
usercopy exposure attempt detected in LL_IOC_LOV_GETSTRIPE ioctl

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • Lustre 2.14.0, Lustre 2.12.5
    • Upstream
    • None
    • CentOS 7.6.1810, starting with kernel 3.10.0-957
    • 3
    • 9223372036854775807

    Description

      Software like darshan is still using the old `ioctl` way to gather striping info for a file.

      The kernel BUG is easily triggered on a non-PFL striped file, using:

      lum->lmm_magic = LOV_USER_MAGIC;
      lum->lmm_stripe_count = LOV_MAX_STRIPE_COUNT;
      

      Any `lmm_stripe_count` greater than the actual file's stripe count will trigger the bug.

      On the kernel side, the issue appears to be in `lov_getstripe`: with a positive `lum_size` (line 409), `lmm_size` is set to `lum_size` (line 442) even if `lmm_magic != LOV_MAGIC_COMP_V1` (line 414), whereas the structure is only as big as `lmmk_size`:

      404         if (lum.lmm_magic == LOV_USER_MAGIC_V1 ||
      405             lum.lmm_magic == LOV_USER_MAGIC_V3)
      406                 lum_size = lov_user_md_size(lum.lmm_stripe_count,
      407                                             lum.lmm_magic);
      408 
      409         if (lum_size != 0) {
      410                 struct lov_mds_md *comp_md = lmmk;
      411 
      412                 /* Legacy app (ADIO for instance) treats the layout as V1/V3
      413                  * blindly, we'd return a reasonable V1/V3 for them. */
      414                 if (lmmk->lmm_magic == LOV_MAGIC_COMP_V1) {
      [...]
      439                 }
      440 
      441                 lmm = comp_md;
      442                 lmm_size = lum_size;
      443         } else {
      444                 lmm = lmmk;
      445                 lmm_size = lmmk_size;
      446         }
      447         /**
      448          * User specified limited buffer size, usually the buffer is
      449          * from ll_lov_setstripe(), and the buffer can only hold basic
      450          * layout template info.
      451          */
      452         if (size == 0 || size > lmm_size)
      453                 size = lmm_size;
      454         if (copy_to_user(lump, lmm, size))
      455                 GOTO(out_free, rc = -EFAULT);
      

      Please find as attachment the kernel trace and a reproducer, to be invoked as:

      $ gcc reproducer.c -o reproducer -W -Wall --pedantic
      $ ./reproducer <file_path>
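
      The bounds logic described in the excerpt, as an added example that is not part of this issue or of Lustre's code: a reduced C model of the `lum_size`/`lmmk_size` decision at lines 442 to 453, beside a clamped variant and a copy routine that refuses a source over-read the way a hardened usercopy check does. The struct layouts, the `DEMO_MAX_STRIPE_COUNT` value, the magic-free sizing helper and the assumption that the caller sized its buffer to `lum_size` are all constructed for this example; the clamped variant shows the principle only and is not the text of the merged patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced stand-ins for the Lustre layout structures (constructed for this
 * example; only their sizes matter to the bounds logic being modelled). */
struct ost_entry {
	uint64_t object_id;
	uint32_t ost_gen;
	uint32_t ost_idx;
};

struct user_md {
	uint32_t magic;
	uint32_t pattern;
	uint32_t stripe_size;
	uint16_t stripe_count;
	uint16_t stripe_offset;
	struct ost_entry objects[];   /* stripe_count entries follow the header */
};

/* Constructed stand-in for LOV_MAX_STRIPE_COUNT; any value larger than the
 * file's real stripe count shows the same behaviour. */
#define DEMO_MAX_STRIPE_COUNT 2000
#define DEMO_MAX_BYTES (sizeof(struct user_md) + DEMO_MAX_STRIPE_COUNT * sizeof(struct ost_entry))

/* Bytes needed for a V1-style layout with stripe_count entries: the role
 * lov_user_md_size() plays when lum_size is computed from the caller's
 * lmm_stripe_count at lines 404-407 of the excerpt. */
static size_t user_md_size(uint16_t stripe_count)
{
	return sizeof(struct user_md) + (size_t)stripe_count * sizeof(struct ost_entry);
}

/* Mirrors lines 442-453: the copy length is derived from lum_size, which came
 * straight from the caller, while the kernel object behind lmm is only
 * lmmk_size bytes. Asking for more stripes than the file has therefore
 * yields a length that runs past the real object. */
static size_t copy_len_unbounded(size_t user_buf_size, size_t lum_size, size_t lmmk_size)
{
	size_t lmm_size = lum_size != 0 ? lum_size : lmmk_size;
	size_t size = user_buf_size;

	if (size == 0 || size > lmm_size)
		size = lmm_size;
	return size;
}

/* Clamped variant: whatever the caller claimed, never return more than the
 * object the kernel actually holds. Same spirit as a fix, not its text. */
static size_t copy_len_bounded(size_t user_buf_size, size_t lum_size, size_t lmmk_size)
{
	size_t lmm_size = lum_size != 0 ? lum_size : lmmk_size;
	size_t size = user_buf_size;

	if (lmm_size > lmmk_size)
		lmm_size = lmmk_size;
	if (size == 0 || size > lmm_size)
		size = lmm_size;
	return size;
}

/* Model of copy_to_user() under hardened usercopy: a copy that would read
 * beyond the source object is refused instead of performed, which is what
 * the kernel reports as a "usercopy exposure attempt". 0 on success, -1 if refused. */
static int checked_copy_to_user(void *dst, const void *src, size_t n, size_t src_obj_size)
{
	if (n > src_obj_size)
		return -1;
	memcpy(dst, src, n);
	return 0;
}

/* Runs both paths for a file striped over file_stripes OSTs and a caller that
 * claims req_stripes (and sized its buffer accordingly; an assumption of this
 * example). Returns 1 when the unbounded length is refused by the usercopy
 * check while the clamped length copies cleanly, 0 otherwise. */
static int demo(uint16_t file_stripes, uint16_t req_stripes)
{
	size_t lmmk_size = user_md_size(file_stripes);  /* real kernel-side layout */
	size_t lum_size = user_md_size(req_stripes);    /* what the caller asked for */
	size_t user_buf_size = lum_size;
	unsigned char kernel_obj[DEMO_MAX_BYTES];
	unsigned char user_buf[DEMO_MAX_BYTES];
	size_t n_unbounded, n_bounded;
	int rc_unbounded, rc_bounded;

	memset(kernel_obj, 0xAB, lmmk_size);   /* only lmmk_size bytes are "the object" */

	n_unbounded = copy_len_unbounded(user_buf_size, lum_size, lmmk_size);
	n_bounded = copy_len_bounded(user_buf_size, lum_size, lmmk_size);
	rc_unbounded = checked_copy_to_user(user_buf, kernel_obj, n_unbounded, lmmk_size);
	rc_bounded = checked_copy_to_user(user_buf, kernel_obj, n_bounded, lmmk_size);

	printf("file stripes=%u requested=%u: unbounded wants %zu of a %zu-byte object (%s), "
	       "clamped copies %zu (%s)\n",
	       (unsigned)file_stripes, (unsigned)req_stripes, n_unbounded, lmmk_size,
	       rc_unbounded ? "refused" : "ok", n_bounded, rc_bounded ? "refused" : "ok");

	return rc_unbounded == -1 && rc_bounded == 0;
}

int main(void)
{
	demo(2, 2);                      /* honest request: both paths copy the same length */
	demo(2, DEMO_MAX_STRIPE_COUNT);  /* oversized request: only the clamped path survives */
	return 0;
}
```

      The second `demo` call reproduces the shape of the report: the file holds two stripes, the caller claims the maximum, and the unclamped length exceeds the kernel object, which a hardened usercopy check turns into a refused copy rather than a silent leak of adjacent kernel memory.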
      

          Activity

            [LU-12580] usercopy exposure attempt detected in LL_IOC_LOV_GETSTRIPE ioctl
            adilger Andreas Dilger made changes -
            Link New: This issue is related to LU-14316 [ LU-14316 ]
            adilger Andreas Dilger made changes -
            Link New: This issue is duplicated by LU-13596 [ LU-13596 ]
            pjones Peter Jones made changes -
            Link Original: This issue is related to JFC-17 [ JFC-17 ]
            pjones Peter Jones made changes -
            Link New: This issue is related to JFC-20 [ JFC-20 ]
            pjones Peter Jones made changes -
            Labels Original: LTS12
            pjones Peter Jones made changes -
            Fix Version/s New: Lustre 2.12.5 [ 14696 ]

            Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/38051/
            Subject: LU-12580 lov: fix out of bound usercopy
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set:
            Commit: d4dd52a3a1dea9e6117512889837e245fb983556

            Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/38050/
            Subject: LU-12580 lov: fix typo in lov_comp_md_size
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set:
            Commit: 13dc723aea39c60d8ed128a312fba1520921c792

            Minh Diep (mdiep@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/38051
            Subject: LU-12580 lov: fix out of bound usercopy
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set: 1
            Commit: b47ff3cd33984e72fc2f59032ad8147074628d28

            Minh Diep (mdiep@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/38050
            Subject: LU-12580 lov: fix typo in lov_comp_md_size
            Project: fs/lustre-release
            Branch: b2_12
            Current Patch Set: 1
            Commit: 865177bca926efd4f69d4dcaa74624054a2a5aaf

            People

              Assignee: mgrossi Marco Grossi (Inactive)
              Reporter: mgrossi Marco Grossi (Inactive)
              Votes: 0
              Watchers: 6
