Lustre / LU-5476

Buffer overflow in ll_fid2path


Details

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: Lustre 2.7.0
    • Affects Version/s: Lustre 2.5.0, Lustre 2.6.0, Lustre 2.4.2, Lustre 2.7.0
    • None
    • 3
    • 15272

    Description

      Reported by Dan Carpenter against upstream client:

      The patch d7e09d0397e8: "staging: add Lustre file system client
      support" from May 2, 2013, leads to the following static checker
      warning:

      drivers/staging/lustre/lustre/llite/file.c:1730 ll_fid2path()
      error: memcpy() 'gfout' too small

      drivers/staging/lustre/lustre/llite/file.c
      1719         if (copy_from_user(gfin, arg, sizeof(*gfin))) {
      1720                 OBD_FREE_PTR(gfin);
      1721                 return -EFAULT;
      1722         }
      1723
      1724         outsize = sizeof(*gfout) + gfin->gf_pathlen;

      outsize is an int.
      gfin->gf_pathlen is a u32 which comes from the user.
      The addition can overflow so outsize is less than sizeof(*gfout).

      1725         OBD_ALLOC(gfout, outsize);
      1726         if (gfout == NULL) {
      1727                 OBD_FREE_PTR(gfin);
      1728                 return -ENOMEM;
      1729         }
      1730         memcpy(gfout, gfin, sizeof(*gfout));

      It would lead to memory corruption here. Probably we should add
      something like:

      if (gfin->gf_pathlen > PATH_MAX)
              return -EINVAL;

      Is that the right limit here?

      1731         OBD_FREE_PTR(gfin);
      1732
      1733         /* Call mdc_iocontrol */
      1734         rc = obd_iocontrol(OBD_IOC_FID2PATH, exp, outsize, gfout, NULL);
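The arithmetic the report describes, and the length check it proposes, worked through in user-space C as an added example (this is not Lustre's own code and not part of the issue). The struct `fid2path_hdr` is a hypothetical stand-in for the kernel header that `gfout` points at; it keeps only a `gf_pathlen` field with the report's name plus filler so that `sizeof` is 24 bytes, and the real Lustre layout differs. `unchecked_outsize` reproduces the size computation from file.c:1724 (a `u32` from user space added to a `sizeof` and stored in an `int`), `checked_outsize` rejects `gf_pathlen > PATH_MAX` first as the report suggests, and `fid2path_prepare` models the allocate-then-copy sequence at lines 1725-1730 with that check in place. The length `0xFFFFFFF0` is a constructed test value.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms whose <limits.h> lacks it */
#endif

/* Hypothetical stand-in for the kernel's fid2path header (not the real
 * Lustre struct): two 64-bit and two 32-bit fields, so sizeof == 24,
 * followed by the variable-length path the caller sizes via gf_pathlen. */
struct fid2path_hdr {
    uint64_t gf_fid;      /* placeholder, stands in for the FID fields */
    uint64_t gf_recno;
    uint32_t gf_linkno;
    uint32_t gf_pathlen;  /* u32 taken verbatim from user space */
    char     gf_path[];   /* C99 flexible array member, adds nothing to sizeof */
};

/* Mirrors file.c:1724: sizeof(*gfout) + gfin->gf_pathlen stored in an int.
 * The sum is computed as size_t and then truncated to 32 bits on store; the
 * explicit (uint32_t) cast makes that truncation well-defined here. For a
 * gf_pathlen close to UINT32_MAX the result is smaller than sizeof(*gfout). */
int unchecked_outsize(uint32_t gf_pathlen)
{
    int outsize = (int)(uint32_t)(sizeof(struct fid2path_hdr) + gf_pathlen);
    return outsize;
}

/* The check the report proposes: reject any length a real path could never
 * need before doing arithmetic with it. Returns 0 and stores the size, or a
 * negative errno. With gf_pathlen bounded by PATH_MAX the addition cannot
 * wrap, so *outsize is always >= sizeof(struct fid2path_hdr). */
int checked_outsize(uint32_t gf_pathlen, size_t *outsize)
{
    if (gf_pathlen > PATH_MAX)
        return -EINVAL;
    *outsize = sizeof(struct fid2path_hdr) + gf_pathlen;
    return 0;
}

/* Models lines 1725-1730 with the check in place: allocate outsize bytes,
 * then copy the fixed header into the allocation. Returns the allocated
 * size (so a caller can confirm it covers the memcpy) or a negative errno. */
long fid2path_prepare(const struct fid2path_hdr *gfin, struct fid2path_hdr **gfout)
{
    size_t outsize;
    int rc = checked_outsize(gfin->gf_pathlen, &outsize);
    if (rc)
        return rc;
    *gfout = calloc(1, outsize);
    if (*gfout == NULL)
        return -ENOMEM;
    memcpy(*gfout, gfin, sizeof(**gfout));  /* header fits: outsize >= sizeof */
    return (long)outsize;
}

int main(void)
{
    uint32_t bad_len = 0xFFFFFFF0u;  /* constructed hostile length */
    size_t sz;

    printf("sizeof(struct fid2path_hdr) = %zu\n", sizeof(struct fid2path_hdr));
    printf("unchecked outsize for 0x%x = %d (smaller than the header)\n",
           bad_len, unchecked_outsize(bad_len));
    printf("checked_outsize(0x%x) = %d (-EINVAL)\n", bad_len,
           checked_outsize(bad_len, &sz));
    if (checked_outsize(64, &sz) == 0)
        printf("checked_outsize(64) = %zu\n", sz);
    return 0;
}
```

Compile with `cc -std=c99 -Wall fid2path_check.c`; the unchecked path yields 8 for the constructed length, which is why the 24-byte `memcpy` at line 1730 would run past the allocation, while the checked path never reaches the allocation for that input.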

      People

            Assignee: WC Triage (wc-triage)
            Reporter: Oleg Drokin (green)
            Votes: 0
            Watchers: 3