[LU-12613] Lustre lustre_msg_string() bug

Related — Thu, 16 Mar 2023 15:28:43 +0000

In the latest version of lustre file system, ptlrpc module has a out-of-access bug due to the lack of validation for specific fields of packets sent by client.

The kernel panic:

[ 190.198913] BUG: unable to handle kernel paging request at ffff96e50a9811e0 [ 190.201204] IP: [<ffffffff9d37fd8d>] strnlen+0xd/0x40 [ 190.203235] PGD 218a52067 PUD 0 [ 190.205073] Oops: 0000 [#1] SMP [ 190.206896] Modules linked in: ofd(OE) ost(OE) osp(OE) mdd(OE) lod(OE) mdt(OE) lfsck(OE) mgs(OE) osd_ldiskfs(OE) lquota(OE) ldiskfs(OE) loop lustre(OE) obdecho(OE) mgc(OE) lov(OE) mdc(OE) osc(OE) lmv(OE) fid(OE) fld(OE) ptlrpc(OE) obdclass(OE) crc_t10dif crct10dif_generic ksocklnd(OE) lnet(OE) libcfs(OE) dm_flakey dm_mod nfit libnvdimm iosf_mbi crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd ppdev joydev pcspkr virtio_balloon parport_pc parport i2c_piix4 ip_tables ext4 mbcache jbd2 ata_generic pata_acpi virtio_net virtio_console virtio_blk cirrus drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm ata_piix drm libata crct10dif_pclmul crct10dif_common crc32c_intel serio_raw virtio_pci virtio_ring virtio drm_panel_orientation_quirks floppy [ 190.225100] CPU: 3 PID: 3029 Comm: mdt00_000 Kdump: loaded Tainted: G OE ------------ 3.10.0-957.10.1.el7_lustre.x86_64 #1 [ 190.229212] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 3288b3c 04/01/2014 [ 190.231427] task: ffff96e41073b0c0 ti: ffff96e40ca78000 task.ti: ffff96e40ca78000 [ 190.233629] RIP: 0010:[<ffffffff9d37fd8d>] [<ffffffff9d37fd8d>] strnlen+0xd/0x40 [ 190.235840] RSP: 0018:ffff96e40ca7b948 EFLAGS: 00010202 [ 190.237836] RAX: 0000000000000006 RBX: ffff96e42ea47570 RCX: 0000000000000000 [ 190.240017] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff96e50a9811e0 [ 190.242169] RBP: ffff96e40ca7b948 R08: 0000000000000000 R09: 00000000dbf39c70 [ 190.244293] R10: 0000000000000002 R11: 0000000000000020 R12: 0000000000000001 [ 190.246405] R13: ffff96e50a9811e0 R14: 0000000000000006 R15: 0000000000000000 [ 190.248499] FS: 0000000000000000(0000) GS:ffff96e43fd80000(0000) knlGS:0000000000000000 [ 190.250671] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 190.252613] CR2: ffff96e50a9811e0 CR3: 0000000427bfa000 CR4: 00000000003606e0 [ 190.254692] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 190.256766] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 190.258818] Call Trace: [ 190.260502] [<ffffffffc09a6d72>] lustre_msg_string+0x52/0x280 [ptlrpc] [ 190.262506] [<ffffffffc05da395>] ? cfs_trace_unlock_tcd+0x35/0x90 [libcfs] [ 190.264588] [<ffffffffc09a6d20>] ? lustre_msg_bufcount+0x80/0x80 [ptlrpc] [ 190.266637] [<ffffffffc09cd47b>] __req_capsule_get+0x12b/0x740 [ptlrpc] [ 190.268633] [<ffffffffc09a5010>] ? lustre_msg_buf_v2+0x1b0/0x1b0 [ptlrpc] [ 