[LU-7624] fld_proc_hash_seq_write accesses userspace pointer directly Created: 03/Jan/16 Updated: 23/Sep/16 Resolved: 12/Jan/16 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | Lustre 2.7.0, Lustre 2.5.3, Lustre 2.8.0 |
| Fix Version/s: | Lustre 2.8.0 |
| Type: | Bug | Priority: | Critical |
| Reporter: | Oleg Drokin | Assignee: | Bob Glossman (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | easy |
| Severity: | 3 |
| Rank (Obsolete): | 9223372036854775807 |
| Description |
|
In lustre/fld/lproc_fld.c we have this gem:

    static ssize_t
    fld_proc_hash_seq_write(struct file *file, const char __user *buffer,
                            size_t count, loff_t *off)
    {
    ...
            if (!strncmp(fld_hash[i].fh_name, buffer, count)) {
                    hash = &fld_hash[i];
                    break;
            }
    ...

This is a bug and we cannot really access user pointers directly. The value first must be copied to a kernel buffer.

This was introduced in 2006 by Yury, part of cmd3 bringup. |
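The copy-then-compare pattern the description calls for, as an added example that is neither the ticket's code nor the merged Lustre patch: a userspace model in which `copy_from_user()` is a stand-in that only accepts addresses inside a constructed `user_mem` window. The `struct hash_entry` type, the `hash-a`/`hash-b` names, the 16-byte buffer, and the exact-match comparison after stripping a trailing newline are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

static char user_mem[32];  /* constructed stand-in for the user address range */

/* Model of copy_from_user(): returns the number of bytes NOT copied. */
static unsigned long copy_from_user(void *to, const void *from, unsigned long n)
{
	uintptr_t p = (uintptr_t)from, lo = (uintptr_t)user_mem;
	if (n > sizeof(user_mem) || p < lo || p - lo > sizeof(user_mem) - n)
		return n;               /* outside the user range: fault */
	memcpy(to, from, n);
	return 0;
}

struct hash_entry { const char *fh_name; };     /* hypothetical type */
static const struct hash_entry fld_hash[] = {   /* constructed names */
	{ "hash-a" }, { "hash-b" }, { NULL }
};
static const struct hash_entry *cur_hash = &fld_hash[0];

static ssize_t hash_seq_write(const char *buffer, size_t count)
{
	char name[16];
	size_t len = count, i;
	if (count == 0 || count >= sizeof(name))
		return -EINVAL;         /* bound the copy before doing it */
	if (copy_from_user(name, buffer, count))
		return -EFAULT;         /* never dereference buffer itself */
	if (name[len - 1] == '\n')
		len--;                  /* "echo name > file" appends a newline */
	name[len] = '\0';
	for (i = 0; fld_hash[i].fh_name != NULL; i++)
		if (strcmp(fld_hash[i].fh_name, name) == 0) {
			cur_hash = &fld_hash[i];
			return (ssize_t)count;
		}
	return -EINVAL;
}

int main(void)
{
	memcpy(user_mem, "hash-b\n", 7);
	printf("user ptr: %zd, kernel ptr: %zd\n", hash_seq_write(user_mem, 7), hash_seq_write("hash-a", 6));
	return 0;
}
```

In the model, a pointer outside the user window fails with `-EFAULT` before any comparison runs, which is the check the direct `strncmp()` on `buffer` skips.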
| Comments |
| Comment by Peter Jones [ 04/Jan/16 ] |
|
Bob, could you please fix this one? Thanks, Peter |
| Comment by Gerrit Updater [ 04/Jan/16 ] |
|
Bob Glossman (bob.glossman@intel.com) uploaded a new patch: http://review.whamcloud.com/17797 |
| Comment by Gerrit Updater [ 12/Jan/16 ] |
|
Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/17797/ |
| Comment by James A Simmons [ 12/Jan/16 ] |
|
Patch has landed. This ticket can be closed. |
| Comment by Peter Jones [ 12/Jan/16 ] |
|
Do you realize that you have permissions to mark tickets as resolved, James? |
| Comment by James A Simmons [ 12/Jan/16 ] |
|
Oh I have been given power. How scary!! |