[nfsv4] knfsd related bug reported to FreeBSD (again)
Rick Macklem <rick.macklem@gmail.com> Sat, 14 December 2024 00:50 UTC
From: Rick Macklem <rick.macklem@gmail.com>
Date: Fri, 13 Dec 2024 16:50:22 -0800
Message-ID: <CAM5tNy7NjGihi1UtwNso0WjH21vjnndfK4o5Tbhfc4C3pVHd4w@mail.gmail.com>
To: NFSv4 <nfsv4@ietf.org>, J David <j.david.lists@gmail.com>
Subject: [nfsv4] knfsd related bug reported to FreeBSD (again)
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/yVe13RMd9VyMgoqdz7W83duYnb0>
Hi,

The attached pcap file shows that the knfsd server generates bogus XDR
for the reply to a GETATTR that follows a READDIR operation.

More specifically, if you look at the pcap file in wireshark and go to
packet#22 and then click on the operations and then "Opcode: GETATTR (9)",
the start of the XDR for the GETATTR will be highlighted in the hexadecimal
window. Now, if you look at what follows (in the hexadecimal window), you'll
see that the GETATTR reply looks like:

- GETATTR (9)
- NFS4_OK (0)
- Length of bitmap (0) <-- Not (2)
- 2 words of attribute bitmap
- 98 (length of attributes in hex)
- attribute values

Everything looks ok, except the number of bitmap words is 0 and not 2.
Since the knfsd does not do this normally, I'd guess it is some sort of
runaway pointer or use after free type bug that causes this, maybe?
So far, it only appears to happen when the GETATTR follows a READDIR
operation.

This was reported to me for a FreeBSD client mounting the following:

Debian 12 w/kernel:
$ uname -r
6.1.0-25-amd64

> - what type of file system it exports
ZFS:
$ dpkg -l | fgrep libzfs4linux
ii  libzfs4linux  2.1.11-1  amd64

I suspect that ZFS exports are not common for the Linux knfsd?

Anyhow, I am not sure if you have seen such a problem before, but I
thought I would at least report it. (I have cc'd the reporter, in case
you have questions for him.)

rick

ps: If the pcap file does not make it through the mailing list, email
me and I'll send you a copy.
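The following is an added example, not code from the message, from knfsd or from FreeBSD. It decodes one GETATTR4res (opcode, status, bitmap4, attr_vals, as laid out in RFC 7531) and checks the bitmap length word against the bytes that follow, which is the inconsistency the message describes. The sample replies, their bitmap words and the 0x98 attribute bytes are constructed placeholders and are not values from the pcap; the "retry with 1..3 bitmap words" step reproduces by code what the wireshark reading above did by hand.

```python
"""Decode one NFSv4 GETATTR4res and check its bitmap4 length against what
follows: a length word of 0 followed by two bitmap words and 0x98 bytes of
attribute values, the shape described in the report."""
import struct

OP_GETATTR = 9
NFS4_OK = 0


class XdrError(ValueError):
    pass


class XdrReader:
    """Minimal big-endian XDR reader (u32 and variable-length opaque)."""

    def __init__(self, data):
        self.data = data
        self.pos = 0

    def remaining(self):
        return len(self.data) - self.pos

    def u32(self):
        if self.remaining() < 4:
            raise XdrError("truncated at offset %d" % self.pos)
        (value,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return value

    def opaque(self):
        length = self.u32()
        padded = (length + 3) & ~3            # XDR pads opaque data to 4 bytes
        if self.remaining() < padded:
            raise XdrError("opaque length %d exceeds the %d bytes remaining"
                           % (length, self.remaining()))
        value = self.data[self.pos:self.pos + length]
        self.pos += padded
        return value


def decode_getattr4res(data, bitmap_words=None):
    """Decode a single GETATTR4res per RFC 7531.  `data` must hold exactly one
    GETATTR4res, i.e. the op already sliced out of its COMPOUND4res.  When
    `bitmap_words` is given, the on-wire bitmap length is ignored and that
    many words are read instead (used to test the "2 words, not 0" reading)."""
    r = XdrReader(data)
    opcode = r.u32()
    if opcode != OP_GETATTR:
        raise XdrError("opcode %d is not GETATTR" % opcode)
    status = r.u32()
    if status != NFS4_OK:
        # GETATTR4res is a union: a non-OK status carries no attributes at all
        if r.remaining():
            raise XdrError("%d trailing bytes after non-OK status" % r.remaining())
        return {"status": status, "bitmap_len": None, "bitmap": [], "attr_vals": b""}
    wire_len = r.u32()
    nwords = wire_len if bitmap_words is None else bitmap_words
    bitmap = [r.u32() for _ in range(nwords)]
    attr_vals = r.opaque()
    if r.remaining():
        raise XdrError("%d trailing bytes after attr_vals" % r.remaining())
    if not any(bitmap) and attr_vals:
        raise XdrError("empty bitmap but %d bytes of attr_vals" % len(attr_vals))
    return {"status": status, "bitmap_len": wire_len, "bitmap": bitmap,
            "attr_vals": attr_vals}


def diagnose_getattr_reply(data):
    """Strict decode first.  If that fails and the wire says NFS4_OK with an
    empty bitmap, retry assuming 1..3 bitmap words and report which count
    makes the reply parse cleanly (None if none does)."""
    try:
        return {"ok": True, "error": None, "assumed_words": None,
                "reply": decode_getattr4res(data)}
    except XdrError as exc:
        strict_error = str(exc)
    result = {"ok": False, "error": strict_error, "assumed_words": None, "reply": None}
    if len(data) >= 12 and struct.unpack_from(">II", data, 4) == (NFS4_OK, 0):
        for n in (1, 2, 3):
            try:
                result["reply"] = decode_getattr4res(data, bitmap_words=n)
            except XdrError:
                continue
            result["assumed_words"] = n
            break
    return result


# Constructed sample replies: bitmap words and attribute bytes are placeholders,
# not values taken from the pcap mentioned in the report.
BITMAP = [0x0010011A, 0x00B0A23A]
ATTRS = bytes(range(0x98))                    # 0x98 = 152 bytes of attribute values


def build_reply(bitmap_len_word):
    return (struct.pack(">III", OP_GETATTR, NFS4_OK, bitmap_len_word)
            + struct.pack(">II", *BITMAP)
            + struct.pack(">I", len(ATTRS)) + ATTRS)


GOOD_REPLY = build_reply(2)   # what the server should send
BAD_REPLY = build_reply(0)    # the shape described in the report

if __name__ == "__main__":
    for name, reply in (("good", GOOD_REPLY), ("bad", BAD_REPLY)):
        print(name, diagnose_getattr_reply(reply))
```

A strict decoder that trusts the length word reads the first bitmap word as the attr_vals length and fails with an oversized opaque; the retry step then shows that the bytes only parse cleanly when two bitmap words are assumed, which is the conclusion drawn from the hex window above.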