[LU-7625] gss_proc_write_secinit clobbers user buffer

Tue, 5 Jan 2016 04:21:17 +0000

This is a long standing issue that I am not sure how it got through.

gss_proc_write_secinit is a write function for /proc/fs/lustre/sptlrpc/gss/init_channel

It calls gss_do_ctx_init_rpc() that proceeds to read some data from the buffer passed (as designed) and then proceeds to write a reply back into that same buffer - HUH?!

So after some digging it looks like this really was supposed to be ioctl, see this fragment in lgss_keyring.c::do_nego_rpc():

        fd = open(INIT_CHANNEL, O_WRONLY);
        if (fd < 0) {
                logmsg(LL_ERR, "can't open " INIT_CHANNEL "\n");
                return -EACCES;
        }

        logmsg(LL_TRACE, "to down-write\n");

        ret = write(fd, &param, sizeof(param));
        if (ret != sizeof(param)) {
                logmsg(LL_ERR, "lustre ioctl err: %s\n", strerror(errno));
                close(fd);
                return -EACCES;
        }
        close(fd);

We really need to update this bit to become proper ioctl for it all to make sense.

Whamcloud Community JIRA

[LU-7625] gss_proc_write_secinit clobbers user buffer