nfsd4_decode_bitmap4() will write beyond bmval[bmlen-1] if the RPC directs it to do so. This can cause nfsd4_decode_state_protect4_a() to write client-supplied data beyond the end of nfsd4_exchange_id.spo_must_allow[] when called by nfsd4_decode_exchange_id(). I've attached a demo in which the client's EXCHANGE_ID RPC supplies an address (0x400) that nfsd4_decode_bitmap4() writes into nii_domain.data due to overflowing bmval[]. The EXCHANGE_ID RPC also supplies a zero-length eia_client_impl_id<>. The result is that copy_impl_id() (called by nfsd4_exchange_id()) tries to read from address 0x400. # cc nfsd_1.c # uname -a Linux (none) 5.15.0-rc7-dirty #64 SMP Sat Nov 13 20:10:21 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux # ./nfsd_1 ... [ 16.600786] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000400 [ 16.643621] epc : __memcpy+0x3c/0xf8 [ 16.650154] ra : kmemdup+0x2c/0x3c [ 16.657733] epc : ffffffff803667bc ra : ffffffff800e80fe sp : ffffffd000553c20 [ 16.777502] status: 0000000200000121 badaddr: 0000000000000400 cause: 000000000000000d [ 16.788193] [<ffffffff803667bc>] __memcpy+0x3c/0xf8 [ 16.796504] [<ffffffff8028cf0e>] nfsd4_exchange_id+0xe6/0x406 [ 16.806159] [<ffffffff8027c352>] nfsd4_proc_compound+0x2b4/0x4e8 [ 16.815721] [<ffffffff80266782>] nfsd_dispatch+0x118/0x172 [ 16.823405] [<ffffffff807633fa>] svc_process_common+0x2de/0x62c [ 16.832935] [<ffffffff8076380c>] svc_process+0xc4/0x102 [ 16.840421] [<ffffffff802661de>] nfsd+0x102/0x16a [ 16.848520] [<ffffffff80025b60>] kthread+0xfe/0x110 [ 16.856648] [<ffffffff80003054>] ret_from_exception+0x0/0xc
Attachment:
nfsd_1.c
Description: Binary data
