Details
- Bug
- Resolution: Fixed
- Minor
- None
- 3
Description
With the stock 3.10 kernel, hai_dump_data_field overruns a stack buffer when cat'ing /proc/fs/lustre/.../hsm/actions if an action has some data in it.
On that kernel, these two snprintf calls:
    cnt = snprintf(buffer, 1, "%.2X", 54);
    cnt = snprintf(buffer, 2, "%.2X", 54);
will return 2 instead of 0 and 1 respectively. The strings generated are correct, with 0 and 1 characters followed by NUL, respectively.
The coordinator code calls hai_dump_data_field with 12 bytes in the buffer. The last byte is printed incompletely to make room for the terminating NUL. However, since that version of the kernel returns that 2 characters were written, when hai_dump_data_field writes the final NUL, it does so outside the reserved buffer, in the 13th byte. This stack buffer overrun hangs my VM.
This doesn't happen on CentOS 6.
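The off-by-one described above, as an added example that is not Lustre's code: a constructed hex dumper that advances by snprintf's "would have written" count (C99 semantics, the behaviour the reporter sees on 3.10) places its NUL at offset 12 of a 12-byte buffer, while the hardened version clamps the advance to the space that actually remains. The function names, the 6-byte sample payload and the scratch-buffer slack are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the buggy pattern: trusts the snprintf return value.
 * Returns the offset at which the terminating NUL is written. The caller
 * passes a scratch buffer with slack beyond `len` so the overrun is observed
 * as a value rather than as undefined behaviour. */
size_t naive_nul_offset(char *scratch, size_t len,
                        const unsigned char *data, size_t data_len)
{
    char *ptr = scratch;
    int sz = (int)len;
    for (size_t i = 0; i < data_len && sz > 0; i++) {
        int cnt = snprintf(ptr, (size_t)sz, "%.2X", data[i]);
        ptr += cnt;            /* C99: cnt may exceed the space that was left */
        sz -= cnt;
    }
    *ptr = '\0';               /* lands at scratch[len] when truncation occurred */
    return (size_t)(ptr - scratch);
}

/* Hardened version: never advance past what fits, and keep the last byte
 * for NUL regardless of what snprintf reports. Returns the string length. */
size_t hex_dump_safe(char *buf, size_t len,
                     const unsigned char *data, size_t data_len)
{
    size_t pos = 0;
    if (len == 0)
        return 0;
    for (size_t i = 0; i < data_len && pos < len - 1; i++) {
        int cnt = snprintf(buf + pos, len - pos, "%.2X", data[i]);
        if (cnt < 0)
            break;
        if ((size_t)cnt > len - 1 - pos)   /* output was truncated */
            cnt = (int)(len - 1 - pos);
        pos += (size_t)cnt;
    }
    buf[pos] = '\0';           /* always inside the buffer */
    return pos;
}

int main(void)
{
    const unsigned char data[6] = {0x01, 0x02, 0x03, 0x04, 0x05, 0xFA}; /* constructed */
    char scratch[32], out[12];
    printf("naive NUL offset for a 12-byte buffer: %zu\n",
           naive_nul_offset(scratch, 12, data, 6));
    hex_dump_safe(out, sizeof out, data, 6);
    printf("safe: \"%s\"\n", out);
    return 0;
}
```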