Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-12604] Lustre mdt_file_secctx_unpack() bug https://jira.whamcloud.com/browse/LU-12604 Lustre <p>In the latest version of lustre file system, mdt module has a out-of-access bug due to the lack of validation for specific fields of packets sent by client.</p> <p>The kernel panic:</p> <p> </p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> [ 207.996447] Call Trace: [ 207.998174] [&lt;ffffffffc0fc12d6&gt;] mdt_file_secctx_unpack+0xb6/0x140 [mdt] [ 208.000279] [&lt;ffffffffc0fc6ecc&gt;] mdt_open_unpack+0x19c/0x410 [mdt] [ 208.002318] [&lt;ffffffffc0fc71eb&gt;] mdt_reint_unpack+0xab/0x210 [mdt] [ 208.004342] [&lt;ffffffffc0fb0d23&gt;] mdt_reint_internal+0x43/0xb90 [mdt] [ 208.006379] [&lt;ffffffffc0fbd8e0&gt;] ? mdt_intent_fixup_resent+0x160/0x220 [mdt] [ 208.008481] [&lt;ffffffffc0fbda22&gt;] mdt_intent_open+0x82/0x3a0 [mdt] [ 208.010505] [&lt;ffffffffc0697b49&gt;] ? lprocfs_counter_add+0xf9/0x160 [obdclass] [ 208.012619] [&lt;ffffffffc0fbb9e4&gt;] mdt_intent_policy+0x2d4/0xdd0 [mdt] [ 208.014675] [&lt;ffffffffc0fbd9a0&gt;] ? mdt_intent_fixup_resent+0x220/0x220 [mdt] [ 208.016810] [&lt;ffffffffc08a3c66&gt;] ldlm_lock_enqueue+0x356/0xa20 [ptlrpc] [ 208.018833] [&lt;ffffffffc052f3d3&gt;] ? cfs_hash_bd_add_locked+0x63/0x80 [libcfs] [ 208.020881] [&lt;ffffffffc053296e&gt;] ? cfs_hash_add+0xbe/0x1a0 [libcfs] [ 208.022874] [&lt;ffffffffc08cc587&gt;] ldlm_handle_enqueue0+0xa47/0x15a0 [ptlrpc] [ 208.024948] [&lt;ffffffffc08f4520&gt;] ? lustre_swab_ldlm_lock_desc+0x30/0x30 [ptlrpc] [ 208.027041] [&lt;ffffffffc0955082&gt;] tgt_enqueue+0x62/0x210 [ptlrpc] [ 208.028973] [&lt;ffffffffc095b2ca&gt;] tgt_request_handle+0x91a/0x15c0 [ptlrpc] [ 208.030903] [&lt;ffffffffc052bfa7&gt;] ? libcfs_debug_msg+0x57/0x80 [libcfs] [ 208.032796] [&lt;ffffffffc08fe88e&gt;] ptlrpc_server_handle_request+0x24e/0xab0 [ptlrpc] [ 208.034745] [&lt;ffffffff8eccbadb&gt;] ? __wake_up_common+0x5b/0x90 [ 208.036513] [&lt;ffffffffc0902384&gt;] ptlrpc_main+0xbb4/0x20f0 [ptlrpc] [ 208.038274] [&lt;ffffffff8ecd08c0&gt;] ? finish_task_switch+0x50/0x1c0 [ 208.040036] [&lt;ffffffffc09017d0&gt;] ? ptlrpc_register_service+0xfa0/0xfa0 [ptlrpc] [ 208.041892] [&lt;ffffffff8ecc1c71&gt;] kthread+0xd1/0xe0 [ 208.043535] [&lt;ffffffff8ecc1ba0&gt;] ? insert_kthread_work+0x40/0x40 [ 208.045284] [&lt;ffffffff8f375c1d&gt;] ret_from_fork_nospec_begin+0x7/0x21 [ 208.047012] [&lt;ffffffff8ecc1ba0&gt;] ? insert_kthread_work+0x40/0x40 </pre> </div></div> <p>In function mdt_file_secctx_unpack(), it don't check the value of name_size derived from req_capsule_get_size(), and cause a out-of-access bug in strnlen.</p> <p> </p> <p><span class="image-wrap" style=""><img src="https://jira.whamcloud.com/secure/attachment/33301/33301_image-2019-07-29-17-49-02-101.png" style="border: 0px solid black" /></span></p> LU-12604 Lustre mdt_file_secctx_unpack() bug Bug Critical Resolved Fixed Sebastien Buisson Alibaba Cloud Mon, 29 Jul 2019 09:48:03 +0000 Wed, 18 Sep 2019 12:47:20 +0000 Thu, 15 Aug 2019 13:25:18 +0000 Lustre 2.13.0 Lustre 2.12.3 0 4 <p>I am looking into this.</p> <p>In the meantime, do you have more information coming along with the stack trace? For instance, the exact error message? More importantly, are you able to analyze the crash dump and retrieve the content of the name_size variable? I am wondering how this got corrupted.</p> <p>Thanks.</p> <p>Sebastien Buisson (sbuisson@ddn.com) uploaded a new patch: <a href="https://review.whamcloud.com/35655" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35655</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12604" title="Lustre mdt_file_secctx_unpack() bug" class="issue-link" data-issue-key="LU-12604"><del>LU-12604</del></a> mdt: check field size of sec context name<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: e1ef6df469e4a72bb45ba1e1087739d87f957d0d</p> <p>Oleg Drokin (green@whamcloud.com) merged in patch <a href="https://review.whamcloud.com/35655/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35655/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12604" title="Lustre mdt_file_secctx_unpack() bug" class="issue-link" data-issue-key="LU-12604"><del>LU-12604</del></a> mdt: check field size of sec context name<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 384cd84489c9a7aa3145560002eb7a053cf4b2db</p> <p>Landed for 2.13</p> <p>Minh Diep (mdiep@whamcloud.com) uploaded a new patch: <a href="https://review.whamcloud.com/35868" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35868</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12604" title="Lustre mdt_file_secctx_unpack() bug" class="issue-link" data-issue-key="LU-12604"><del>LU-12604</del></a> mdt: check field size of sec context name<br/> Project: fs/lustre-release<br/> Branch: b2_12<br/> Current Patch Set: 1<br/> Commit: b3a5740be9e604a9f0e25d30655bab59d6022020</p> <p>Oleg Drokin (green@whamcloud.com) merged in patch <a href="https://review.whamcloud.com/35868/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35868/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12604" title="Lustre mdt_file_secctx_unpack() bug" class="issue-link" data-issue-key="LU-12604"><del>LU-12604</del></a> mdt: check field size of sec context name<br/> Project: fs/lustre-release<br/> Branch: b2_12<br/> Current Patch Set: <br/> Commit: 92d09db94d725bb36a81bda6219c4ec9dfd17d0a</p> Related LU-12605 Development Rank 1|i00kb3: Rank (Obsolete) 9223372036854775807 Severity