Lustre / LU-4984

Integer overflow in LL_IOC_HSM_REQUEST handler


Details

    • Bug
    • Resolution: Fixed
    • Critical
    • Lustre 2.6.0
    • Lustre 2.5.0, Lustre 2.6.0
    • 3
    • 13804

    Description

      There's an integer overflow in the LL_IOC_HSM_REQUEST handler:

              case LL_IOC_HSM_REQUEST: {
                      struct hsm_user_request *hur;
                      int                      totalsize;
      
                      OBD_ALLOC_PTR(hur);
                      if (hur == NULL)
                              RETURN(-ENOMEM);
      
                      /* We don't know the true size yet; copy the fixed-size part */
                      if (copy_from_user(hur, (void *)arg, sizeof(*hur))) {
                              OBD_FREE_PTR(hur);
                              RETURN(-EFAULT);
                      }
      
                      /* Compute the whole struct size */
                      totalsize = hur_len(hur);
                      OBD_FREE_PTR(hur);
      
                      /* Make sure the size is reasonable */
                      if (totalsize >= MDS_MAXREQSIZE)
                              RETURN(-E2BIG);
      

      Instead of checking totalsize, which is computed after the multiplication and is already subject to overflow, we must first ensure that hur->hur_request.hr_itemcount is safe.
      Then it's safe to call hur_len.
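
An added illustration (not code from the Lustre tree or from this ticket) of why a check on the already-multiplied size can be bypassed, next to a version that bounds hr_itemcount first. The struct layouts, the DEMO_MAXREQSIZE value and the function names are assumptions made to keep the example self-contained; the narrowing to 32 bits models what an `int totalsize` retains.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions): the real Lustre layouts differ. */
struct demo_item { uint64_t fid[2], offset, length; };          /* 32 bytes */
struct demo_hur {
	struct { uint32_t hr_itemcount, hr_data_len; } hur_request; /* fixed part */
	struct demo_item hur_user_item[];                           /* variable part */
};
#define DEMO_HDR        offsetof(struct demo_hur, hur_user_item)
#define DEMO_MAXREQSIZE (5u * 1024 * 1024) /* constructed; stands in for MDS_MAXREQSIZE */

/* Pattern from the report: multiply first, narrow to int, check afterwards. */
static int len_unchecked(uint32_t itemcount, uint32_t data_len)
{
	uint64_t n = DEMO_HDR + (uint64_t)itemcount * sizeof(struct demo_item) + data_len;
	return (int)(uint32_t)n; /* models an int totalsize: only the low 32 bits survive */
}

/* Would a "totalsize >= limit" test on that value let the request through? */
static int old_check_passes(uint32_t itemcount, uint32_t data_len)
{
	return !(len_unchecked(itemcount, data_len) >= (int)DEMO_MAXREQSIZE);
}

/* Bound hr_itemcount before multiplying; returns the total size or -E2BIG. */
static int len_checked(uint32_t itemcount, uint32_t data_len)
{
	const uint32_t max_items = (DEMO_MAXREQSIZE - DEMO_HDR) / sizeof(struct demo_item);
	uint32_t items;
	if (itemcount > max_items)
		return -E2BIG;
	items = itemcount * sizeof(struct demo_item); /* cannot wrap: itemcount <= max_items */
	if (data_len >= DEMO_MAXREQSIZE - DEMO_HDR - items)
		return -E2BIG;
	return (int)(DEMO_HDR + items + data_len);
}

int main(void)
{
	/* Constructed inputs: a normal request, a wrap to a small value, a wrap to negative. */
	const uint32_t counts[] = { 3, 0x08000000u, 0x04000000u };
	for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
		printf("%#x: unchecked=%d old_check_passes=%d checked=%d\n", counts[i],
		       len_unchecked(counts[i], 0), old_check_passes(counts[i], 0),
		       len_checked(counts[i], 0));
	return 0;
}
```

Both oversized counts produce a narrowed size that is below the limit (one small and positive, one negative), so only the count-first check rejects them.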

            People

              utopiabound Nathaniel Clark
              green Oleg Drokin