  1. Lustre
  2. LU-7624

fld_proc_hash_seq_write accesses userspace pointer directly

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: Lustre 2.7.0, Lustre 2.5.3, Lustre 2.8.0
    • Fix Version/s: Lustre 2.8.0
    • Severity: 3

      Description

      In lustre/fld/lproc_fld.c we have this gem:

      static ssize_t
      fld_proc_hash_seq_write(struct file *file, const char __user *buffer,
                              size_t count, loff_t *off)
      {
      ...
                      if (!strncmp(fld_hash[i].fh_name, buffer, count)) {
                              hash = &fld_hash[i];
                              break;
                      }
      ...
      

      This is a bug and we cannot really access user pointers directly. The value first must be copied to a kernel buffer.

      This was introduced in 2006 by Yury, part of cmd3 bringup.
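
An added sketch (not from the ticket, and not the Lustre patch that resolved it) of the copy-then-compare pattern the description calls for. It is a userspace model so it compiles outside the kernel: `model_copy_from_user`, `hash_write_checked`, the 8-byte buffer and the sample table are assumptions, and in kernel code the real `copy_from_user()` takes the stand-in's place.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define __user /* sparse address-space annotation; empty outside the kernel */

/* Userspace stand-in for the kernel's copy_from_user(): returns the number
 * of bytes NOT copied. A NULL source models a faulting user address. */
static unsigned long model_copy_from_user(void *to, const void __user *from,
                                          unsigned long n)
{
        if (from == NULL)
                return n;
        memcpy(to, from, n);
        return 0;
}

struct hash_entry { const char *fh_name; };

/* Constructed sample table, standing in for fld_hash[]. */
static const struct hash_entry sample_hash[] = { { "DHT" }, { "RRB" } };
#define NR_HASH (sizeof(sample_hash) / sizeof(sample_hash[0]))

/* Returns the matched table index, or a negative errno. */
static ssize_t hash_write_checked(const char __user *buffer, size_t count)
{
        char name[8];   /* kernel-side copy; larger than any sample name */
        size_t i;

        if (count == 0 || count >= sizeof(name))
                return -EINVAL;         /* bound the copy before touching user memory */
        if (model_copy_from_user(name, buffer, count))
                return -EFAULT;         /* a bad user pointer becomes an error code */
        name[count] = '\0';
        if (name[count - 1] == '\n')    /* tolerate "echo NAME > file" */
                name[count - 1] = '\0';

        for (i = 0; i < NR_HASH; i++)   /* exact match, on the kernel copy only */
                if (strcmp(sample_hash[i].fh_name, name) == 0)
                        return (ssize_t)i;
        return -EINVAL;
}

int main(void)
{
        return hash_write_checked("RRB\n", 4) == 1 ? 0 : 1;
}
```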

              People

              • Assignee: bogl Bob Glossman (Inactive)
              • Reporter: green Oleg Drokin