[lustre-devel] staging: add Lustre file system client support

Dan Carpenter dan.carpenter at oracle.com
Thu Oct 15 04:14:19 PDT 2015 

Hello Lustre Devs,

The patch d7e09d0397e8: "staging: add Lustre file system client
support" from May 2, 2013, leads to the following static checker
warning:

	drivers/staging/lustre/lnet/selftest/console.c:1330 lstcon_test_add()
	error: 'paramlen' from user is not capped properly

drivers/staging/lustre/lnet/selftest/console.c
  1273  int
  1274  lstcon_test_add(char *batch_name, int type, int loop,
  1275                  int concur, int dist, int span,
  1276                  char *src_name, char *dst_name,
  1277                  void *param, int paramlen, int *retp,
  1278                  struct list_head *result_up)
  1279  {
  1280          lstcon_test_t    *test   = NULL;
  1281          int              rc;
  1282          lstcon_group_t   *src_grp = NULL;
  1283          lstcon_group_t   *dst_grp = NULL;
  1284          lstcon_batch_t   *batch = NULL;
  1285  
  1286          /*
  1287           * verify that a batch of the given name exists, and the groups
  1288           * that will be part of the batch exist and have at least one
  1289           * active node
  1290           */
  1291          rc = lstcon_verify_batch(batch_name, &batch);
  1292          if (rc != 0)
  1293                  goto out;
  1294  
  1295          rc = lstcon_verify_group(src_name, &src_grp);
  1296          if (rc != 0)
  1297                  goto out;
  1298  
  1299          rc = lstcon_verify_group(dst_name, &dst_grp);
  1300          if (rc != 0)
  1301                  goto out;
  1302  
  1303          if (dst_grp->grp_userland)
  1304                  *retp = 1;
  1305  
  1306          LIBCFS_ALLOC(test, offsetof(lstcon_test_t, tes_param[paramlen]));

There is an underflow and integer overflow bug here.

  1307          if (!test) {
  1308                  CERROR("Can't allocate test descriptor\n");
  1309                  rc = -ENOMEM;
  1310  
  1311                  goto out;
  1312          }
  1313  
  1314          test->tes_hdr.tsb_id    = batch->bat_hdr.tsb_id;
  1315          test->tes_batch         = batch;
  1316          test->tes_type          = type;
  1317          test->tes_oneside       = 0; /* TODO */
  1318          test->tes_loop          = loop;
  1319          test->tes_concur        = concur;
  1320          test->tes_stop_onerr    = 1; /* TODO */
  1321          test->tes_span          = span;
  1322          test->tes_dist          = dist;
  1323          test->tes_cliidx        = 0; /* just used for creating RPC */
  1324          test->tes_src_grp       = src_grp;
  1325          test->tes_dst_grp       = dst_grp;
  1326          INIT_LIST_HEAD(&test->tes_trans_list);
  1327  
  1328          if (param != NULL) {
  1329                  test->tes_paramlen = paramlen;
  1330                  memcpy(&test->tes_param[0], param, paramlen);
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is the warning.

  1331          }

The warning here is a false positive because the caller validates
"paramlen" when "param" is non-NULL.  Unfortunately, on line 1306, we
use "paramlen" even when param is NULL.  "paramlen" is signed so this
can mean "test" is smaller than expected leading to memory corruption.

regards,
dan carpenter

More information about the lustre-devel mailing list