[LU-4984] Integer overflow in LL_IOC_HSM_REQUEST handler - Whamcloud Community JIRA

Details

Type: Bug
Resolution: Fixed
Priority: Critical
Fix Version/s: Lustre 2.6.0
Affects Version/s: Lustre 2.5.0, Lustre 2.6.0
Labels:
- mq115

Severity:
3
Rank (Obsolete):
13804

Description

There's an integer overflow in LL_IOC_HSM_REQUEST handler

        case LL_IOC_HSM_REQUEST: {
                struct hsm_user_request *hur;
                int                      totalsize;

                OBD_ALLOC_PTR(hur);
                if (hur == NULL)
                        RETURN(-ENOMEM);

                /* We don't know the true size yet; copy the fixed-size part */
                if (copy_from_user(hur, (void *)arg, sizeof(*hur))) {
                        OBD_FREE_PTR(hur);
                        RETURN(-EFAULT);
                }

                /* Compute the whole struct size */
                totalsize = hur_len(hur);
                OBD_FREE_PTR(hur);

                /* Make sure the size is reasonable */
                if (totalsize >= MDS_MAXREQSIZE)
                        RETURN(-E2BIG);

Instead of checking totalsize which is past multiplication and is subject to overflow already, what we must do is we must ensure hur->hur_request.hr_itemcount is safe first.
Then it's safe to call hur_len

Attachments

Issue Links

is related to

LU-5323 memory leak in lfs_hsm_request()

Closed

Activity

[LU-4984] Integer overflow in LL_IOC_HSM_REQUEST handler

Oleg Drokin added a comment - 10/Jul/14 6:24 PM

The leak is in a short-lived lfs tool, not any sort of a library that can for extended periods of time, so I don't see this is a very important leak (still a bug, of course).

Please open a separate ticket about it so that it's not forgotten.

Oleg Drokin added a comment - 10/Jul/14 6:24 PM The leak is in a short-lived lfs tool, not any sort of a library that can for extended periods of time, so I don't see this is a very important leak (still a bug, of course). Please open a separate ticket about it so that it's not forgotten.

Frank Zago (Inactive) added a comment - 01/Jul/14 3:26 PM

The committed patch still has the memory leak mentioned here: http://review.whamcloud.com/#/c/10615/5/lustre/utils/lfs.c,cm

Frank Zago (Inactive) added a comment - 01/Jul/14 3:26 PM The committed patch still has the memory leak mentioned here: http://review.whamcloud.com/#/c/10615/5/lustre/utils/lfs.c,cm

Peter Jones added a comment - 01/Jul/14 2:53 PM

Landed for 2.6

Peter Jones added a comment - 01/Jul/14 2:53 PM Landed for 2.6

Nathaniel Clark added a comment - 05/Jun/14 8:09 PM

http://review.whamcloud.com/10615

Nathaniel Clark added a comment - 05/Jun/14 8:09 PM http://review.whamcloud.com/10615

Andreas Dilger added a comment - 05/Jun/14 6:27 PM

John,
is there any chance you would have time to look at this?

Andreas Dilger added a comment - 05/Jun/14 6:27 PM John, is there any chance you would have time to look at this?

Andreas Dilger added a comment - 30/Apr/14 5:24 PM

John, I suspect we should also annotate some of these fields with __user as well, could you please comment.

Andreas Dilger added a comment - 30/Apr/14 5:24 PM John, I suspect we should also annotate some of these fields with __user as well, could you please comment.

Jodi Levi (Inactive) added a comment - 30/Apr/14 5:24 PM

James,
Could you please take this one?
Thank you!

Jodi Levi (Inactive) added a comment - 30/Apr/14 5:24 PM James, Could you please take this one? Thank you!

People

Assignee:: Nathaniel Clark

Reporter:: Oleg Drokin

Votes:: 0 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 30/Apr/14 3:36 AM

Updated:: 01/Dec/14 8:41 AM

Resolved:: 01/Jul/14 2:53 PM