By the way, thanks for this work. Just out of curiosity: did anything in particular prompt this? And do you have some tool that's finding these, or is it manual code inspection, or some combination? --b. On Sat, Nov 13, 2021 at 03:58:42PM -0500, rtm@xxxxxxxxxxxxx wrote: > nfsd4_decode_bitmap4() will write beyond bmval[bmlen-1] if the RPC > directs it to do so. This can cause nfsd4_decode_state_protect4_a() to > write client-supplied data beyond the end of > nfsd4_exchange_id.spo_must_allow[] when called by > nfsd4_decode_exchange_id(). > > I've attached a demo in which the client's EXCHANGE_ID RPC supplies an > address (0x400) that nfsd4_decode_bitmap4() writes into > nii_domain.data due to overflowing bmval[]. The EXCHANGE_ID RPC also > supplies a zero-length eia_client_impl_id<>. The result is that > copy_impl_id() (called by nfsd4_exchange_id()) tries to read from > address 0x400. > > # cc nfsd_1.c > # uname -a > Linux (none) 5.15.0-rc7-dirty #64 SMP Sat Nov 13 20:10:21 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux > # ./nfsd_1 > ... > [ 16.600786] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000400 > [ 16.643621] epc : __memcpy+0x3c/0xf8 > [ 16.650154] ra : kmemdup+0x2c/0x3c > [ 16.657733] epc : ffffffff803667bc ra : ffffffff800e80fe sp : ffffffd000553c20 > [ 16.777502] status: 0000000200000121 badaddr: 0000000000000400 cause: 000000000000000d > [ 16.788193] [<ffffffff803667bc>] __memcpy+0x3c/0xf8 > [ 16.796504] [<ffffffff8028cf0e>] nfsd4_exchange_id+0xe6/0x406 > [ 16.806159] [<ffffffff8027c352>] nfsd4_proc_compound+0x2b4/0x4e8 > [ 16.815721] [<ffffffff80266782>] nfsd_dispatch+0x118/0x172 > [ 16.823405] [<ffffffff807633fa>] svc_process_common+0x2de/0x62c > [ 16.832935] [<ffffffff8076380c>] svc_process+0xc4/0x102 > [ 16.840421] [<ffffffff802661de>] nfsd+0x102/0x16a > [ 16.848520] [<ffffffff80025b60>] kthread+0xfe/0x110 > [ 16.856648] [<ffffffff80003054>] ret_from_exception+0x0/0xc >
