[LU-7625] gss_proc_write_secinit clobbers user buffer
Created: 03/Jan/16 | Updated: 05/Jan/16

| Status: | Open |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major |
| Reporter: | Oleg Drokin |
| Assignee: | WC Triage |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Severity: | 3 |
| Rank (Obsolete): | 9223372036854775807 |

Description
This is a long-standing issue that I am not sure how it got through. gss_proc_write_secinit is a write function for /proc/fs/lustre/sptlrpc/gss/init_channel. It calls gss_do_ctx_init_rpc(), which proceeds to read some data from the buffer passed (as designed) and then proceeds to write a reply back into that same buffer - HUH?!

So after some digging it looks like this really was supposed to be an ioctl; see this fragment in lgss_keyring.c::do_nego_rpc():

    fd = open(INIT_CHANNEL, O_WRONLY);
    if (fd < 0) {
            logmsg(LL_ERR, "can't open " INIT_CHANNEL "\n");
            return -EACCES;
    }

    logmsg(LL_TRACE, "to down-write\n");
    ret = write(fd, &param, sizeof(param));
    if (ret != sizeof(param)) {
            logmsg(LL_ERR, "lustre ioctl err: %s\n", strerror(errno));
            close(fd);
            return -EACCES;
    }
    close(fd);

We really need to update this bit to become a proper ioctl for it all to make sense.
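The contrast the description draws, between a write(2) handler whose user buffer is input-only and an ioctl(2) handler with a typed struct carrying explicit in and out fields, as an added user-space model in C. This is example code written for this page, not Lustre's own code: the struct layouts, the names nego_request, nego_ioctl_param, nego_channel_write, nego_channel_ioctl and do_nego, the copy_from_user_sim/copy_to_user_sim helpers, and the reply format are all constructed stand-ins for the kernel interfaces.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define NEGO_REPLY_MAX 64

/* Request record as the client sends it (constructed layout, not Lustre's). */
struct nego_request {
    uint32_t version;
    uint32_t lustre_svc;
    char     token[16];
};

/* ioctl-style argument: the request plus an explicit, typed output area. */
struct nego_ioctl_param {
    struct nego_request in;                    /* copied in by the handler */
    uint32_t            reply_len;             /* filled by the handler */
    char                reply[NEGO_REPLY_MAX]; /* filled by the handler */
};

/* Stand-ins for copy_from_user()/copy_to_user(): both refuse to read or write
 * past the length the caller vouched for, and report -EFAULT like the real ones. */
static int copy_from_user_sim(void *dst, const void *usrc, size_t ulen, size_t n)
{
    if (n > ulen) return -EFAULT;
    memcpy(dst, usrc, n);
    return 0;
}

static int copy_to_user_sim(void *udst, size_t ulen, const void *src, size_t n)
{
    if (n > ulen) return -EFAULT;
    memcpy(udst, src, n);
    return 0;
}

/* Negotiation logic shared by both handlers; a constructed stand-in for the
 * context-init RPC that produces a reply for a request. */
static int do_nego(const struct nego_request *req, char *reply, uint32_t *reply_len)
{
    int n;

    if (req->version != 1)
        return -EPROTO;
    n = snprintf(reply, NEGO_REPLY_MAX, "ctx:svc=%u:%.16s",
                 (unsigned)req->lustre_svc, req->token);
    if (n < 0 || n >= NEGO_REPLY_MAX)
        return -EMSGSIZE;
    *reply_len = (uint32_t)n;
    return 0;
}

/* write(2)-shaped handler. The user buffer is const and the only channel back
 * to the caller is the return value, so a reply has nowhere legitimate to go. */
ssize_t nego_channel_write(const char *ubuf, size_t count)
{
    struct nego_request req;
    char reply[NEGO_REPLY_MAX];
    uint32_t reply_len;
    int rc;

    if (count != sizeof(req))
        return -EINVAL;
    if (copy_from_user_sim(&req, ubuf, count, sizeof(req)))
        return -EFAULT;
    rc = do_nego(&req, reply, &reply_len);
    if (rc)
        return rc;
    /* The reply is dropped here: writing it into ubuf would break the
     * write(2) contract, which is exactly what the report describes. */
    return (ssize_t)count;
}

/* ioctl(2)-shaped handler: copy the typed struct in, fill its out-fields,
 * copy the whole struct back. ulen is the size the caller's mapping allows. */
long nego_channel_ioctl(void *uarg, size_t ulen)
{
    struct nego_ioctl_param p;
    int rc;

    if (ulen < sizeof(p))
        return -EINVAL;
    if (copy_from_user_sim(&p, uarg, ulen, sizeof(p)))
        return -EFAULT;
    rc = do_nego(&p.in, p.reply, &p.reply_len);
    if (rc)
        return rc;
    if (copy_to_user_sim(uarg, ulen, &p, sizeof(p)))
        return -EFAULT;
    return 0;
}
```

The write path can only hand back a byte count or an error; anything the negotiation wants to return has to travel through an explicit out-field, which is what an ioctl with a typed argument gives it, with the copy back to user space done once, in full, under the same length check as the copy in.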
Comments

Comment by Andreas Dilger [ 04/Jan/16 ]

Jeremy, is this problem something you are aware of? Is this code already being cleaned up by your security patches?
Comment by Jeremy Filizetti [ 05/Jan/16 ]

I am aware of this code, and it was one of the primary reasons I felt the need to write a developer document for shared key, because it was so bizarre to me. However, it is not fixed in the patches I pushed. I'd love to see this changed, but I'm not sure that needs to fall on the shared key implementation specifically.