[LU-985] buffer overflow resulting in stack corruption Created: 12/Jan/12  Updated: 08/Apr/12  Resolved: 13/Feb/12

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: Lustre 2.0.0, Lustre 2.1.0, Lustre 2.2.0
Fix Version/s: Lustre 2.2.0, Lustre 2.1.2

Type: Bug Priority: Blocker
Reporter: Alexandre Louvet Assignee: Zhenyu Xu
Resolution: Fixed Votes: 0
Labels: None

Attachments: Text File buffer_overflow.patch    
Issue Links:
Related
is related to LU-945 Unverified user buffer access in lpro... Resolved
Severity: 3
Rank (Obsolete): 4737

 Description   

Trying to evict a client with a wrong but long (40+ characters) nid results in
a stack corruption.

  1. cd /proc/fs/lustre/mdt/test-MDT0000/
  2. echo "nid:10.100.60.114@o2ib2_with_a_very_long_string" > evict_client
    => oops
 
crash> bt
PID: 39043  TASK: ffff88085bb3c380  CPU: 4   COMMAND: "bash"
 #0 [ffff880687cdbc10] machine_kexec at ffffffff8102e77b
 #1 [ffff880687cdbc70] crash_kexec at ffffffff810a6cd8
 #2 [ffff880687cdbd40] panic at ffffffff81466b1b
 #3 [ffff880687cdbdc0] __stack_chk_fail at ffffffff8105908b
 #4 [ffff880687cdbdd0] lprocfs_mdt_wr_evict_client at ffffffffa09b9b98
 #5 [ffff880687cdbe60] lprocfs_fops_write at ffffffffa0552512
 #6 [ffff880687cdbea0] proc_reg_write at ffffffff811bbc4e
 #7 [ffff880687cdbef0] vfs_write at ffffffff811583c8
 #8 [ffff880687cdbf30] sys_write at ffffffff81158e01
 #9 [ffff880687cdbf80] system_call_fastpath at ffffffff8100c172
    RIP: 00000037e2ad4210  RSP: 00007fff74745c28  RFLAGS: 00010202
    RAX: 0000000000000001  RBX: ffffffff8100c172  RCX: 000000000000006e
    RDX: 0000000000000017  RSI: 00002b50e34a6000  RDI: 0000000000000001
    RBP: 00002b50e34a6000   R8: 00000000ffffffff   R9: 0000000000000000
    R10: 00000000ffffffe9  R11: 0000000000000246  R12: 0000000000000017
    R13: 00000037e2d79780  R14: 0000000000000017  R15: 00000000012bd377
    ORIG_RAX: 0000000000000001  CS: 0033  SS: 002b

The problem is located in the lprocfs_mdt_wr_evict_client routine, where the sscanf
copies 40 characters into tmpbuf then adds '\0' (so 41 characters) while tmpbuf is
allocated with 'only' sizeof(struct obd_uuid) (=40) characters.

Replacing %40s by a %39s will avoid this issue (I guess struct obd_uuid should be \0
terminated). Patch attached.

This problem also looks to be present in other places:

  • lprocfs_mds_wr_evict_client
  • lprocfs_mdt_wr_evict_client
  • lprocfs_mdt_wr_mdc
  • lprocfs_wr_evict_client

Thanks,
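
The off-by-one described in this report, shown safely as an added example (not Lustre code and not the attached patch). It assumes a 40-byte field as stated above; the names last_byte_written, parse_nid, SCAN_WIDTH and CANARY are hypothetical, and rejecting an over-long token instead of truncating it is a choice made for this example.

```c
#include <stdio.h>
#include <string.h>

#define UUID_MAX   40   /* sizeof(struct obd_uuid), per the report */
#define SCAN_WIDTH 39   /* must leave one byte for the terminating NUL */
#define CANARY     0xAA /* constructed marker byte */
#define STR_(x) #x
#define STR(x)  STR_(x)
_Static_assert(SCAN_WIDTH + 1 == UUID_MAX, "scan width must be size - 1");

/* Constructed input: the over-long NID from the reproduction steps. */
static const char sample_input[] =
    "nid:10.100.60.114@o2ib2_with_a_very_long_string";

/* Scan into a 40-byte field placed at the start of a larger arena, so the
 * extra byte lands in spare space instead of on the stack. Returns the
 * highest index sscanf modified, or -1 if nothing matched. */
static int last_byte_written(const char *input, const char *fmt)
{
    unsigned char arena[UUID_MAX + 8];
    int i;

    memset(arena, CANARY, sizeof(arena));
    if (sscanf(input, fmt, (char *)arena) != 1)
        return -1;
    for (i = (int)sizeof(arena) - 1; i >= 0; i--)
        if (arena[i] != CANARY)
            return i;
    return -1;
}

/* Hypothetical bounded parser: 0 on success, -1 if the "nid:" prefix is
 * missing, -2 if the token was cut short by the field width. */
static int parse_nid(const char *input, char out[UUID_MAX])
{
    int used = 0;
    if (sscanf(input, "nid:%" STR(SCAN_WIDTH) "s%n", out, &used) != 1)
        return -1;
    if (input[used] != '\0' && input[used] != ' ' && input[used] != '\n')
        return -2; /* more non-space bytes followed: reject, do not truncate */
    return 0;
}

int main(void)
{
    printf("%%40s wrote up to index %d\n", last_byte_written(sample_input, "nid:%40s"));
    printf("%%39s wrote up to index %d\n", last_byte_written(sample_input, "nid:%39s"));
    return 0;
}
```

Index 40 is one byte past a 40-byte buffer, which is the write that trips the stack protector in the backtrace above.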



 Comments   
Comment by Oleg Drokin [ 12/Jan/12 ]

There is also another issue in that code that is highlighted in LU-945.

Please submit all patches to gerrit.

Comment by Peter Jones [ 12/Jan/12 ]

Bobi

Could you please look into this one?

Thanks

Peter

Comment by Zhenyu Xu [ 13/Jan/12 ]

patch tracking at http://review.whamcloud.com/1961

Comment by Peter Jones [ 13/Feb/12 ]

Landed for 2.2

Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » x86_64,client,el5,ofa #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mds/lproc_mds.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mdt/mdt_lproc.c
  • libcfs/libcfs/libcfs_string.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » x86_64,client,el5,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • libcfs/libcfs/libcfs_string.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mds/lproc_mds.c
  • lustre/mdt/mdt_lproc.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » x86_64,client,ubuntu1004,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mds/lproc_mds.c
  • lustre/mdt/mdt_lproc.c
  • libcfs/libcfs/libcfs_string.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » x86_64,client,sles11,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/libcfs/libcfs_string.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mdt/mdt_lproc.c
  • lustre/mds/lproc_mds.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » x86_64,server,el5,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • lustre/mdt/mdt_lproc.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/mds/lproc_mds.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/include/libcfs/libcfs_string.h
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » x86_64,client,el6,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • libcfs/libcfs/libcfs_string.c
  • lustre/mds/lproc_mds.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mdt/mdt_lproc.c
  • libcfs/include/libcfs/libcfs_string.h
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » x86_64,server,el5,ofa #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • lustre/mdt/mdt_lproc.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mds/lproc_mds.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » x86_64,server,el6,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • libcfs/libcfs/libcfs_string.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mdt/mdt_lproc.c
  • lustre/mds/lproc_mds.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » i686,client,el6,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • lustre/mds/lproc_mds.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mdt/mdt_lproc.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » i686,server,el6,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/mds/lproc_mds.c
  • lustre/mdt/mdt_lproc.c
  • libcfs/include/libcfs/libcfs_string.h
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » i686,client,el5,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • libcfs/libcfs/libcfs_string.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mdt/mdt_lproc.c
  • lustre/mds/lproc_mds.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » i686,server,el5,inkernel #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mds/lproc_mds.c
  • lustre/mdt/mdt_lproc.c
  • libcfs/libcfs/libcfs_string.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » i686,server,el5,ofa #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/mdt/mdt_lproc.c
  • lustre/mds/lproc_mds.c
Comment by Build Master (Inactive) [ 13/Feb/12 ]

Integrated in lustre-master » i686,client,el5,ofa #468
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = SUCCESS
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • lustre/mds/lproc_mds.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/libcfs/libcfs_string.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mdt/mdt_lproc.c
Comment by Build Master (Inactive) [ 17/Feb/12 ]

Integrated in lustre-master » x86_64,server,el6,ofa #480
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = FAILURE
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mds/lproc_mds.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/mdt/mdt_lproc.c
Comment by Build Master (Inactive) [ 17/Feb/12 ]

Integrated in lustre-master » x86_64,client,el6,ofa #480
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = FAILURE
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • libcfs/libcfs/libcfs_string.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mds/lproc_mds.c
  • lustre/mdt/mdt_lproc.c
Comment by Build Master (Inactive) [ 17/Feb/12 ]

Integrated in lustre-master » i686,client,el6,ofa #480
LU-985 lprocfs: verify user buffer access (Revision b18cecc6a17e9b30064ed9b24927d1905729d89b)

Result = ABORTED
Oleg Drokin : b18cecc6a17e9b30064ed9b24927d1905729d89b
Files :

  • lustre/mdt/mdt_lproc.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/mds/lproc_mds.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/include/libcfs/libcfs_string.h
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » x86_64,client,sles11,inkernel #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/mds/lproc_mds.c
  • lustre/mdt/mdt_lproc.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » i686,client,el6,inkernel #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • libcfs/libcfs/libcfs_string.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mds/lproc_mds.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mdt/mdt_lproc.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » x86_64,server,el6,inkernel #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • lustre/mdt/mdt_lproc.c
  • libcfs/include/libcfs/libcfs_string.h
  • libcfs/libcfs/libcfs_string.c
  • lustre/mds/lproc_mds.c
  • lustre/ptlrpc/lproc_ptlrpc.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » i686,client,el5,ofa #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • lustre/mdt/mdt_lproc.c
  • lustre/mds/lproc_mds.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/libcfs/libcfs_string.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » x86_64,server,el5,ofa #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mds/lproc_mds.c
  • lustre/mdt/mdt_lproc.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/ptlrpc/lproc_ptlrpc.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » x86_64,client,el6,inkernel #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mdt/mdt_lproc.c
  • lustre/mds/lproc_mds.c
  • libcfs/libcfs/libcfs_string.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » i686,server,el6,inkernel #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • lustre/mdt/mdt_lproc.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mds/lproc_mds.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/ptlrpc/lproc_ptlrpc.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » x86_64,client,el5,inkernel #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mdt/mdt_lproc.c
  • lustre/mds/lproc_mds.c
  • libcfs/libcfs/libcfs_string.c
  • libcfs/include/libcfs/libcfs_string.h
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » i686,server,el5,inkernel #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mdt/mdt_lproc.c
  • lustre/mds/lproc_mds.c
  • libcfs/libcfs/libcfs_string.c
  • libcfs/include/libcfs/libcfs_string.h
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » x86_64,server,el5,inkernel #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • lustre/mds/lproc_mds.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/libcfs/libcfs_string.c
  • lustre/mdt/mdt_lproc.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » i686,server,el5,ofa #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • lustre/mds/lproc_mds.c
  • lustre/mdt/mdt_lproc.c
  • libcfs/libcfs/libcfs_string.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/ptlrpc/lproc_ptlrpc.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » x86_64,client,el5,ofa #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • lustre/ptlrpc/lproc_ptlrpc.c
  • libcfs/include/libcfs/libcfs_string.h
  • lustre/mds/lproc_mds.c
  • lustre/mdt/mdt_lproc.c
  • libcfs/libcfs/libcfs_string.c
Comment by Build Master (Inactive) [ 08/Apr/12 ]

Integrated in lustre-b2_1 » i686,client,el5,inkernel #41
LU-985 lprocfs: verify user buffer access (Revision 98f1e971836bfc973d2b798f9689d590f9f7416d)

Result = SUCCESS
Oleg Drokin : 98f1e971836bfc973d2b798f9689d590f9f7416d
Files :

  • lustre/mdt/mdt_lproc.c
  • libcfs/include/libcfs/libcfs_string.h
  • libcfs/libcfs/libcfs_string.c
  • lustre/ptlrpc/lproc_ptlrpc.c
  • lustre/mds/lproc_mds.c
Generated at Sat Feb 10 01:12:23 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.