Details
-
Bug
-
Resolution: Fixed
-
Critical
-
None
-
None
-
3
-
9223372036854775807
Description
In the latest version of lustre file system, ptlrpc module has a out-of-access bug due to the lack of validation for specific fields of packets sent by client.
The kernel panic:
[ 926.531595] BUG: unable to handle kernel paging request at 000000001ebe8010 [ 926.533844] IP: [<ffffffffc0826783>] lu_context_key_get+0x13/0x30 [obdclass] [ 926.536063] PGD 8000000424360067 PUD 42865d067 PMD 0 [ 926.538060] Oops: 0000 [#1] SMP [ 926.539857] Modules linked in: ofd(OE) ost(OE) osp(OE) mdd(OE) lod(OE) mdt(OE) lfsck(OE) mgs(OE) osd_ldiskfs(OE) lquota(OE) ldiskfs(OE) loop lustre(OE) obdecho(OE) mgc(OE) lov(OE) mdc(OE) osc(OE) lmv(OE) fid(OE) fld(OE) ptlrpc(OE) obdclass(OE) crc_t10dif crct10dif_generic ksocklnd(OE) lnet(OE) libcfs(OE) dm_flakey dm_mod nfit libnvdimm iosf_mbi crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul ppdev glue_helper ablk_helper cryptd virtio_balloon joydev parport_pc parport i2c_piix4 pcspkr ip_tables ext4 mbcache jbd2 ata_generic pata_acpi virtio_net virtio_console virtio_blk cirrus drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm crct10dif_pclmul crct10dif_common drm ata_piix libata crc32c_intel serio_raw virtio_pci virtio_ring virtio drm_panel_orientation_quirks floppy [ 926.558093] CPU: 2 PID: 3308 Comm: ll_ost_io00_002 Kdump: loaded Tainted: G OE ------------ 3.10.0-957.10.1.el7_lustre.x86_64 #1 [ 926.562313] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 3288b3c 04/01/2014 [ 926.564575] task: ffff8911ac64b0c0 ti: ffff8911847ec000 task.ti: ffff8911847ec000 [ 926.566820] RIP: 0010:[<ffffffffc0826783>] [<ffffffffc0826783>] lu_context_key_get+0x13/0x30 [obdclass] [ 926.569301] RSP: 0018:ffff8911847ef9e8 EFLAGS: 00010246 [ 926.571339] RAX: 0000000000000016 RBX: 0000000000039594 RCX: 000000000000021d [ 926.573536] RDX: 000000000000021d RSI: ffffffffc0f9f180 RDI: 000000001ebe8000 [ 926.575719] RBP: ffff8911847efa38 R08: ffff891184040000 R09: 0000000000000001 [ 926.577890] R10: 0000000000000001 R11: ffff89118cbdc1a0 R12: 0000000000000000 [ 926.580035] R13: ffff891189a48a00 R14: 0000000000000000 R15: ffff891184040000 [ 926.582180] FS: 0000000000000000(0000) GS:ffff8911bfd00000(0000) knlGS:0000000000000000 [ 926.584424] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 926.586446] CR2: 000000001ebe8010 CR3: 00000004287fe000 CR4: 00000000003606e0 [ 926.588588] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 926.590725] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 926.592836] Call Trace: [ 926.594522] [<ffffffffc0f71cc3>] ? osd_bufs_get+0x203/0x800 [osd_ldiskfs] [ 926.596608] [<ffffffffc1376af2>] ? ofd_preprw+0x422/0x1160 [ofd] [ 926.598618] [<ffffffffc0696394>] ? cfs_trace_unlock_tcd+0x34/0x90 [libcfs] [ 926.600681] [<ffffffffa2966e92>] ? mutex_lock+0x12/0x2f [ 926.602572] [<ffffffffc069cfa7>] ? libcfs_debug_msg+0x57/0x80 [libcfs] [ 926.604578] [<ffffffffa22cbadb>] ? __wake_up_common+0x5b/0x90 [ 926.606557] [<ffffffffc0a73384>] ? ptlrpc_main+0xbb4/0x20f0 [ptlrpc] [ 926.608575] [<ffffffffc0a727d0>] ? ptlrpc_register_service+0xfa0/0xfa0 [ptlrpc] [ 926.610621] [<ffffffffa22c1ba0>] ? insert_kthread_work+0x40/0x40 [ 926.612531] Code: 00 04 00 e8 f0 67 e7 ff 48 c7 c7 00 aa 88 c0 e8 c4 00 e7 ff 0f 1f 40 00 0f 1f 44 00 00 48 63 46 20 48 3b 34 c5 a0 30 8b c0 75 09 <48> 8b 57 10 48 8b 04 c2 c3 55 48 89 e5 e8 aa f9 02 00 90 66 2e [ 926.618057] RIP [<ffffffffc0826783>] lu_context_key_get+0x13/0x30 [obdclass] [ 926.620212] RSP <ffff8911847ef9e8> [ 926.621918] CR2: 000000001ebe8010
In function osd_bufs_get() of osd_ldiskfs module, there is no check about the value len, which is derived from the Nio buffer section of the packet sent by client, and cause a out-of-access bug in osd_map_remote_to_local() function.
static int osd_bufs_get(const struct lu_env *env, struct dt_object *dt, loff_t pos, ssize_t len, struct niobuf_local *lnb, enum dt_bufs_type rw) { : osd_map_remote_to_local(pos, len, &npages, lnb); : }
Attachments
Issue Links
- is related to
-
-
- Resolved
-