Re: NFS client can crash server due to overrun in nfsd4_decode_bitmap4()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On Nov 13, 2021, at 3:58 PM, rtm@xxxxxxxxxxxxx wrote:
> 
> nfsd4_decode_bitmap4() will write beyond bmval[bmlen-1] if the RPC
> directs it to do so. This can cause nfsd4_decode_state_protect4_a() to
> write client-supplied data beyond the end of
> nfsd4_exchange_id.spo_must_allow[] when called by
> nfsd4_decode_exchange_id().

Thanks, I'll look into addressing this for v5.16-rc.

By the way, can you tell if this exposure was in the code
before 2548aa784d76 ("NFSD: Add a separate decoder to handle
state_protect_ops") ? (ie, do we need a separate fix for
this for pre-5.11 NFSD -- I'm guessing no).

Is the current implementation of nfsd4_decode_bitmap() a
problem for its other consumers?


> I've attached a demo in which the client's EXCHANGE_ID RPC supplies an
> address (0x400) that nfsd4_decode_bitmap4() writes into
> nii_domain.data due to overflowing bmval[]. The EXCHANGE_ID RPC also
> supplies a zero-length eia_client_impl_id<>. The result is that
> copy_impl_id() (called by nfsd4_exchange_id()) tries to read from
> address 0x400.
> 
> # cc nfsd_1.c
> # uname -a
> Linux (none) 5.15.0-rc7-dirty #64 SMP Sat Nov 13 20:10:21 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux
> # ./nfsd_1
> ...
> [   16.600786] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000400
> [   16.643621] epc : __memcpy+0x3c/0xf8
> [   16.650154]  ra : kmemdup+0x2c/0x3c
> [   16.657733] epc : ffffffff803667bc ra : ffffffff800e80fe sp : ffffffd000553c20
> [   16.777502] status: 0000000200000121 badaddr: 0000000000000400 cause: 000000000000000d
> [   16.788193] [<ffffffff803667bc>] __memcpy+0x3c/0xf8
> [   16.796504] [<ffffffff8028cf0e>] nfsd4_exchange_id+0xe6/0x406
> [   16.806159] [<ffffffff8027c352>] nfsd4_proc_compound+0x2b4/0x4e8
> [   16.815721] [<ffffffff80266782>] nfsd_dispatch+0x118/0x172
> [   16.823405] [<ffffffff807633fa>] svc_process_common+0x2de/0x62c
> [   16.832935] [<ffffffff8076380c>] svc_process+0xc4/0x102
> [   16.840421] [<ffffffff802661de>] nfsd+0x102/0x16a
> [   16.848520] [<ffffffff80025b60>] kthread+0xfe/0x110
> [   16.856648] [<ffffffff80003054>] ret_from_exception+0x0/0xc
> 
> <nfsd_1.c>

--
Chuck Lever







[Index of Archives]     [Linux Filesystem Development]     [Linux USB Development]     [Linux Media Development]     [Video for Linux]     [Linux NILFS]     [Linux Audio Users]     [Yosemite Info]     [Linux SCSI]

  Powered by Linux