190.270642] [<ffffffffc09cdaa5>] req_capsule_client_get+0x15/0x20 [ptlrpc] [ 190.272634] [<ffffffffc10510c3>] mdt_name_unpack+0x23/0xd0 [mdt] [ 190.274523] [<ffffffffc1052e96>] mdt_open_unpack+0x166/0x410 [mdt] [ 190.276410] [<ffffffffc10531eb>] mdt_reint_unpack+0xab/0x210 [mdt] [ 190.278284] [<ffffffffc103cd23>] mdt_reint_internal+0x43/0xb90 [mdt] [ 190.280151] [<ffffffffc10497b6>] ? mdt_intent_fixup_resent+0x36/0x220 [mdt] [ 190.282066] [<ffffffffc1049a22>] mdt_intent_open+0x82/0x3a0 [mdt] [ 190.283917] [<ffffffffc074cb49>] ? lprocfs_counter_add+0xf9/0x160 [obdclass] [ 190.285824] [<ffffffffc10479e4>] mdt_intent_policy+0x2d4/0xdd0 [mdt] [ 190.287657] [<ffffffffc10499a0>] ? mdt_intent_fixup_resent+0x220/0x220 [mdt] [ 190.289550] [<ffffffffc0958c66>] ldlm_lock_enqueue+0x356/0xa20 [ptlrpc] [ 190.291407] [<ffffffffc05e43d3>] ? cfs_hash_bd_add_locked+0x63/0x80 [libcfs] [ 190.293278] [<ffffffffc05e796e>] ? cfs_hash_add+0xbe/0x1a0 [libcfs] [ 190.295073] [<ffffffffc0981587>] ldlm_handle_enqueue0+0xa47/0x15a0 [ptlrpc] [ 190.296924] [<ffffffffc09a9520>] ? lustre_swab_ldlm_lock_desc+0x30/0x30 [ptlrpc] [ 190.298825] [<ffffffffc0a0a082>] tgt_enqueue+0x62/0x210 [ptlrpc] [ 190.300586] [<ffffffffc0a102ca>] tgt_request_handle+0x91a/0x15c0 [ptlrpc] [ 190.302399] [<ffffffffc05e0fa7>] ? libcfs_debug_msg+0x57/0x80 [libcfs] [ 190.304211] [<ffffffffc09b388e>] ptlrpc_server_handle_request+0x24e/0xab0 [ptlrpc] [ 190.306082] [<ffffffff9d0cbadb>] ? __wake_up_common+0x5b/0x90 [ 190.307775] [<ffffffffc09b7384>] ptlrpc_main+0xbb4/0x20f0 [ptlrpc] [ 190.309463] [<ffffffff9d0d08c0>] ? finish_task_switch+0x50/0x1c0 [ 190.311131] [<ffffffffc09b67d0>] ? ptlrpc_register_service+0xfa0/0xfa0 [ptlrpc] [ 190.312860] [<ffffffff9d0c1c71>] kthread+0xd1/0xe0 [ 190.314340] [<ffffffff9d0c1ba0>] ? insert_kthread_work+0x40/0x40 [ 190.315899] [<ffffffff9d775c1d>] ret_from_fork_nospec_begin+0x7/0x21 [ 190.317470] [<ffffffff9d0c1ba0>] ? insert_kthread_work+0x40/0x40 [ 190.318974] Code: c0 01 80 38 00 75 f7 48 29 f8 5d c3 31 c0 5d c3 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 85 f6 48 8d 4e ff 48 89 e5 74 2a <80> 3f 00 74 25 48 89 f8 31 d2 eb 10 0f 1f 80 00 00 00 00 48 83 [ 190.323574] RIP [<ffffffff9d37fd8d>] strnlen+0xd/0x40 [ 190.325038] RSP <ffff96e40ca7b948> [ 190.326320] CR2: ffff96e50a9811e0

In function lustre_msg_string(), there is no check about the value of blen derived from lustre_msg_buflen_v2(), and cause a out-of-access bug in strnlen.

 case LUSTRE_MSG_MAGIC_V2:                
      str = lustre_msg_buf_v2(m, index, 0);                
      blen = lustre_msg_buflen_v2(m, index);                
         break;        
      default:                
        LASSERTF(0, "incorrect message magic: %08x\n", m->lm_magic);        }
        ...
       slen = strnlen(str, blen);

Whamcloud Community JIRA

[LU-12613] Lustre lustre_msg_string() bug