[LU-11108] mdt_getxattr() may clobber errors from mo_xattr_get() Created: 29/Jun/18 Updated: 24/Jul/18 Resolved: 24/Jul/18 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | Lustre 2.12.0 |
| Type: | Bug | Priority: | Minor |
| Reporter: | John Hammond | Assignee: | John Hammond |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | xattr | ||
| Severity: | 3 |
| Rank (Obsolete): | 9223372036854775807 |
| Description |
|
In mdt_getxattr() we have the following:
if (valid == OBD_MD_FLXATTR) {
const char *xattr_name = req_capsule_client_get(info->mti_pill,
&RMF_NAME);
rc = mo_xattr_get(info->mti_env, next, buf, xattr_name);
rc = mdt_nodemap_map_acl(info, buf->lb_buf, rc, xattr_name,
NODEMAP_FS_TO_CLIENT);
} ...
If rc is negative then when passed to the size_t size parameter of mdt_nodemap_map_acl() it becomes very large and may be replaced with -ERANGE. static int mdt_nodemap_map_acl(struct mdt_thread_info *info, void *buf, size_t size, const char *name, enum nodemap_tree_type tree_type) { struct lu_nodemap *nodemap; struct obd_export *exp = info->mti_exp; int rc = size; ENTRY; if (strcmp(name, XATTR_NAME_ACL_ACCESS) == 0 || strcmp(name, XATTR_NAME_ACL_DEFAULT) == 0) { if (size > info->mti_mdt->mdt_max_ea_size || (!exp_connect_large_acl(exp) && size > LUSTRE_POSIX_ACL_MAX_SIZE_OLD)) GOTO(out, rc = -ERANGE); nodemap = nodemap_get_from_exp(exp); if (IS_ERR(nodemap)) GOTO(out, rc = PTR_ERR(nodemap)); rc = nodemap_map_acl(nodemap, buf, size, tree_type); nodemap_putref(nodemap); if (rc < 0) GOTO(out, rc); } out: RETURN(rc); } I noticed this while looking at |
| Comments |
| Comment by John Hammond [ 02/Jul/18 ] |
|
Please see https://review.whamcloud.com/#/c/32743/. |
| Comment by Gerrit Updater [ 24/Jul/18 ] |
|
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/32743/ |
| Comment by Peter Jones [ 24/Jul/18 ] |
|
Landed for 2.12 |