[nfsv4] knfsd related bug reported to FreeBSD

Rick Macklem <rick.macklem@gmail.com> Sat, 14 December 2024 00:47 UTC

Hi,

The attached pcap file shows that the knfsd server generates
bogus XDR for the reply to a GETATTR that follows a READDIR
operation.

More specifically, if you look at the pcap file in wireshark
and go to packet#22 and then click on the operations and
then "Opcode: GETATTR (9)", the start of
the XDR for the GETATTR will be highlighted in the hexadecimal
window.
Now, if you look at what follows (in the hexadecimal window),
you'll see that the GETATTR reply looks like:
- GETATTR (9)
- NFS4_OK (0)
- Length of bitmap (0) <-- Not (2)
- 2 words of attribute bitmap
- 98 (length of attributes in hex)
- attribute values

Everything looks ok, except the number of bitmap words is
0 and not 2.

Since the knfsd does not do this normally, I'd guess it is
some sort of runaway pointer or use after free type bug that
causes this, maybe?

So far, it only appears to happen when the GETATTR follows a
READDIR operation.

This was reported to me for a FreeBSD client mounting the following:
Debian 12 w/kernel:
$ uname -r
6.1.0-25-amd64

> - what type of file system it exports

ZFS:

$ dpkg -l | fgrep libzfs4linux
ii  libzfs4linux  2.1.11-1  amd64
I suspect that ZFS exports are not common for the Linux knfsd?

Anyhow, I am not sure if you have seen such a problem before,
but I thought I would at least report it.
(I have cc'd the reporter, in case you have questions for him.)

rick
ps: If the pcap file does not make it through the mailing list, email me and
      I can send you a copy.
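As an added example (not part of Rick's email, the knfsd, or any NFS implementation), here is a small Python decoder for the GETATTR result layout listed above (opcode, status, bitmap4 count and words, attrlist4 length and bytes, per RFC 7530). The wire bytes are constructed: a well-formed reply next to one whose bitmap count is zero while attribute bytes still follow, the shape described in the report, so a client-side check can flag it instead of misreading the bitmap words as the attribute length.

```python
import struct

OP_GETATTR = 9   # nfs_opnum4 for GETATTR
NFS4_OK = 0

class XdrError(ValueError):
    """Raised when the bytes do not form a well-formed GETATTR4res."""

def _u32(buf, off):
    if off + 4 > len(buf):
        raise XdrError(f"truncated XDR at offset {off}")
    return struct.unpack_from(">I", buf, off)[0], off + 4

def decode_getattr_res(buf, off=0):
    """Decode one nfs_resop4 for GETATTR (RFC 7530 GETATTR4res) starting at off.
    Returns (status, bitmap_words, attr_vals, next_off)."""
    opcode, off = _u32(buf, off)
    if opcode != OP_GETATTR:
        raise XdrError(f"expected opcode {OP_GETATTR}, got {opcode}")
    status, off = _u32(buf, off)
    if status != NFS4_OK:           # GETATTR4res carries no body on error
        return status, [], b"", off
    nwords, off = _u32(buf, off)    # bitmap4 is uint32_t<>: count, then words
    words = []
    for _ in range(nwords):
        w, off = _u32(buf, off)
        words.append(w)
    alen, off = _u32(buf, off)      # attrlist4 is opaque<>: length, then bytes
    if nwords == 0 and alen != 0:
        raise XdrError(f"bitmap4 has 0 words but attrlist4 claims {alen} bytes: "
                       "the reply carries attributes that no bit requested")
    padded = (alen + 3) & ~3        # opaque data is padded to a 4-byte boundary
    if off + padded > len(buf):
        raise XdrError(f"attrlist4 length {alen} overruns the {len(buf)}-byte buffer")
    return status, words, buf[off:off + alen], off + padded

def diagnose(buf):
    """None if the reply decodes cleanly, otherwise a description of the defect."""
    try:
        decode_getattr_res(buf)
    except XdrError as e:
        return str(e)
    return None

# Constructed sample: GETATTR for CHANGE (bit 3) and SIZE (bit 4), two uint64 values.
ATTR_VALS = struct.pack(">QQ", 7, 4096)
GOOD_REPLY = (struct.pack(">IIIII", OP_GETATTR, NFS4_OK, 2, 0x18, 0)
              + struct.pack(">I", len(ATTR_VALS)) + ATTR_VALS)
# Same bytes with the bitmap count zeroed, the shape described in the report.
BOGUS_REPLY = (struct.pack(">IIIII", OP_GETATTR, NFS4_OK, 0, 0x18, 0)
               + struct.pack(">I", len(ATTR_VALS)) + ATTR_VALS)

if __name__ == "__main__":
    print("good :", diagnose(GOOD_REPLY))
    print("bogus:", diagnose(BOGUS_REPLY))
```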