Bug #5440

bad free at checkauth+0x1a2()

Added by Marcel Telka about 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: High
Assignee:
Category: nfs - NFS server and client
Start date: 2014-12-17
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:
Description

panic[cpu10]/thread=ffffff2682975c40:
vmem_hash_delete(ffffff25d6c0d000, ffffff0118d878b0, 8359543808): bad free

vpanic()
vmem_hash_delete+0x9b(ffffff25d6c0d000, ffffff0118d878b0, 1f2448400)
vmem_xfree+0x4b(ffffff25d6c0d000, ffffff0118d878b0, 1f2448400)
vmem_free+0x23(ffffff25d6c0d000, ffffff0118d878b0, 1f2448400)
kmem_free+0x128(ffffff0118d878b0, 1f2448400)
checkauth+0x1a2(ffffff267c912100, ffffff0118d87ca0, ffffff26966ae2b0, 1, 0, ffffff0118d87bb4)
common_dispatch+0x28d(ffffff0118d87ca0, ffffff267d077400, 2, 4, fffffffff85a1016, ffffffffc020e060)
rfs_dispatch+0x2d(ffffff0118d87ca0, ffffff267d077400)
svc_getreq+0x1c1(ffffff267d077400, ffffff262b011460)
svc_run+0xe0(ffffff2693b1f918)
svc_do_run+0x8e(1)
nfssys+0xf1(e, fdba0fbc)
_sys_sysenter_post_swapgs+0x149()

Root cause:

The checkauth() implementation assumes that the nfsauth_access() call always initializes both ngids and gids. This is almost always true, with one exception (line 1138):

1133    if (i >= exi->exi_export.ex_seccnt) {
1134        /*
1135         * Flavor not found, but use AUTH_NONE if it exists
1136         */
1137        if (authnone_entry == -1)
1138            return (NFSAUTH_DENIED);
1139        flavor = AUTH_NONE;
1140        mapaccess = NFSAUTH_MAPNONE;
1141        i = authnone_entry;
1142    }

In this case nfsauth_access() returns with both ngids and gids left uninitialized, and checkauth() then passes those stale values to kmem_free(), which is the bad free reported in the panic above.
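Added example, not code from the illumos tree: a userland model of the bug shape described above, using constructed names and values (access_uninit_on_deny, access_init_on_deny, caller_would_bad_free, the export security list and the auth result codes are all assumptions). It contrasts a callee whose "flavor not found" path returns before the out-parameters are written with a hardened callee that defines both at entry, and runs each under a caller shaped like checkauth() that frees gids after the call.

```c
#include <stdlib.h>
#include <stdint.h>
#include <sys/types.h>
#define NFSAUTH_DENIED	(-1)	/* constructed stand-ins for the auth codes */
#define NFSAUTH_RW	4
/* Constructed export security list: AUTH_SYS (flavor 1) only, no AUTH_NONE. */
static const int ex_sec[] = { 1 };
#define EX_SECCNT	(sizeof (ex_sec) / sizeof (ex_sec[0]))

/* Shape of the bug: an unknown flavor with no AUTH_NONE fallback returns
 * NFSAUTH_DENIED before ngids and gids are ever written. */
int
access_uninit_on_deny(int flavor, unsigned int *ngids, gid_t **gids)
{
	size_t i;
	for (i = 0; i < EX_SECCNT; i++)
		if (ex_sec[i] == flavor)
			break;
	if (i >= EX_SECCNT)
		return (NFSAUTH_DENIED);	/* *ngids and *gids untouched */
	*ngids = 2;				/* constructed group list */
	if ((*gids = malloc(*ngids * sizeof (gid_t))) == NULL)
		return (NFSAUTH_DENIED);
	(*gids)[0] = 10; (*gids)[1] = 100;
	return (NFSAUTH_RW);
}

/* Hardened shape: define both out-parameters before any return path. */
int
access_init_on_deny(int flavor, unsigned int *ngids, gid_t **gids)
{
	*ngids = 0; *gids = NULL;
	return (access_uninit_on_deny(flavor, ngids, gids));
}

/* Mirrors the checkauth() caller, which frees gids after the call. Returns 1
 * if that free would use a pointer the callee never set (stale stack content
 * is modelled with a sentinel), 0 otherwise. */
int
caller_would_bad_free(int (*fn)(int, unsigned int *, gid_t **), int flavor)
{
	gid_t *sentinel = (gid_t *)(uintptr_t)0xdead0000, *gids = sentinel;
	unsigned int ngids = 0xdead;
	(void) fn(flavor, &ngids, &gids);
	if (gids == sentinel)
		return (1);	/* kmem_free(garbage, garbage): vmem "bad free" */
	free(gids);		/* free(NULL) is a no-op on the denied path */
	return (0);
}
```

Calling caller_would_bad_free() with an unknown flavor reports 1 for the first callee and 0 for the hardened one; a known flavor is safe with both.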


Related issues

Related to illumos gate - Feature #5296: Support for more than 16 groups with AUTH_SYS (Closed, Marcel Telka, 2014-11-07)