[LU-12605] Lustre target_handle_connect() bug Created: 29/Jul/19 Updated: 12/Sep/19 Resolved: 27/Aug/19 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.13.0 |
| Fix Version/s: | Lustre 2.13.0, Lustre 2.12.3 |
| Type: | Bug | Priority: | Critical |
| Reporter: | Alibaba Cloud | Assignee: | Emoly Liu |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Issue Links: |
|
||||||||||||||||||||||||||||||||||||
| Severity: | 3 | ||||||||||||||||||||||||||||||||||||
| Rank (Obsolete): | 9223372036854775807 | ||||||||||||||||||||||||||||||||||||
| Description |
|
In the latest version of lustre file system, ptlrpc module has a buffer overflow bug due to the lack of validation for specific fields of packets sent by client. The kenrel panic: [ 607.979453] Call Trace: [ 607.981190] [<ffffffffc0a76199>] ? +0xd19/0x2960 [ptlrpc] [ 607.983385] [<ffffffffc0b1f02a>] tgt_request_handle+0x67a/0x15c0 [ptlrpc] [ 607.985484] [<ffffffffc0710fa7>] ? libcfs_debug_msg+0x57/0x80 [libcfs] [ 607.987581] [<ffffffffc0ac288e>] ptlrpc_server_handle_request+0x24e/0xab0 [ptlrpc] [ 607.989741] [<ffffffffabacbadb>] ? __wake_up_common+0x5b/0x90 [ 607.991741] [<ffffffffc0ac6384>] ptlrpc_main+0xbb4/0x20f0 [ptlrpc] [ 607.993731] [<ffffffffabad08c0>] ? finish_task_switch+0x50/0x1c0 [ 607.995760] [<ffffffffc0ac57d0>] ? ptlrpc_register_service+0xfa0/0xfa0 [ptlrpc] [ 607.997834] [<ffffffffabac1c71>] kthread+0xd1/0xe0 [ 607.999655] [<ffffffffabac1ba0>] ? insert_kthread_work+0x40/0x40 [ 608.001584] [<ffffffffac175c1d>] ret_from_fork_nospec_begin+0x7/0x21 [ 608.003533] [<ffffffffabac1ba0>] ? insert_kthread_work+0x40/0x40 The function target_handle_connect() don't check the value of size when client connect to server. If size is -1, the min function will return -1. But the third parameter of memcpy is unsigned int, -1 will be parsed into 0xffffffff, causing a buffer overflow.
size = req_capsule_get_size(&req->rq_pill, &RMF_CONNECT_DATA,
RCL_CLIENT);
memcpy(tmpdata, data, min(tmpsize, size));
|
| Comments |
| Comment by Peter Jones [ 31/Jul/19 ] |
|
Sébastien Could you please investigate Peter |
| Comment by Andreas Dilger [ 31/Jul/19 ] |
|
lustre_unpack_msg_v2() is what is touching the message buffer first, and is the right place to do sanity checking of the message buffers. While lustre_msg_buf_v2() is used in a lot of places to access various buffers internally, we don't necessarily want to do validity checking for every access throughout the code. Having a high-level scrub once at message receipt makes the most sense, and then the internal accessors can assume it is valid. Checks that should be added:
|
| Comment by Peter Jones [ 31/Jul/19 ] |
|
Emoly Actually can you please work on this one Thanks Peter |
| Comment by Andreas Dilger [ 01/Aug/19 ] |
|
Hello yunye.ry, please register for an account on Gerrit https://review.whamcloud.com/ so that you can be added as a reviewer for the patches that are being developed for the various issues that you have filed. Then you can verify that they are fixing the reported problems by adding your +1 to the patch (assuming it is correct). This will result in a "Reviewed-by: Your Name <your_email>" label on the final patch, and Alibaba will also be listed in the Lustre contribution statistics in Lustre presentations. |
| Comment by Alibaba Cloud [ 02/Aug/19 ] |
|
Ok, I will do it, thank you |
| Comment by Alibaba Cloud [ 02/Aug/19 ] |
|
Hi Andreas, |
| Comment by Peter Jones [ 02/Aug/19 ] |
|
Yes - as you are not part of the Whamcloud team you will need an account based on an OpenID identity. These kinds of questions are probably best handled via direct email rather than in JIRA (where anyone can read them) |
| Comment by Gerrit Updater [ 07/Aug/19 ] |
|
Emoly Liu (emoly@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/35711 |
| Comment by Gerrit Updater [ 27/Aug/19 ] |
|
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/35711/ |
| Comment by Peter Jones [ 27/Aug/19 ] |
|
Landed for 2.13 |
| Comment by Gerrit Updater [ 27/Aug/19 ] |
|
Minh Diep (mdiep@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/35935 |
| Comment by Gerrit Updater [ 12/Sep/19 ] |
|
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/35935/ |