Uploaded image for project: 'Lustre'
  1. Lustre
  2. LU-12605

Lustre target_handle_connect() bug

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: Lustre 2.13.0
    • Fix Version/s: Lustre 2.13.0, Lustre 2.12.3
    • Labels:
      None
    • Severity:
      3
    • Rank (Obsolete):
      9223372036854775807

      Description

      In the latest version of lustre file system, ptlrpc module has a buffer overflow bug due to the lack of validation for specific fields of packets sent by client.

      The kenrel panic:

      [  607.979453] Call Trace:
      [  607.981190]  [<ffffffffc0a76199>] ? +0xd19/0x2960 [ptlrpc]
      [  607.983385]  [<ffffffffc0b1f02a>] tgt_request_handle+0x67a/0x15c0 [ptlrpc]
      [  607.985484]  [<ffffffffc0710fa7>] ? libcfs_debug_msg+0x57/0x80 [libcfs]
      [  607.987581]  [<ffffffffc0ac288e>] ptlrpc_server_handle_request+0x24e/0xab0 [ptlrpc]
      [  607.989741]  [<ffffffffabacbadb>] ? __wake_up_common+0x5b/0x90
      [  607.991741]  [<ffffffffc0ac6384>] ptlrpc_main+0xbb4/0x20f0 [ptlrpc]
      [  607.993731]  [<ffffffffabad08c0>] ? finish_task_switch+0x50/0x1c0
      [  607.995760]  [<ffffffffc0ac57d0>] ? ptlrpc_register_service+0xfa0/0xfa0 [ptlrpc]
      [  607.997834]  [<ffffffffabac1c71>] kthread+0xd1/0xe0
      [  607.999655]  [<ffffffffabac1ba0>] ? insert_kthread_work+0x40/0x40
      [  608.001584]  [<ffffffffac175c1d>] ret_from_fork_nospec_begin+0x7/0x21
      [  608.003533]  [<ffffffffabac1ba0>] ? insert_kthread_work+0x40/0x40
      

      The function target_handle_connect() don't check the value of size when client connect to server. If size is -1, the min function will return -1. But the third parameter of memcpy is unsigned int, -1 will be parsed into 0xffffffff, causing a buffer overflow.

      size = req_capsule_get_size(&req->rq_pill, &RMF_CONNECT_DATA,
                                          RCL_CLIENT);
      memcpy(tmpdata, data, min(tmpsize, size));
      

       

       

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                emoly.liu Emoly Liu
                Reporter:
                yunye.ry Alibaba Cloud
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: