[LU-8258] Unsafe userspace address access from proc handler in nodemap code Created: 11/Jun/16  Updated: 18/Aug/16  Resolved: 18/Aug/16

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: Lustre 2.9.0

Type: Bug Priority: Critical
Reporter: Oleg Drokin Assignee: Kit Westneat
Resolution: Fixed Votes: 0
Labels: None

Severity: 3
Rank (Obsolete): 9223372036854775807

 Description   

Patch http://review.whamcloud.com/18783 added this bit of code:

nodemap_fileset_seq_write(struct file *file,
                                      const char __user *buffer,
                                      size_t count, loff_t *off)
{
        struct seq_file *m = file->private_data;
        int rc = 0;

        if (count > 0)
                rc = nodemap_set_fileset(m->private, buffer);

        if (rc != 0)
                return -EINVAL;

        return count;
}

Now the problem is - buffer is in userspace, so we cannot just pass it like this to nodemap_set_fileset where it would get dereferenced.
We need to properly copy it to kernelspace first.

 Comments   
Comment by Peter Jones [ 05/Aug/16 ]

Kit

Are you able to help with this one?

Peter

Comment by Gerrit Updater [ 10/Aug/16 ]

Kit Westneat (kit.westneat@gmail.com) uploaded a new patch: http://review.whamcloud.com/21857
Subject: LU-8258 nodemap: fix userspace address access in proc code
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 001098168e33dbd856537725fc2dca1b3135cab7

Comment by Gerrit Updater [ 15/Aug/16 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/21857/
Subject: LU-8258 nodemap: fix userspace address access in proc code
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 288e55b8a38222af843a71a89df90234a72d8e0d

Comment by Joseph Gmitter (Inactive) [ 18/Aug/16 ]

Landed to master for 2.9.0

Generated at Sat Feb 10 02:15:59 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.