Whamcloud Community JIRA https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 [LU-6674] struct lov_user_mds_data can be used uninitialized https://jira.whamcloud.com/browse/LU-6674 Lustre <p>In function cb_find_init():3003 requested the lmd structure but it filled partially and struct lov_user_mds_data becomes uninitialized because of following code in ll_dir_ioctl():</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> <span class="code-keyword">if</span> (cmd == IOC_MDC_GETFILEINFO || cmd == IOC_MDC_GETFILESTRIPE) { filename = ll_getname((<span class="code-keyword">const</span> <span class="code-object">char</span> __user *)arg); <span class="code-keyword">if</span> (IS_ERR(filename)) RETURN(PTR_ERR(filename)); rc = ll_lov_getstripe_ea_info(inode, filename, &amp;lmm, &amp;lmmsize, &amp;request); } <span class="code-keyword">else</span> { rc = ll_dir_getstripe(inode, (void **)&amp;lmm, &amp;lmmsize, &amp;request, 0); } [...] <span class="code-keyword">if</span> (rc &lt; 0) { <span class="code-keyword">if</span> (rc == -ENODATA &amp;&amp; (cmd == IOC_MDC_GETFILEINFO || cmd == LL_IOC_MDC_GETINFO)) GOTO(skip_lmm, rc = 0); <span class="code-keyword">else</span> GOTO(out_req, rc); } <span class="code-keyword">if</span> (cmd == IOC_MDC_GETFILESTRIPE || cmd == LL_IOC_LOV_GETSTRIPE) { lump = (struct lov_user_md __user *)arg; } <span class="code-keyword">else</span> { struct lov_user_mds_data __user *lmdp; lmdp = (struct lov_user_mds_data __user *)arg; lump = &amp;lmdp-&gt;lmd_lmm; } <span class="code-keyword">if</span> (copy_to_user(lump, lmm, lmmsize)) { <span class="code-keyword">if</span> (copy_to_user(lump, lmm, sizeof(*lump))) GOTO(out_req, rc = -EFAULT); rc = -EOVERFLOW; } skip_lmm: </pre> </div></div> LU-6674 struct lov_user_mds_data can be used uninitialized Bug Critical Resolved Fixed Dmitry Eremin Dmitry Eremin Tue, 2 Jun 2015 19:33:33 +0000 Fri, 24 Jul 2015 09:42:06 +0000 Fri, 24 Jul 2015 09:42:06 +0000 Lustre 2.8.0 0 4 <p>Dmitry Eremin (dmitry.eremin@intel.com) uploaded a new patch: <a href="http://review.whamcloud.com/15109" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/15109</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-6674" title="struct lov_user_mds_data can be used uninitialized" class="issue-link" data-issue-key="LU-6674"><del>LU-6674</del></a>: test: test of uninitilized structure used<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 3f229741c9d5c5f8671fcbe953e19669cf222991</p> <p>After this patch I got 6 sanity tests failures:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"># grep <span class="code-quote">"FAIL "</span> sanity.log FAIL 56y (1s) FAIL 184c (18s) FAIL 200 (31s) FAIL 220 (18s) FAIL 244 (2s) FAIL 251 (1s) </pre> </div></div> <p>John</p> <p>Oleg thought that you might have some input to this one</p> <p>Peter</p> <p>This functionality was add by </p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">commit d39b08def6512ee6ae883a0db62cebd808646208 Author: jcl &lt;jacques-charles.lafoucriere@cea.fr&gt; Date: Wed Feb 20 11:18:23 2013 +0100 LU-3363 api: HSM <span class="code-keyword">import</span> uses <span class="code-keyword">new</span> released pattern Import creates a released file using <span class="code-keyword">new</span> RAID pattern flag Import used a <span class="code-keyword">new</span> ioctl() to implement the <span class="code-keyword">import</span> in the client kernel. Add a -L|--layout option to lfs getstripe and lfs find Signed-off-by: JC Lafoucriere &lt;jacques-charles.lafoucriere@cea.fr&gt; Change-Id: I39103e6f90bd73dc09cde49086d223d717e41cd2 Reviewed-on: http:<span class="code-comment">//review.whamcloud.com/6536 </span> Tested-by: Hudson Reviewed-by: Andreas Dilger &lt;andreas.dilger@intel.com&gt; Reviewed-by: Jinshan Xiong &lt;jinshan.xiong@intel.com&gt; Tested-by: Maloo &lt;whamcloud.maloo@gmail.com&gt; </pre> </div></div> <p>It looks this issue was originally.</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> /* Request MDS <span class="code-keyword">for</span> the stat info <span class="code-keyword">if</span> some of these parameters need * to be compared. */ <span class="code-keyword">if</span> (param-&gt;fp_obd_uuid || param-&gt;fp_mdt_uuid || param-&gt;fp_check_uid || param-&gt;fp_check_gid || param-&gt;fp_atime || param-&gt;fp_mtime || param-&gt;fp_ctime || param-&gt;fp_check_pool || param-&gt;fp_check_size || param-&gt;fp_check_stripe_count || param-&gt;fp_check_stripe_size || param-&gt;fp_check_layout) decision = 0; <span class="code-keyword">if</span> (param-&gt;fp_type != 0 &amp;&amp; checked_type == 0) decision = 0; <span class="code-keyword">if</span> (decision == 0) { ret = get_lmd_info(path, parent, dir, param-&gt;fp_lmd, param-&gt;fp_lum_size); </pre> </div></div> <p>The issue is <em>get_lmd_info()</em> return <b>0</b> and nothing in <b>param-&gt;fp_lmd-&gt;lmd_lmm</b>. Therefore previous data or garbage is used for subsequent comparison:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> <span class="code-keyword">if</span> (param-&gt;fp_check_layout) { __u32 found; found = (param-&gt;fp_lmd-&gt;lmd_lmm.lmm_pattern &amp; param-&gt;fp_layout); <span class="code-keyword">if</span> ((param-&gt;fp_lmd-&gt;lmd_lmm.lmm_pattern == 0xFFFFFFFF) || (found &amp;&amp; param-&gt;fp_exclude_layout) || (!found &amp;&amp; !param-&gt;fp_exclude_layout)) { decision = -1; <span class="code-keyword">goto</span> decided; } } </pre> </div></div> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="http://review.whamcloud.com/15109/" class="external-link" target="_blank" rel="nofollow noopener">http://review.whamcloud.com/15109/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-6674" title="struct lov_user_mds_data can be used uninitialized" class="issue-link" data-issue-key="LU-6674"><del>LU-6674</del></a> utils: fix of uninitilized lmm structure usage<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 486d2797fc0d04e2482ecd4c7100919c55d07277</p> Development Rank 1|hzxeqv: Rank (Obsolete) 9223372036854775807 Severity