Details
- Type: Bug
- Resolution: Fixed
- Priority: Critical
- Version: Lustre 2.13.0
Description
In the latest version of the Lustre file system, the ptlrpc module has a buffer overflow bug because specific fields of packets sent by a client are not validated.
The kernel panic:
[ 607.979453] Call Trace:
[ 607.981190] [<ffffffffc0a76199>] ? +0xd19/0x2960 [ptlrpc]
[ 607.983385] [<ffffffffc0b1f02a>] tgt_request_handle+0x67a/0x15c0 [ptlrpc]
[ 607.985484] [<ffffffffc0710fa7>] ? libcfs_debug_msg+0x57/0x80 [libcfs]
[ 607.987581] [<ffffffffc0ac288e>] ptlrpc_server_handle_request+0x24e/0xab0 [ptlrpc]
[ 607.989741] [<ffffffffabacbadb>] ? __wake_up_common+0x5b/0x90
[ 607.991741] [<ffffffffc0ac6384>] ptlrpc_main+0xbb4/0x20f0 [ptlrpc]
[ 607.993731] [<ffffffffabad08c0>] ? finish_task_switch+0x50/0x1c0
[ 607.995760] [<ffffffffc0ac57d0>] ? ptlrpc_register_service+0xfa0/0xfa0 [ptlrpc]
[ 607.997834] [<ffffffffabac1c71>] kthread+0xd1/0xe0
[ 607.999655] [<ffffffffabac1ba0>] ? insert_kthread_work+0x40/0x40
[ 608.001584] [<ffffffffac175c1d>] ret_from_fork_nospec_begin+0x7/0x21
[ 608.003533] [<ffffffffabac1ba0>] ? insert_kthread_work+0x40/0x40
The function target_handle_connect() does not check the value of size when a client connects to the server. If size is -1, min() returns -1. But the third parameter of memcpy is unsigned int, so -1 is converted to 0xffffffff, causing a buffer overflow.
    size = req_capsule_get_size(&req->rq_pill, &RMF_CONNECT_DATA, RCL_CLIENT);
    memcpy(tmpdata, data, min(tmpsize, size));
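The signed-to-unsigned conversion described above, as an added C example that is not Lustre's code: unchecked_copy_len() computes (without copying) the length the min()+memcpy idiom hands to memcpy when the client-supplied size is -1, and checked_copy() shows the range check a request handler should apply before copying. TMPSIZE, the buffers and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the connect-data buffer size in the report;
 * TMPSIZE is hypothetical, not Lustre's real structure size. */
#define TMPSIZE 16
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* The length that `memcpy(tmpdata, data, min(tmpsize, size))` receives.
 * Both operands are int, so min(16, -1) is -1; converting that to memcpy's
 * size_t parameter yields SIZE_MAX, i.e. a copy far past both buffers.
 * This function only computes the length; it performs no copy. */
size_t unchecked_copy_len(int tmpsize, int size)
{
	return (size_t)MIN(tmpsize, size);
}

/* Hardened variant: reject any client-supplied size outside [0, tmpsize]
 * before it can reach memcpy. Returns bytes copied, or -1 on rejection. */
long checked_copy(void *tmpdata, size_t tmpsize, const void *data, int size)
{
	if (size < 0 || (size_t)size > tmpsize)
		return -1;
	memcpy(tmpdata, data, (size_t)size);
	return size;
}

/* Exercise both paths on constructed buffers; returns the number of
 * expectations met (3 when the behaviour matches the comments above). */
int run_demo(void)
{
	char src[TMPSIZE * 2], dst[TMPSIZE];
	int ok = 0;

	memset(src, 'A', sizeof(src));
	memset(dst, 0, sizeof(dst));

	/* 1: a wire size of -1 becomes SIZE_MAX for memcpy */
	if (unchecked_copy_len(TMPSIZE, -1) == SIZE_MAX)
		ok++;
	/* 2: a negative size is rejected and nothing is written */
	if (checked_copy(dst, sizeof(dst), src, -1) == -1 && dst[0] == 0)
		ok++;
	/* 3: an oversized size is rejected; an in-range size is copied */
	if (checked_copy(dst, sizeof(dst), src, TMPSIZE + 1) == -1 &&
	    checked_copy(dst, sizeof(dst), src, 8) == 8 && dst[7] == 'A')
		ok++;
	return ok;
}
```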
Issue Links
- is related to:
  - LU-12590 Lustre lustre_msg_hdr_size_v2() bug (Resolved)
  - LU-12600 Lustre tgt_brw_write() bug (Resolved)
  - LU-12602 Lustre mdt_getxattr_pack_reply() bug (Resolved)
  - LU-12603 Lustre ldlm_request_cancel() bug (Resolved)
  - LU-12604 Lustre mdt_file_secctx_unpack() bug (Resolved)
  - LU-12612 Lustre osd_bufs_get() bug (Resolved)
  - LU-12613 Lustre lustre_msg_string() bug (Resolved)
  - LU-12615 Lustre mdt_object_remote() bug (Resolved)