In the latest version of the Lustre file system, the ptlrpc module has a buffer overflow because specific fields of packets sent by the client are not validated. A client can overwrite up to 0xffffffff bytes past the buffer, which may lead to remote code execution.
The kernel panic:
In tgt_brw_write(), the length obtained from req_capsule_get_size() is not checked before it is passed to tgt_shortio2pages(). In tgt_shortio2pages(), the memcpy length is selected with a '?:' expression, and len is a signed int: a negative len passes the 'len < size' comparison, but memcpy takes its length as an unsigned value, so -1 is converted to 0xffffffff (if the value is converted to a 64-bit size_t rather than an unsigned int, it is larger still). Either way the copy runs far past the end of the destination buffer.
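The signed/unsigned mismatch described above, as an added illustration rather than code from Lustre: the function names, the page size and the payload below are constructed stand-ins for the pattern in tgt_shortio2pages(), not the project's actual code. vulnerable_copy_len() reproduces the '?:' clamp with a signed len and returns the size memcpy would be handed (it does not perform the copy, since that would crash); on a 64-bit host the int -1 becomes SIZE_MAX, and with a 32-bit unsigned type it would be 0xffffffff. validate_len() shows the check the server needs: reject negative lengths before any unsigned conversion and bound the copy by both the destination and the source sizes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Lustre's tgt_brw_write()/tgt_shortio2pages().
 * Names, sizes and payloads are assumptions made for the illustration. */

#define PAGE_BYTES 4096   /* assumed destination page size */

/* Mirrors the reported pattern: a signed 'len' taken from the request, a
 * '?:' clamp against 'size', and the result handed to memcpy's unsigned
 * length parameter. A negative len passes 'len < size' and then becomes a
 * huge unsigned value. Returns the byte count memcpy would receive instead
 * of performing the copy. */
static size_t vulnerable_copy_len(int len, int size)
{
    int n = (len < size) ? len : size;   /* signed compare: -1 < 4096 is true */
    return (size_t)n;                    /* implicit conversion at the memcpy call */
}

/* Hardened check: reject negative lengths before any unsigned conversion and
 * bound the copy by both the destination page and the source buffer.
 * Returns false when the request must be rejected. */
static bool validate_len(int len, size_t dst_size, size_t src_size, size_t *out)
{
    if (len < 0)                        /* request field must be non-negative */
        return false;
    if ((size_t)len > dst_size)         /* must fit the destination page */
        return false;
    if ((size_t)len > src_size)         /* and must not read past the request */
        return false;
    *out = (size_t)len;
    return true;
}

/* Server-side consumer: copies 'len' bytes from the client buffer into the
 * page only after validation. Returns bytes copied, or -1 when rejected. */
static long shortio_copy(unsigned char *page, size_t page_size,
                         const unsigned char *src, size_t src_size, int len)
{
    size_t n;

    if (!validate_len(len, page_size, src_size, &n))
        return -1;
    memcpy(page, src, n);
    return (long)n;
}

/* Runs the hardened path against a constructed page and client payload. */
static long demo_hardened(int len)
{
    static unsigned char page[PAGE_BYTES];
    static const unsigned char client_buf[64] = "constructed short-io payload";

    return shortio_copy(page, sizeof page, client_buf, sizeof client_buf, len);
}

int main(void)
{
    printf("len=-1 vulnerable: memcpy would be asked for %zu bytes\n",
           vulnerable_copy_len(-1, PAGE_BYTES));
    printf("len=-1 hardened: %ld\n", demo_hardened(-1));
    printf("len=28 hardened: %ld\n", demo_hardened(28));
    printf("len=8192 hardened: %ld\n", demo_hardened(8192));
    return 0;
}
```

The decisive line is the comparison type: as long as len is compared as a signed int, any clamp against size is useless for negative values, so the fix belongs before the conversion, not after it.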