https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-12590 Lustre <p>In the latest version of lustre file system, ptlrpc module has a out of read bug due to the lack of validation for specific fields of packets sent by client.</p> <p> </p> <p>The kenrel panic:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>CPU: 0 PID: 3002 Comm: ll_mgs_0002 Kdump: loaded Tainted: G OE ------------ 3.10.0-957.10.1.el7_lustre.x86_64 #1 Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 99a222b 04/01/2014 task: ffff986c19a85140 ti: ffff986c22a88000 task.ti: ffff986c22a88000 RIP: 0010:[&lt;ffffffffc077a480&gt;] [&lt;ffffffffc077a480&gt;] __lustre_unpack_msg+0x100/0x430 [ptlrpc] RSP: 0018:ffff986c22a8bda0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff986c2ed0e000 RCX: 00000000786c35f8 RDX: 00000000000000e0 RSI: 00000000044bc7f8 RDI: ffff986c2ed0e000 RBP: ffff986c22a8bdb8 R08: 00000000044bc7f8 R09: 0000000000000008 R10: 00000000ffffff10 R11: 0000000000000005 R12: ffff986c2ed0e000 R13: ffff986c19bf77c0 R14: ffff986c2aa24700 R15: ffff986c19ea9000 FS: 0000000000000000(0000) GS:ffff986c3fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff986c40000000 CR3: 000000042277c000 CR4: 00000000003606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: [&lt;ffffffffc07ad7d3&gt;] sptlrpc_svc_unwrap_request+0x73/0x600 [ptlrpc] [&lt;ffffffffc078e236&gt;] ptlrpc_main+0xa66/0x20f0 [ptlrpc] [&lt;ffffffff9e2c1c71&gt;] kthread+0xd1/0xe0 [&lt;ffffffff9e975c1d&gt;] ret_from_fork_nospec_begin+0x7/0x21 Code: RIP [&lt;ffffffffc077a480&gt;] __lustre_unpack_msg+0x100/0x430 [ptlrpc] RSP &lt;ffff986c22a8bda0&gt; CR2: ffff986c40000000 </pre> </div></div> <p> </p> <p>In the 'sptlrpc_svc_unwrap_request' function of ptlrpc module, lustre_msg_hdr_size_v2() parses lustre_msg sent by client, but does not check the value, which results in out-of-bounds read.</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> <span class="code-keyword">static</span> inline __u32 lustre_msg_hdr_size_v2(__u32 count) {          <span class="code-keyword">return</span> cfs_size_round(offsetof(struct lustre_msg_v2, lm_buflens[count])); } </pre> </div></div> <p> </p> <p>We can trigger this bug by sending a malformed lustre packet and modifying the lm_bufcount field.</p> <p> </p> <p> </p> <p> </p> <p> </p> <p> </p> Red hat 7 LU-12590

Lustre lustre_msg_hdr_size_v2() bug

Bug Critical Resolved Fixed Emoly Liu Alibaba Cloud Fri, 26 Jul 2019 07:26:07 +0000 Wed, 18 Sep 2019 12:46:31 +0000 Sat, 7 Sep 2019 05:07:35 +0000 Lustre 2.13.0 Lustre 2.12.3 0 4 <p>Emoly</p> <p>Could you please assist with this one?</p> <p>Thanks</p> <p>Peter</p> <p>The most simple fix would be to check the <tt>count</tt> files in <tt>lustre_msg_hdr_size_v2()</tt>, but it is likely that we would need to add similar checks all over the code. Instead, it makes sense to do a higher-level validation of the RPC format in <tt>__lustre_unpack_msg()</tt> (<tt>lm_bufcount</tt>, etc.) before any of these fields are used. </p> <p>Please add "<tt>Reported-by: Alibaba Cloud &lt;yunye.ry@alibaba-inc.com&gt;</tt>" to the patch commit message.</p> <p>Emoly Liu (emoly@whamcloud.com) uploaded a new patch: <a href="https://review.whamcloud.com/35783" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35783</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12590" title="Lustre lustre_msg_hdr_size_v2() bug" class="issue-link" data-issue-key="LU-12590"><del>LU-12590</del></a> ptlrpc: check lm_bufcount for lustre_msg_hdr_size_v2()<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: fd0533b2f934ffc644f818ece41fc9349ea447fb</p> <p>Alibaba Cloud, are you willing to share your testing tool? That would save us development effort. </p> <p>Otherwise, my thought is to add a fail_loc that causes an outgoing RPC message buffer to be randomly corrupted in some small way like a fuzzer tool. This would mean changing eg. one byte in the header or body of the message at some frequency below 100%, otherwise it may be that the client would just be evicted if all of its messages are broken. </p> <p>Oleg Drokin (green@whamcloud.com) merged in patch <a href="https://review.whamcloud.com/35783/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35783/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12590" title="Lustre lustre_msg_hdr_size_v2() bug" class="issue-link" data-issue-key="LU-12590"><del>LU-12590</del></a> ptlrpc: check lm_bufcount and lm_buflen<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 268edb13d769994c4841864034d72f0bd7b36e12</p> <p>Landed for 2.13</p> <p>Minh Diep (mdiep@whamcloud.com) uploaded a new patch: <a href="https://review.whamcloud.com/36119" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/36119</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12590" title="Lustre lustre_msg_hdr_size_v2() bug" class="issue-link" data-issue-key="LU-12590"><del>LU-12590</del></a> ptlrpc: check lm_bufcount and lm_buflen<br/> Project: fs/lustre-release<br/> Branch: b2_12<br/> Current Patch Set: 1<br/> Commit: 4a346abc8cf45088e4b27dda0ce5100039b60eea</p> <p>Oleg Drokin (green@whamcloud.com) merged in patch <a href="https://review.whamcloud.com/36119/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/36119/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12590" title="Lustre lustre_msg_hdr_size_v2() bug" class="issue-link" data-issue-key="LU-12590"><del>LU-12590</del></a> ptlrpc: check lm_bufcount and lm_buflen<br/> Project: fs/lustre-release<br/> Branch: b2_12<br/> Current Patch Set: <br/> Commit: 2257e1ed7ce6a449fdc52ca7a492b8320289e9db</p> Related LU-12605 Development Rank 1|i00k7b: Rank (Obsolete) 9223372036854775807 Severity