Details
- Bug
- Resolution: Fixed
- Blocker
- Lustre 2.0.0, Lustre 2.1.0, Lustre 2.2.0
- None
- 3
- 4737
Description
Trying to evict a client with a wrong but long (40+ character) nid results in a
stack corruption.
- cd /proc/fs/lustre/mdt/test-MDT0000/
- echo "nid:10.100.60.114@o2ib2_with_a_very_long_string" > evict_client
=> oops
crash> bt
PID: 39043  TASK: ffff88085bb3c380  CPU: 4  COMMAND: "bash"
 #0 [ffff880687cdbc10] machine_kexec at ffffffff8102e77b
 #1 [ffff880687cdbc70] crash_kexec at ffffffff810a6cd8
 #2 [ffff880687cdbd40] panic at ffffffff81466b1b
 #3 [ffff880687cdbdc0] __stack_chk_fail at ffffffff8105908b
 #4 [ffff880687cdbdd0] lprocfs_mdt_wr_evict_client at ffffffffa09b9b98
 #5 [ffff880687cdbe60] lprocfs_fops_write at ffffffffa0552512
 #6 [ffff880687cdbea0] proc_reg_write at ffffffff811bbc4e
 #7 [ffff880687cdbef0] vfs_write at ffffffff811583c8
 #8 [ffff880687cdbf30] sys_write at ffffffff81158e01
 #9 [ffff880687cdbf80] system_call_fastpath at ffffffff8100c172
    RIP: 00000037e2ad4210  RSP: 00007fff74745c28  RFLAGS: 00010202
    RAX: 0000000000000001  RBX: ffffffff8100c172  RCX: 000000000000006e
    RDX: 0000000000000017  RSI: 00002b50e34a6000  RDI: 0000000000000001
    RBP: 00002b50e34a6000   R8: 00000000ffffffff   R9: 0000000000000000
    R10: 00000000ffffffe9  R11: 0000000000000246  R12: 0000000000000017
    R13: 00000037e2d79780  R14: 0000000000000017  R15: 00000000012bd377
    ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b
The problem is located in the lprocfs_mdt_wr_evict_client routine, where the sscanf
copies 40 characters into tmpbuf and then adds '\0' (so 41 characters), while tmpbuf is
allocated with 'only' sizeof(struct obd_uuid) (=40) characters.
Replacing %40s with %39s will avoid this issue (I guess struct obd_uuid should be \0
terminated). Patch attached.
This problem also looks present in other places:
- lprocfs_mds_wr_evict_client
- lprocfs_mdt_wr_evict_client
- lprocfs_mdt_wr_mdc
- lprocfs_wr_evict_client
Thanks,
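The off-by-one described in the report comes from the rule that a `%<width>s` conversion stores `width` bytes plus a terminating NUL, so the width must be one less than the buffer size. The following C program, added here as an illustration and not the reporter's patch or Lustre code, shows the size check and a parser that derives the width from `sizeof` instead of hard-coding it. `struct obd_uuid_like`, `scan_width_fits`, `nid_scan_format` and `parse_nid` are hypothetical names, and the 40-byte layout is an assumption modelled on the `sizeof(struct obd_uuid)` value quoted in the report; the inputs are constructed from the `echo` commands above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Lustre's struct obd_uuid (assumed here to be a
 * 40-byte array that must stay NUL-terminated); not the project's definition. */
#define UUID_SIZE 40
struct obd_uuid_like {
    char uuid[UUID_SIZE];
};

/* A "%<width>s" conversion stores up to <width> bytes plus one terminating
 * NUL, so it fits only if width + 1 <= buflen. "%40s" into a 40-byte buffer
 * fails this check, which is the one-byte stack overrun the report describes
 * (caught here by __stack_chk_fail). */
int scan_width_fits(size_t width, size_t buflen)
{
    return width + 1 <= buflen;
}

/* Build the format "nid:%<buflen-1>s%n" at runtime so the width is derived
 * from the real buffer size instead of being hard-coded. Returns fmt. */
const char *nid_scan_format(char *fmt, size_t fmtlen, size_t buflen)
{
    snprintf(fmt, fmtlen, "nid:%%%zus%%n", buflen - 1);
    return fmt;
}

/* Corrected parser: returns 0 on success, -1 if the input is not "nid:<...>",
 * and -2 if the nid was longer than the buffer can hold (it is truncated
 * rather than overflowing; a caller should reject such input). */
int parse_nid(const char *input, struct obd_uuid_like *out)
{
    char fmt[32];
    int consumed = 0;

    memset(out, 0, sizeof(*out));
    nid_scan_format(fmt, sizeof fmt, sizeof out->uuid); /* "nid:%39s%n" */

    /* %n does not count as an assignment, so exactly one item is expected. */
    if (sscanf(input, fmt, out->uuid, &consumed) != 1)
        return -1;

    /* %39s stops after 39 non-space bytes. If the byte that follows is not
     * end-of-string or whitespace (echo appends '\n'), the nid did not fit. */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed]))
        return -2;

    return 0;
}

int main(void)
{
    /* Constructed inputs, modelled on the echo commands in the report. */
    const char *inputs[] = {
        "nid:10.100.60.114@o2ib2\n",
        "nid:10.100.60.114@o2ib2_with_a_very_long_string\n",
        "client:not-a-nid\n",
    };
    size_t i;

    printf("%%40s into 40 bytes fits: %d\n", scan_width_fits(40, UUID_SIZE));
    printf("%%39s into 40 bytes fits: %d\n", scan_width_fits(39, UUID_SIZE));

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct obd_uuid_like u;
        int rc = parse_nid(inputs[i], &u);
        printf("rc=%d uuid=\"%s\" (len %zu)\n", rc, u.uuid, strlen(u.uuid));
    }
    return 0;
}
```

Deriving the width from `sizeof` removes the class of mistake where the buffer and the format literal are edited separately; the `%n` check additionally turns an over-long nid into an explicit error instead of a silently truncated string.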
Attachments
Issue Links
- is related to: LU-945 Unverified user buffer access in lprocfs_wr_evict_client (Resolved)
- Trackbacks:
  - Changelog 2.1 Changes from version 2.1.1 to version 2.1.2 Server support for kernels: 2.6.18308.4.1.el5 (RHEL5) 2.6.32220.17.1.el6 (RHEL6) Client support for unpatched kernels: 2.6.18308.4.1.el5 (RHEL5) 2.6.32220.17.1....
  - Changelog 2.2 version 2.2.0 Support for networks: o2iblnd OFED 1.5.4 Server support for kernels: 2.6.32220.4.2.el6 (RHEL6) Client support for unpatched kernels: 2.6.18274.18.1.el5 (RHEL5) 2.6.32220.4.2.el6 (RHEL6) 2.6.32.360....