https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-12605 Lustre <p>In the latest version of lustre file system, ptlrpc module has a buffer overflow bug due to the lack of validation for specific fields of packets sent by client.</p> <p>The kenrel panic:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> [ 607.979453] Call Trace: [ 607.981190] [&lt;ffffffffc0a76199&gt;] ? +0xd19/0x2960 [ptlrpc] [ 607.983385] [&lt;ffffffffc0b1f02a&gt;] tgt_request_handle+0x67a/0x15c0 [ptlrpc] [ 607.985484] [&lt;ffffffffc0710fa7&gt;] ? libcfs_debug_msg+0x57/0x80 [libcfs] [ 607.987581] [&lt;ffffffffc0ac288e&gt;] ptlrpc_server_handle_request+0x24e/0xab0 [ptlrpc] [ 607.989741] [&lt;ffffffffabacbadb&gt;] ? __wake_up_common+0x5b/0x90 [ 607.991741] [&lt;ffffffffc0ac6384&gt;] ptlrpc_main+0xbb4/0x20f0 [ptlrpc] [ 607.993731] [&lt;ffffffffabad08c0&gt;] ? finish_task_switch+0x50/0x1c0 [ 607.995760] [&lt;ffffffffc0ac57d0&gt;] ? ptlrpc_register_service+0xfa0/0xfa0 [ptlrpc] [ 607.997834] [&lt;ffffffffabac1c71&gt;] kthread+0xd1/0xe0 [ 607.999655] [&lt;ffffffffabac1ba0&gt;] ? insert_kthread_work+0x40/0x40 [ 608.001584] [&lt;ffffffffac175c1d&gt;] ret_from_fork_nospec_begin+0x7/0x21 [ 608.003533] [&lt;ffffffffabac1ba0&gt;] ? insert_kthread_work+0x40/0x40 </pre> </div></div> <p>The function target_handle_connect() don't check the value of size when client connect to server. If size is -1, the min function will return -1. But the third parameter of memcpy is unsigned int, -1 will be parsed into 0xffffffff, causing a buffer overflow.</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> size = req_capsule_get_size(&amp;req-&gt;rq_pill, &amp;RMF_CONNECT_DATA, RCL_CLIENT); memcpy(tmpdata, data, min(tmpsize, size)); </pre> </div></div> <p> </p> <p> </p> LU-12605

Lustre target_handle_connect() bug

Bug Critical Resolved Fixed Emoly Liu Alibaba Cloud Mon, 29 Jul 2019 10:51:13 +0000 Thu, 12 Sep 2019 17:16:12 +0000 Tue, 27 Aug 2019 02:52:05 +0000 Lustre 2.13.0 Lustre 2.13.0 Lustre 2.12.3 0 5 <p>Sébastien</p> <p>Could you please investigate</p> <p>Peter</p> <p><tt>lustre_unpack_msg_v2()</tt> is what is touching the message buffer first, and is the right place to do sanity checking of the message buffers. While <tt>lustre_msg_buf_v2()</tt> is used in a lot of places to access various buffers internally, we don't necessarily want to do validity checking for every access throughout the code. Having a high-level scrub once at message receipt makes the most sense, and then the internal accessors can assume it is valid.</p> <p>Checks that should be added:</p> <ol> <li>validate that the number of buffers is not too large (there a limit of 32 buffers per message based on <tt>sizeof(req-&gt;rq_req_swab_mask)*8</tt>, but there is no check of <tt>lm_bufcount</tt> before it is used.</li> <li>validate that individual buffer lengths and the total message lengths are not insane (i.e. integers &lt; <tt>INT_MAX/MAX_BUFFER_COUNT</tt> so that they are not treated as negative <tt>int</tt> values)</li> <li>validate that the individual buffer lengths are less than the total message length to avoid overflow when added</li> <li>validate that the provided lengths are not larger than the total message size</li> </ol> <p>Emoly</p> <p>Actually can you please work on this one</p> <p>Thanks</p> <p>Peter</p> <p>Hello <a href="https://jira.whamcloud.com/secure/ViewProfile.jspa?name=yunye.ry" class="user-hover" rel="yunye.ry">yunye.ry</a>,</p> <p>please register for an account on Gerrit <a href="https://review.whamcloud.com/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/</a> so that you can be added as a reviewer for the patches that are being developed for the various issues that you have filed.  Then you can verify that they are fixing the reported problems by adding your +1 to the patch (assuming it is correct).  This will result in a "<tt>Reviewed-by: Your Name &lt;your_email&gt;</tt>" label on the final patch, and Alibaba will also be listed in the Lustre contribution statistics in <a href="http://wiki.lustre.org/images/a/a1/LUG2019-Community-Release-Update-Jones.pdf" class="external-link" target="_blank" rel="nofollow noopener">Lustre presentations</a>.</p> <p>Ok, I will do it, thank you</p> <p>Hi Andreas,<br/> I tried to register in the <a href="https://review.whamcloud.com/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/</a> but failed. The register site ( <a href="https://review.whamcloud.com/login/%23%2Fregister%2Fq%2Fstatus%3Aopen" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/login/%23%2Fregister%2Fq%2Fstatus%3Aopen</a>) shows that I can log in with my whamcloud account, but it seems failed. The wrong message is 'Invalid authentication'. Do I have to register for an OpenID account? Thank you.</p> <p>Yes - as you are not part of the Whamcloud team you will need an account based on an OpenID identity. These kinds of questions are probably best handled via direct email rather than in JIRA (where anyone can read them)</p> <p>Emoly Liu (emoly@whamcloud.com) uploaded a new patch: <a href="https://review.whamcloud.com/35711" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35711</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12605" title="Lustre target_handle_connect() bug" class="issue-link" data-issue-key="LU-12605"><del>LU-12605</del></a> tgt: check data size in target_handle_connect()<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: ba4979f6b25e64576e7906ec6cd559f3499adba7</p> <p>Oleg Drokin (green@whamcloud.com) merged in patch <a href="https://review.whamcloud.com/35711/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35711/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12605" title="Lustre target_handle_connect() bug" class="issue-link" data-issue-key="LU-12605"><del>LU-12605</del></a> tgt: check client data size in target_handle_connect()<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 149f005a3199eee13fe6396671613a0f620ee0cc</p> <p>Landed for 2.13</p> <p>Minh Diep (mdiep@whamcloud.com) uploaded a new patch: <a href="https://review.whamcloud.com/35935" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35935</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12605" title="Lustre target_handle_connect() bug" class="issue-link" data-issue-key="LU-12605"><del>LU-12605</del></a> tgt: check client data size in target_handle_connect()<br/> Project: fs/lustre-release<br/> Branch: b2_12<br/> Current Patch Set: 1<br/> Commit: c43893e5a876a180b321df714a61630ad4b7c03f</p> <p>Oleg Drokin (green@whamcloud.com) merged in patch <a href="https://review.whamcloud.com/35935/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/35935/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-12605" title="Lustre target_handle_connect() bug" class="issue-link" data-issue-key="LU-12605"><del>LU-12605</del></a> tgt: check client data size in target_handle_connect()<br/> Project: fs/lustre-release<br/> Branch: b2_12<br/> Current Patch Set: <br/> Commit: d70c45a124aa2580115111aa8a77648f073dc799</p> Related LU-12590 LU-12600 LU-12602 LU-12603 LU-12604 LU-12612 LU-12613 LU-12615 Development Rank 1|i00kbb: Rank (Obsolete) 9223372036854775807 Severity