[LU-1853] 'out-of-bounds access' error in osd_scrub_setup() - Whamcloud Community JIRA

Details

Type: Technical task
Resolution: Won't Fix
Priority: Major
Fix Version/s: None
Affects Version/s: Lustre 2.4.0
Labels:
- build
- coverity

Rank (Obsolete):
6334

Description

In osd_scrub_setup(), id variable is of type 'struct osd_inode_id *' (size 8). But then this variable is passed to __osd_oi_lookup(), and in this function, it is passed to osd_oi_iam_lookup(), which casts it to a 'struct dt_rec *'. Then it is passed to osd_fid_unpack() by casting it to 'struct lu_fid *'. And at last, inside this function, a memcpy() is performed considering the variable is of type 'struct lu_fid *', which is of size 16.
So we are accessing memory beyond what was allocated for that variable.

I do not know how to fix this issue, as it is quite complex.

Attachments

Activity

[LU-1853] 'out-of-bounds access' error in osd_scrub_setup()

nasf (Inactive) added a comment - 19/Oct/12 2:25 AM

It will not cause issues under current use mode.

nasf (Inactive) added a comment - 19/Oct/12 2:25 AM It will not cause issues under current use mode.

nasf (Inactive) added a comment - 11/Oct/12 9:33 PM

Yes, there are some dead codes in IAM, not only for this, but also for LVAR part. But nobody knows whether they will be re-used in the future or not, so these codes keep there since the beginning.

nasf (Inactive) added a comment - 11/Oct/12 9:33 PM Yes, there are some dead codes in IAM, not only for this, but also for LVAR part. But nobody knows whether they will be re-used in the future or not, so these codes keep there since the beginning.

Sebastien Buisson (Inactive) added a comment - 11/Oct/12 2:54 AM

OK I understand.
So maybe in that case, it would be better to remove this 'dead' branch, right?

Sebastien Buisson (Inactive) added a comment - 11/Oct/12 2:54 AM OK I understand. So maybe in that case, it would be better to remove this 'dead' branch, right?

nasf (Inactive) added a comment - 10/Oct/12 10:55 PM

Originally, the IAM was designed not only for index file, such as OI files, and quota files, but also for storing directory under Lustre namespace. But the later use case is not valid since Lustre-2.0, that means the "if (S_ISDIR(oi->oi_inode->i_mode))" branch will not be trigger anymore in current 2.x code. So I think there will not be out-of-bounds" issues in IAM according to current use cases.

nasf (Inactive) added a comment - 10/Oct/12 10:55 PM Originally, the IAM was designed not only for index file, such as OI files, and quota files, but also for storing directory under Lustre namespace. But the later use case is not valid since Lustre-2.0, that means the "if (S_ISDIR(oi->oi_inode->i_mode))" branch will not be trigger anymore in current 2.x code. So I think there will not be out-of-bounds" issues in IAM according to current use cases.

Sebastien Buisson (Inactive) added a comment - 10/Oct/12 10:33 AM

Hi Yong Fan,

This issue was found by the static code analysis tool named Coverity.

According to your analysis, osd_fid_unpack() will not be called because the condition above will evaluate to false. But maybe there is another call path leading to the issue described here?

Sebastien.

Sebastien Buisson (Inactive) added a comment - 10/Oct/12 10:33 AM Hi Yong Fan, This issue was found by the static code analysis tool named Coverity. According to your analysis, osd_fid_unpack() will not be called because the condition above will evaluate to false. But maybe there is another call path leading to the issue described here? Sebastien.

nasf (Inactive) added a comment - 08/Oct/12 11:01 AM - edited

static int osd_oi_iam_lookup(struct osd_thread_info *oti,
                             struct osd_oi *oi, struct dt_rec *rec,
                             const struct dt_key *key)
{
...
        rc = iam_it_get(it, (struct iam_key *)key);
        if (rc >= 0) {
                if (S_ISDIR(oi->oi_inode->i_mode))
                        iam_rec = (struct iam_rec *)oti->oti_ldp;
                else
                        iam_rec = (struct iam_rec *)rec;
                
                iam_reccpy(&it->ii_path.ip_leaf, (struct iam_rec *)iam_rec);
===>                if (S_ISDIR(oi->oi_inode->i_mode))
                        osd_fid_unpack((struct lu_fid *)rec,
                                       (struct osd_fid_pack *)iam_rec);
        }               
...
}

In this case, the IAM container is an OI index file, which is NOT directory, so the branch for "if (S_ISDIR(oi->oi_inode->i_mode))" in above code section will be skipped for the call trace: osd_scrub_setup() => __osd_oi_lookup() => osd_oi_iam_lookup(). So the OI scrub should not trigger "out-of-bounds access" error.

Sebastien, have you hit such failure during any test? or thought there may be potential issues by analyzing code?

nasf (Inactive) added a comment - 08/Oct/12 11:01 AM - edited static int osd_oi_iam_lookup(struct osd_thread_info *oti, struct osd_oi *oi, struct dt_rec *rec, const struct dt_key *key) { ... rc = iam_it_get(it, (struct iam_key *)key); if (rc >= 0) { if (S_ISDIR(oi->oi_inode->i_mode)) iam_rec = (struct iam_rec *)oti->oti_ldp; else iam_rec = (struct iam_rec *)rec; iam_reccpy(&it->ii_path.ip_leaf, (struct iam_rec *)iam_rec); ===> if (S_ISDIR(oi->oi_inode->i_mode)) osd_fid_unpack((struct lu_fid *)rec, (struct osd_fid_pack *)iam_rec); } ... } In this case, the IAM container is an OI index file, which is NOT directory, so the branch for "if (S_ISDIR(oi->oi_inode->i_mode))" in above code section will be skipped for the call trace: osd_scrub_setup() => __osd_oi_lookup() => osd_oi_iam_lookup(). So the OI scrub should not trigger "out-of-bounds access" error. Sebastien, have you hit such failure during any test? or thought there may be potential issues by analyzing code?

People

Assignee:: nasf (Inactive)

Reporter:: Sebastien Buisson (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 07/Sep/12 4:07 AM

Updated:: 04/Oct/13 7:59 PM

Resolved:: 19/Oct/12 2:25 AM