Bug #5440

bad free at checkauth+0x1a2()

Added by Marcel Telka almost 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: High
Assignee:
Category: nfs - NFS server and client
Start date: 2014-12-17
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

panic[cpu10]/thread=ffffff2682975c40:
vmem_hash_delete(ffffff25d6c0d000, ffffff0118d878b0, 8359543808): bad free

vpanic()
vmem_hash_delete+0x9b(ffffff25d6c0d000, ffffff0118d878b0, 1f2448400)
vmem_xfree+0x4b(ffffff25d6c0d000, ffffff0118d878b0, 1f2448400)
vmem_free+0x23(ffffff25d6c0d000, ffffff0118d878b0, 1f2448400)
kmem_free+0x128(ffffff0118d878b0, 1f2448400)
checkauth+0x1a2(ffffff267c912100, ffffff0118d87ca0, ffffff26966ae2b0, 1, 0, ffffff0118d87bb4)
common_dispatch+0x28d(ffffff0118d87ca0, ffffff267d077400, 2, 4, fffffffff85a1016, ffffffffc020e060)
rfs_dispatch+0x2d(ffffff0118d87ca0, ffffff267d077400)
svc_getreq+0x1c1(ffffff267d077400, ffffff262b011460)
svc_run+0xe0(ffffff2693b1f918)
svc_do_run+0x8e(1)
nfssys+0xf1(e, fdba0fbc)
_sys_sysenter_post_swapgs+0x149()

Root cause:

There is an assumption in the checkauth() implementation that the nfsauth_access() call will always initialize both ngids and gids. This is almost always true with one exception (line 1138):

1133    if (i >= exi->exi_export.ex_seccnt) {
1134        /*
1135         * Flavor not found, but use AUTH_NONE if it exists
1136         */
1137        if (authnone_entry == -1)
1138            return (NFSAUTH_DENIED);
1139        flavor = AUTH_NONE;
1140        mapaccess = NFSAUTH_MAPNONE;
1141        i = authnone_entry;
1142    }

In this case nfsauth_access() returns with both ngids and gids uninitialized.
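
The pattern described in the root cause, modelled in user space as an added example that is not part of the original report or the illumos source. access_unsafe(), access_safe(), release_is_sane() and the poison values are hypothetical names; the poison values are constructed stand-ins for uninitialized stack contents, and the hardened form shown is one common remedy, not necessarily the committed fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

enum { ACCESS_DENIED = 0, ACCESS_RW = 1 };
#define	POISON_CNT	0xdeadbeefU	/* constructed stand-in for stack garbage */
static gid_t poison_area[1];		/* its address is the poison pointer */

typedef int (*access_fn)(int, int, unsigned int *, gid_t **);

/* Model of the excerpt: the denied path returns before writing the outputs. */
static int access_unsafe(int flavor_found, int authnone_entry,
    unsigned int *ngids, gid_t **gids)
{
	if (!flavor_found && authnone_entry == -1)
		return (ACCESS_DENIED);	/* *ngids and *gids left untouched */
	*ngids = 2;
	*gids = calloc(*ngids, sizeof (gid_t));
	return (ACCESS_RW);
}

/* Hardened form: the outputs are defined before any return can happen. */
static int access_safe(int flavor_found, int authnone_entry,
    unsigned int *ngids, gid_t **gids)
{
	*ngids = 0;
	*gids = NULL;
	return (access_unsafe(flavor_found, authnone_entry, ngids, gids));
}

/* Caller that releases the group list after the call; 0 means garbage. */
static int release_is_sane(access_fn fn, int flavor_found, int authnone_entry)
{
	unsigned int ngids = POISON_CNT;
	gid_t *gids = poison_area;

	(void) fn(flavor_found, authnone_entry, &ngids, &gids);
	if (gids == poison_area || ngids == POISON_CNT)
		return (0);	/* in the report this pair reached kmem_free() */
	free(gids);		/* free(NULL) is a no-op on the denied path */
	return (1);
}

int main(void)
{
	printf("unsafe, denied: %d\n", release_is_sane(access_unsafe, 0, -1));
	printf("safe, denied:   %d\n", release_is_sane(access_safe, 0, -1));
	return (0);
}
```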


Related issues

Related to illumos gate - Feature #5296: Support for more than 16 groups with AUTH_SYS (Closed, Marcel Telka, 2014-11-07)

#1

Updated by Marcel Telka almost 6 years ago

  • Status changed from In Progress to Pending RTI
#2

Updated by Electric Monk almost 6 years ago

  • Status changed from Pending RTI to Closed
  • % Done changed from 0 to 100

git commit 9e835c7628dd0e7764a8341a1774a878dc0b024f

commit  9e835c7628dd0e7764a8341a1774a878dc0b024f
Author: Marcel Telka <marcel.telka@nexenta.com>
Date:   2014-12-17T16:25:16.000Z

    5440 bad free at checkauth+0x1a2()
    Reviewed by: Jan Kryl <jan.kryl@nexenta.com>
    Reviewed by: Josef 'Jeff' Sipek <josef.sipek@nexenta.com>
    Reviewed by: Jason King <jason.brian.king@gmail.com>
    Approved by: Dan McDonald <danmcd@omniti.com>
