[LU-12911] Setting a LOV EA can access or change outside allocated buffer Created: 28/Oct/19 Updated: 20/May/20 Resolved: 14/Feb/20 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | Lustre 2.14.0, Lustre 2.12.5 |
| Type: | Bug | Priority: | Minor |
| Reporter: | Neil Brown | Assignee: | Neil Brown |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Severity: | 3 | ||||||||
| Rank (Obsolete): | 9223372036854775807 | ||||||||
| Description |
|
The attribute passed to ll_setstripe_ea() is copied to a buffer allocated based on size information passed from userspace. But the contents of this attribute are analyzed and possibly changed (in ll_adjust_lum) before the size is validated. This can result in a warning from KASAN, and could result in memory corruption. The size should be validated before, or while, the attribute is examined.
|
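The ordering problem described above, as an added user-space C example that is not Lustre code or the patch from this ticket. The struct layout, the magic value and every `demo_*` name are hypothetical; the second size check (entries implied by the header) goes one step beyond the case in the description.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical attribute layout for this example; not Lustre's format. */
struct demo_lum {
    uint32_t magic;
    uint16_t stripe_count;   /* number of 4-byte entries after the header */
    uint16_t flags;
};
#define DEMO_MAGIC 0x4C554D31u  /* constructed value */

/* Stand-in for the "analyze and possibly change" step: reads and writes fields. */
static void demo_adjust(struct demo_lum *lum)
{
    if (lum->stripe_count == 0)
        lum->flags |= 1;
}

/* Unsafe ordering: fields are touched before size is compared to the header. */
int demo_set_ea_unchecked(const void *value, size_t size, struct demo_lum *out)
{
    struct demo_lum *lum = malloc(size);
    if (lum == NULL)
        return -ENOMEM;
    memcpy(lum, value, size);
    demo_adjust(lum);            /* out of bounds when size < sizeof(*lum) */
    if (size < sizeof(*lum)) { free(lum); return -EINVAL; }   /* too late */
    *out = *lum;
    free(lum);
    return 0;
}

/* Safe ordering: header size first, then the size implied by the header. */
int demo_set_ea(const void *value, size_t size, struct demo_lum *out)
{
    struct demo_lum hdr;

    if (value == NULL || size < sizeof(hdr))
        return -EINVAL;
    memcpy(&hdr, value, sizeof(hdr));
    if (hdr.magic != DEMO_MAGIC ||
        size < sizeof(hdr) + (size_t)hdr.stripe_count * sizeof(uint32_t))
        return -EINVAL;
    demo_adjust(&hdr);
    *out = hdr;
    return 0;
}
```

Building the unchecked variant with `-fsanitize=address` and passing it a size smaller than the header produces the user-space counterpart of the KASAN warning mentioned in the description.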
| Comments |
| Comment by Gerrit Updater [ 28/Oct/19 ] |
|
Neil Brown (neilb@suse.de) uploaded a new patch: https://review.whamcloud.com/36589 |
| Comment by Gerrit Updater [ 14/Feb/20 ] |
|
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/36589/ |
| Comment by Peter Jones [ 14/Feb/20 ] |
|
Landed for 2.14 |
| Comment by Gerrit Updater [ 30/Apr/20 ] |
|
Andreas Dilger (adilger@whamcloud.com) uploaded a new patch: https://review.whamcloud.com/38433 |
| Comment by Gerrit Updater [ 20/May/20 ] |
|
Oleg Drokin (green@whamcloud.com) merged in patch https://review.whamcloud.com/38433/ |