https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-4984 Lustre <p>There's an integer overflow in LL_IOC_HSM_REQUEST handler</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> <span class="code-keyword">case</span> LL_IOC_HSM_REQUEST: { struct hsm_user_request *hur; <span class="code-object">int</span> totalsize; OBD_ALLOC_PTR(hur); <span class="code-keyword">if</span> (hur == NULL) RETURN(-ENOMEM); <span class="code-comment">/* We don't know the <span class="code-keyword">true</span> size yet; copy the fixed-size part */</span> <span class="code-keyword">if</span> (copy_from_user(hur, (void *)arg, sizeof(*hur))) { OBD_FREE_PTR(hur); RETURN(-EFAULT); } <span class="code-comment">/* Compute the whole struct size */</span> totalsize = hur_len(hur); OBD_FREE_PTR(hur); <span class="code-comment">/* Make sure the size is reasonable */</span> <span class="code-keyword">if</span> (totalsize &gt;= MDS_MAXREQSIZE) RETURN(-E2BIG); </pre> </div></div> <p>Instead of checking totalsize which is past multiplication and is subject to overflow already, what we must do is we must ensure hur-&gt;hur_request.hr_itemcount is safe first.<br/> Then it's safe to call hur_len</p> LU-4984

Integer overflow in LL_IOC_HSM_REQUEST handler

Bug Critical Resolved Fixed Nathaniel Clark Oleg Drokin mq115 Wed, 30 Apr 2014 03:36:33 +0000 Mon, 1 Dec 2014 08:41:27 +0000 Tue, 1 Jul 2014 14:53:14 +0000 Lustre 2.5.0 Lustre 2.6.0 Lustre 2.6.0 0 9 <p>James,<br/> Could you please take this one?<br/> Thank you!</p> <p>John, I suspect we should also annotate some of these fields with __user as well, could you please comment.</p> <p>John,<br/> is there any chance you would have time to look at this?</p> <p><a href="http://review.whamcloud.com/10615" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/10615</a></p> <p>Landed for 2.6</p> <p>The committed patch still has the memory leak mentioned here: <a href="http://review.whamcloud.com/#/c/10615/5/lustre/utils/lfs.c,cm" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/#/c/10615/5/lustre/utils/lfs.c,cm</a></p> <p>The leak is in a short-lived lfs tool, not any sort of a library that can for extended periods of time, so I don't see this is a very important leak (still a bug, of course).</p> <p>Please open a separate ticket about it so that it's not forgotten.</p> <p>Oleg</p> <p>I think that Andreas did this on Frank's behalf under <a href="https://jira.whamcloud.com/browse/LU-5323" title="memory leak in lfs_hsm_request()" class="issue-link" data-issue-key="LU-5323"><del>LU-5323</del></a></p> <p>Peter</p> <p>Patch for b2_5 at <a href="http://review.whamcloud.com/12369" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/12369</a></p> Related LU-5323 Development Rank 1|hzwlhb: Rank (Obsolete) 13804 Severity