Lustre LU-985

buffer overflow resulting in stack corruption

Details

    • Bug
    • Resolution: Fixed
    • Blocker
    • Lustre 2.2.0, Lustre 2.1.2
    • Lustre 2.0.0, Lustre 2.1.0, Lustre 2.2.0
    • None
    • 3
    • 4737

    Description

      Trying to evict a client with a wrong but long (40+ characters) nid results in
      a stack corruption.

      1. cd /proc/fs/lustre/mdt/test-MDT0000/
      2. echo "nid:10.100.60.114@o2ib2_with_a_very_long_string" > evict_client
        => oops
       
      crash> bt
      PID: 39043  TASK: ffff88085bb3c380  CPU: 4   COMMAND: "bash"
       #0 [ffff880687cdbc10] machine_kexec at ffffffff8102e77b
       #1 [ffff880687cdbc70] crash_kexec at ffffffff810a6cd8
       #2 [ffff880687cdbd40] panic at ffffffff81466b1b
       #3 [ffff880687cdbdc0] __stack_chk_fail at ffffffff8105908b
       #4 [ffff880687cdbdd0] lprocfs_mdt_wr_evict_client at ffffffffa09b9b98
       #5 [ffff880687cdbe60] lprocfs_fops_write at ffffffffa0552512
       #6 [ffff880687cdbea0] proc_reg_write at ffffffff811bbc4e
       #7 [ffff880687cdbef0] vfs_write at ffffffff811583c8
       #8 [ffff880687cdbf30] sys_write at ffffffff81158e01
       #9 [ffff880687cdbf80] system_call_fastpath at ffffffff8100c172
          RIP: 00000037e2ad4210  RSP: 00007fff74745c28  RFLAGS: 00010202
          RAX: 0000000000000001  RBX: ffffffff8100c172  RCX: 000000000000006e
          RDX: 0000000000000017  RSI: 00002b50e34a6000  RDI: 0000000000000001
          RBP: 00002b50e34a6000   R8: 00000000ffffffff   R9: 0000000000000000
          R10: 00000000ffffffe9  R11: 0000000000000246  R12: 0000000000000017
          R13: 00000037e2d79780  R14: 0000000000000017  R15: 00000000012bd377
          ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b
      

      The problem is located in the lprocfs_mdt_wr_evict_client routine, where the sscanf
      copies 40 characters into tmpbuf and then adds '\0' (so 41 characters), while tmpbuf is
      allocated with 'only' sizeof(struct obd_uuid) (=40) characters.

      Replacing %40s by %39s will avoid this issue (I guess struct obd_uuid should be \0
      terminated). Patch attached.

      This problem also looks present in other places:

      • lprocfs_mds_wr_evict_client
      • lprocfs_mdt_wr_evict_client
      • lprocfs_mdt_wr_mdc
      • lprocfs_wr_evict_client

      Thanks,
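A stand-alone C model of the off-by-one described above, added here as an illustration; it is not Lustre code and not the attached patch. UUID_SIZE stands in for sizeof(struct obd_uuid) (40, as the report states), the evict_buf struct with its canary byte, the two function names and the sample inputs are all constructed for the demonstration. The fixed variant goes one step beyond the %39s change: it also rejects a NID longer than the width rather than silently truncating it to a different, shorter NID.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UUID_SIZE  40   /* stands in for sizeof(struct obd_uuid), 40 per the report (assumption) */
#define UUID_WIDTH 39   /* UUID_SIZE - 1: leaves room for the terminating NUL */
#define STR_(x) #x
#define STR(x) STR_(x)
#define CANARY 0x5a
/* Hypothetical layout: a canary byte right behind tmpbuf makes a one-byte overrun observable. */
struct evict_buf { char tmpbuf[UUID_SIZE]; char canary; };
/* Faulty pattern from the report: "%40s" stores up to 40 characters plus a NUL (41 bytes) into 40.
 * Returns 1 if the byte after tmpbuf was overwritten, 0 if not, -1 if the input did not parse. */
int evict_parse_vulnerable(const char *input, struct evict_buf *b)
{
    memset(b->tmpbuf, 0, sizeof b->tmpbuf);
    b->canary = CANARY;
    if (sscanf(input, "nid:%" STR(UUID_SIZE) "s", b->tmpbuf) != 1)
        return -1;
    return b->canary != CANARY;
}

/* Fixed pattern: width one less than the buffer, and a NID longer than the width is rejected
 * instead of silently truncated. Returns 0 on success, -1 on bad syntax, -2 if too long. */
int evict_parse_fixed(const char *input, struct evict_buf *b)
{
    int consumed = 0;
    memset(b->tmpbuf, 0, sizeof b->tmpbuf);
    b->canary = CANARY;
    if (sscanf(input, "nid:%" STR(UUID_WIDTH) "s%n", b->tmpbuf, &consumed) != 1)
        return -1;
    /* %s stops at whitespace or at the width; any other leftover byte means truncation */
    if (input[consumed] != '\0' && !isspace((unsigned char)input[consumed]))
        return -2;
    return 0;
}
/* Constructed inputs: the 43-character NID from the report and a valid short one. */
static const char NID_LONG[]  = "nid:10.100.60.114@o2ib2_with_a_very_long_string\n";
static const char NID_SHORT[] = "nid:10.100.60.114@o2ib2\n";

int main(void)
{
    struct evict_buf b;
    int rc = evict_parse_vulnerable(NID_LONG, &b);
    printf("vulnerable, long NID: canary clobbered=%d\n", rc);
    rc = evict_parse_fixed(NID_LONG, &b);
    printf("fixed, long NID: rc=%d canary intact=%d\n", rc, b.canary == CANARY);
    return 0;
}
```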

            People

              bobijam Zhenyu Xu
              louveta Alexandre Louvet (Inactive)