[LU-5476] Buffer overflow in ll_fid2path Created: 12/Aug/14  Updated: 15/Aug/14  Resolved: 15/Aug/14

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.5.0, Lustre 2.6.0, Lustre 2.4.2, Lustre 2.7.0
Fix Version/s: Lustre 2.7.0

Type: Bug Priority: Major
Reporter: Oleg Drokin Assignee: WC Triage
Resolution: Fixed Votes: 0
Labels: None

Severity: 3
Rank (Obsolete): 15272

 Description   

Reported by Dan Carpenter against upstream client:

The patch d7e09d0397e8: "staging: add Lustre file system client
support" from May 2, 2013, leads to the following static checker
warning:

drivers/staging/lustre/lustre/llite/file.c:1730 ll_fid2path()
error: memcpy() 'gfout' too small

drivers/staging/lustre/lustre/llite/file.c
1719 if (copy_from_user(gfin, arg, sizeof(*gfin)))

{ 1720 OBD_FREE_PTR(gfin); 1721 return -EFAULT; 1722 }

1723
1724 outsize = sizeof(*gfout) + gfin->gf_pathlen;

outsize is an int.
gfin->gf_pathlen is a u32 which comes from the user.
The addition can overflow so outsize is less than sizeof(*gfout).

1725 OBD_ALLOC(gfout, outsize);
1726 if (gfout == NULL)

{ 1727 OBD_FREE_PTR(gfin); 1728 return -ENOMEM; 1729 }

1730 memcpy(gfout, gfin, sizeof(*gfout));

It would lead to memory corruption here. Probably we should add
something like:

if (gfin->gf_pathlen > PATH_MAX)
return -EINVAL;

Is that the right limit here?

1731 OBD_FREE_PTR(gfin);
1732
1733 /* Call mdc_iocontrol */
1734 rc = obd_iocontrol(OBD_IOC_FID2PATH, exp, outsize, gfout, NULL);

 Comments   
Comment by Oleg Drokin [ 12/Aug/14 ]

Patch in http://review.whamcloud.com/11412

Comment by Patrick Farrell (Inactive) [ 13/Aug/14 ]

Since you're looking at fid2path problems, could you possibly take a look at LU-4239?

http://review.whamcloud.com/10717

Comment by Jodi Levi (Inactive) [ 15/Aug/14 ]

Patch landed to Master.

Generated at Sat Feb 10 01:51:49 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.