[LU-3048] lfs getstripe heap corruption with MOUNT_2=y Created: 27/Mar/13  Updated: 23/Apr/13  Resolved: 23/Apr/13

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.4.0
Fix Version/s: Lustre 2.4.0

Type: Bug Priority: Major
Reporter: John Hammond Assignee: John Hammond
Resolution: Fixed Votes: 0
Labels: lfs, liblustreapi

Issue Links:
Related
is related to LU-3046 lfs getstripe fails on files with bas... Resolved
Severity: 3
Rank (Obsolete): 7442

Description

To reproduce:

# MOUNT_2=y llmount.sh 
...
# cd /mnt/lustre
# lfs setstripe -c2 LOLWUT
# lfs getstripe LOLWUT
# lfs getstripe LOLWUT
LOLWUT
lmm_stripe_count:   2
lmm_stripe_size:    1048576
lmm_layout_gen:     0
lmm_stripe_offset:  0
	obdidx		 objid		 objid		 group
	     0	             1	          0x1	             0
	     1	             1	          0x1	             0

*** glibc detected *** lfs: free(): invalid next size (normal): 
...
# MALLOC_CHECK_=1 lfs getstripe LOLWUT
LOLWUT
lmm_stripe_count:   2
lmm_stripe_size:    1048576
lmm_layout_gen:     0
lmm_stripe_offset:  0
	obdidx		 objid		 objid		 group
	     0	             1	          0x1	             0
	     1	             1	          0x1	             0

*** glibc detected *** lfs: free(): invalid pointer: 0x0000000001d1f1a0 ***
*** glibc detected *** lfs: free(): invalid pointer: 0x0000000001d1f270 ***
# ls /proc/fs/lustre/llite/*/max_easize
/proc/fs/lustre/llite/lustre-ffff88015536fc00/max_easize
/proc/fs/lustre/llite/lustre-ffff880173af2800/max_easize
# cat /proc/fs/lustre/llite/*/max_easize
48
128

get_mds_md_size() may be reading the max_easize from the file corresponding to /mnt/lustre2, in which case it's allocating a 48 byte lum to receive the stripe info. Since this uses IOC_MDC_GETFILESTRIPE the kernel cannot infer the size of the userspace buffer, but it writes 128 bytes of stripe info. Hence the kernel in copy_to_user() is corrupting the heap.

liblustreapi could be fixed to locate the correct max_easize file. But this still leaves us with a TOCTTOU issue as the max_easize can change at any time from userspace's POV.
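To make the sizing flaw above concrete, here is an added C example (not Lustre's or liblustreapi's code) contrasting the mount-dependent sizing with worst-case sizing, plus a length-checked copy standing in for the ioctl's copy_to_user(). The lov_user_md byte sizes, LUM_MAX_STRIPES and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Assumed (not from the page) sizes of a lov_user_md_v1 header and of one
 * per-stripe lov_user_ost_data_v1 entry; used only to size buffers here. */
#define LUM_HDR_LEN     32
#define LUM_OBJ_LEN     24
#define LUM_MAX_STRIPES 160   /* assumed worst case for the hardened path */

/* Bytes the kernel writes for a file with this many stripes. */
size_t lum_size(size_t stripe_count)
{
    return LUM_HDR_LEN + stripe_count * LUM_OBJ_LEN;
}

/* Sizing as described in the issue: trust whichever llite max_easize file
 * the glob returned first, which may belong to a different mount. */
size_t buggy_lum_alloc(const size_t *max_easize, size_t nmounts)
{
    return nmounts ? max_easize[0] : 0;
}

/* Hardened sizing: IOC_MDC_GETFILESTRIPE cannot learn the user buffer
 * length and max_easize may change after it is read (TOCTTOU), so the
 * allocation must not depend on it: size for the worst case instead. */
size_t hardened_lum_alloc(void)
{
    return lum_size(LUM_MAX_STRIPES);
}

/* Stand-in for copy_to_user() with the check the real ioctl cannot make:
 * the destination length is known here, so an oversized EA is refused
 * rather than written past the end of the heap block. Returns bytes
 * copied, or 0 when the EA does not fit. */
size_t copy_stripe_info(unsigned char *dst, size_t dst_len,
                        const unsigned char *ea, size_t ea_len)
{
    if (dst == NULL || ea == NULL || ea_len > dst_len)
        return 0;
    memcpy(dst, ea, ea_len);
    return ea_len;
}
```

With the report's values (48-byte allocation, 128-byte EA) the checked copy refuses instead of overrunning; the worst-case allocation covers the EA regardless of which mount's max_easize was read.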



Comments
Comment by John Hammond [ 03/Apr/13 ]

Please see http://review.whamcloud.com/5934.

Comment by John Hammond [ 23/Apr/13 ]

Patch landed for 2.4.
