.745558]  svc_recv+0x7d0/0x990
> [ 354.745738]  ? __pfx_nfsd+0x10/0x10
> [ 354.745929]  nfsd+0x8a/0xe0
> [ 354.746083]  kthread+0xf6/0x1f0
> [ 354.746260]  ? __pfx_kthread+0x10/0x10
> [ 354.746464]  ret_from_fork+0x80/0xd0
> [ 354.746658]  ? __pfx_kthread+0x10/0x10
> [ 354.746859]  ret_from_fork_asm+0x1a/0x30
> [ 354.747069]
> 
> Robert Morris
> rtm@mit.edu

-- 
Jeff Layton
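The bug class under discussion, as an added illustration that is not code from the NFSD tree or from either poster: a sparse function-pointer table indexed by a client-supplied attribute bitmap, in the shape of nfsd4_enc_fattr4_encode_ops[], with the NULL check Jeff suggests placed before the indirect call. The table layout (holes at bits 84..86 are constructed to mirror the report), the toy encoder, the bitmap helpers standing in for for_each_set_bit(), and the error values ERR_ATTRNOTSUPP / ERR_RESOURCE are all assumptions made for this example, not NFSD's own names or status codes.

```c
/*
 * Added example, not code from the NFSD tree: a sparse dispatch table
 * indexed by a client-chosen bitmap, with the NULL-slot check that the
 * reported crash path lacks. Table contents, encoder, error values and
 * bitmap helpers are constructed for illustration only.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ERR_OK           0
#define ERR_ATTRNOTSUPP  10032  /* hypothetical stand-in for an NFS4ERR_* status */
#define ERR_RESOURCE     10018  /* hypothetical: output buffer full */

#define NUM_ATTRS    96                 /* three 32-bit bitmap words */
#define BITMAP_WORDS (NUM_ATTRS / 32)

struct xdr_buf {
    char   data[128];
    size_t len;
};

typedef int (*encode_fn)(struct xdr_buf *xdr, int bit);

/* Toy encoder: appends "attr<bit>;" to the output buffer. */
static int enc_attr(struct xdr_buf *xdr, int bit)
{
    size_t room = sizeof(xdr->data) - xdr->len;
    int n = snprintf(xdr->data + xdr->len, room, "attr%d;", bit);
    if (n < 0 || (size_t)n >= room)
        return ERR_RESOURCE;
    xdr->len += (size_t)n;
    return ERR_OK;
}

/*
 * Sparse table. Designated initializers leave every unlisted slot NULL;
 * bits 84..86 are deliberate holes mirroring the gap in the report.
 * Calling through one of them is exactly the "RIP: 0010:0x0" oops above.
 */
static const encode_fn encode_ops[NUM_ATTRS] = {
    [0]  = enc_attr, [1]  = enc_attr, [2]  = enc_attr, [3]  = enc_attr,
    [80] = enc_attr, [81] = enc_attr, [82] = enc_attr, [83] = enc_attr,
    [87] = enc_attr, [88] = enc_attr,
};

/* Minimal stand-ins for the kernel bitmap helpers over u32 words. */
static inline int  bitmap_test(const uint32_t *bm, int bit) { return (bm[bit / 32] >> (bit % 32)) & 1u; }
static inline void bitmap_set(uint32_t *bm, int bit)        { bm[bit / 32] |= 1u << (bit % 32); }

/* Triage helper: first set bit with no encoder behind it, or -1 if none. */
int first_unsupported_bit(const uint32_t *bm)
{
    for (int bit = 0; bit < NUM_ATTRS; bit++)
        if (bitmap_test(bm, bit) && !encode_ops[bit])
            return bit;
    return -1;
}

/*
 * Hardened dispatch loop: every set bit is checked for a NULL slot before
 * the indirect call, so a request naming an unsupported attribute gets an
 * error status back instead of taking the server down.
 */
int encode_attrs_checked(const uint32_t *bm, struct xdr_buf *xdr)
{
    for (int bit = 0; bit < NUM_ATTRS; bit++) {
        if (!bitmap_test(bm, bit))
            continue;
        if (!encode_ops[bit])           /* the check missing in the report */
            return ERR_ATTRNOTSUPP;
        int status = encode_ops[bit](xdr, bit);
        if (status != ERR_OK)
            return status;
    }
    return ERR_OK;
}

/* Build a bitmap from a list of bits and run it through the checked loop. */
int run_request(const int *bits, size_t nbits, struct xdr_buf *xdr)
{
    uint32_t bm[BITMAP_WORDS] = {0};
    for (size_t i = 0; i < nbits; i++)
        bitmap_set(bm, bits[i]);
    memset(xdr, 0, sizeof(*xdr));
    return encode_attrs_checked(bm, xdr);
}

int main(void)
{
    struct xdr_buf xdr;
    const int good[] = {1, 81};   /* both slots populated */
    const int bad[]  = {1, 84};   /* bit 84 is a NULL slot */
    uint32_t bm[BITMAP_WORDS] = {0};

    int st = run_request(good, 2, &xdr);
    printf("good request: status %d, encoded \"%s\"\n", st, xdr.data);

    st = run_request(bad, 2, &xdr);
    bitmap_set(bm, 84);
    printf("bad request:  status %d, first unsupported bit %d\n",
           st, first_unsupported_bit(bm));
    return 0;
}
```

The per-bit NULL check is the minimal fix. A complementary guard, and the one an NFSv4 server can justify from the protocol, is to mask the client's requested bitmap against the set the server advertises in its supported_attrs attribute before the loop runs at all, so no request can reach a table slot the server never intended to serve; either way the dispatch loop should never trust that a client-selected index points at a populated entry.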