lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1448062576-23757-23-git-send-email-jsimmons@infradead.org>
Date:	Fri, 20 Nov 2015 18:35:58 -0500
From:	James Simmons <jsimmons@...radead.org>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	devel@...verdev.osuosl.org, Oleg Drokin <oleg.drokin@...el.com>,
	Andreas Dilger <andreas.dilger@...el.com>
Cc:	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	lustre-devel@...ts.lustre.org,
	James Simmons <jsimmons@...radead.org>,
	James Simmons <uja.ornl@...il.com>
Subject: [PATCH 22/40] staging: lustre: Fixes to make lnetctl function as expected.

During testing of the lnetctl utility I ran into some
issues. One of the problems is when you print out help
for peer_credits you get help for stats. With this patch
the help option for peer_credits is set to return the
proper help message.

The second problem was for grabbing stats data. No data
was returned but instead it reported a error. The reason
for this is that libcfs_ioctl_getdata() test to see if the
size of the data passed in is less than the struct
libcfs_ioctl_data in size. For the stats function its
data structure struct lnet_ioctl_lnet_stats is smaller
than what is allowed. Instead of checking if the data
is less than libcfs_ioctl_data in size we check to ensure
that the data is not smaller than the ioctl hdr data which
is universal.

The bug in libcfs_ioctl_getdata() exposed a bunch of cases
with new ioctls that don't check to see if the data imported
from userland equals the size reported in the ioctl hdr
data. We address those cases in this patch as well.

Signed-off-by: James Simmons <uja.ornl@...il.com>
Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-5935
Reviewed-on: http://review.whamcloud.com/12782
Reviewed-by: Liang Zhen <liang.zhen@...el.com>
Reviewed-by: Doug Oucharek <doug.s.oucharek@...el.com>
Reviewed-by: Oleg Drokin <oleg.drokin@...el.com>
---
 drivers/staging/lustre/lnet/lnet/api-ni.c          |   36 ++++++++++++++++++++
 .../lustre/lustre/libcfs/linux/linux-module.c      |    2 +-
 2 files changed, 37 insertions(+), 1 deletions(-)

diff --git a/drivers/staging/lustre/lnet/lnet/api-ni.c b/drivers/staging/lustre/lnet/lnet/api-ni.c
index e40c657..7657f88 100644
--- a/drivers/staging/lustre/lnet/lnet/api-ni.c
+++ b/drivers/staging/lustre/lnet/lnet/api-ni.c
@@ -1872,6 +1872,10 @@ LNetCtl(unsigned int cmd, void *arg)
 
 	case IOC_LIBCFS_ADD_ROUTE:
 		config = arg;
+
+		if (config->cfg_hdr.ioc_len < sizeof(*config))
+			return -EINVAL;
+
 		mutex_lock(&the_lnet.ln_api_mutex);
 		rc = lnet_add_route(config->cfg_net,
 				    config->cfg_config_u.cfg_route.rtr_hop,
@@ -1883,6 +1887,10 @@ LNetCtl(unsigned int cmd, void *arg)
 
 	case IOC_LIBCFS_DEL_ROUTE:
 		config = arg;
+
+		if (config->cfg_hdr.ioc_len < sizeof(*config))
+			return -EINVAL;
+
 		mutex_lock(&the_lnet.ln_api_mutex);
 		rc = lnet_del_route(config->cfg_net, config->cfg_nid);
 		mutex_unlock(&the_lnet.ln_api_mutex);
@@ -1890,6 +1898,10 @@ LNetCtl(unsigned int cmd, void *arg)
 
 	case IOC_LIBCFS_GET_ROUTE:
 		config = arg;
+
+		if (config->cfg_hdr.ioc_len < sizeof(*config))
+			return -EINVAL;
+
 		return lnet_get_route(config->cfg_count,
 				      &config->cfg_net,
 				      &config->cfg_config_u.cfg_route.rtr_hop,
@@ -1900,8 +1912,13 @@ LNetCtl(unsigned int cmd, void *arg)
 
 	case IOC_LIBCFS_GET_NET: {
 		struct lnet_ioctl_net_config *net_config;
+		size_t total = sizeof(*config) + sizeof(*net_config);
 
 		config = arg;
+
+		if (config->cfg_hdr.ioc_len < total)
+			return -EINVAL;
+
 		net_config = (struct lnet_ioctl_net_config *)
 				config->cfg_bulk;
 		if (!config || !net_config)
@@ -1925,12 +1942,19 @@ LNetCtl(unsigned int cmd, void *arg)
 	{
 		struct lnet_ioctl_lnet_stats *lnet_stats = arg;
 
+		if (lnet_stats->st_hdr.ioc_len < sizeof(*lnet_stats))
+			return -EINVAL;
+
 		lnet_counters_get(&lnet_stats->st_cntrs);
 		return 0;
 	}
 
 	case IOC_LIBCFS_CONFIG_RTR:
 		config = arg;
+
+		if (config->cfg_hdr.ioc_len < sizeof(*config))
+			return -EINVAL;
+
 		mutex_lock(&the_lnet.ln_api_mutex);
 		if (config->cfg_config_u.cfg_buffers.buf_enable) {
 			rc = lnet_rtrpools_enable();
@@ -1943,6 +1967,10 @@ LNetCtl(unsigned int cmd, void *arg)
 
 	case IOC_LIBCFS_ADD_BUF:
 		config = arg;
+
+		if (config->cfg_hdr.ioc_len < sizeof(*config))
+			return -EINVAL;
+
 		mutex_lock(&the_lnet.ln_api_mutex);
 		rc = lnet_rtrpools_adjust(config->cfg_config_u.cfg_buffers.
 						buf_tiny,
@@ -1955,8 +1983,13 @@ LNetCtl(unsigned int cmd, void *arg)
 
 	case IOC_LIBCFS_GET_BUF: {
 		struct lnet_ioctl_pool_cfg *pool_cfg;
+		size_t total = sizeof(*config) + sizeof(*pool_cfg);
 
 		config = arg;
+
+		if (config->cfg_hdr.ioc_len < total)
+			return -EINVAL;
+
 		pool_cfg = (struct lnet_ioctl_pool_cfg *)config->cfg_bulk;
 		return lnet_get_rtr_pool_cfg(config->cfg_count, pool_cfg);
 	}
@@ -1964,6 +1997,9 @@ LNetCtl(unsigned int cmd, void *arg)
 	case IOC_LIBCFS_GET_PEER_INFO: {
 		struct lnet_ioctl_peer *peer_info = arg;
 
+		if (peer_info->pr_hdr.ioc_len < sizeof(*peer_info))
+			return -EINVAL;
+
 		return lnet_get_peer_info(peer_info->pr_count,
 			&peer_info->pr_nid,
 			peer_info->pr_lnd_u.pr_peer_credits.cr_aliveness,
diff --git a/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c b/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c
index 50a5464..9414746 100644
--- a/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c
+++ b/drivers/staging/lustre/lustre/libcfs/linux/linux-module.c
@@ -73,7 +73,7 @@ int libcfs_ioctl_getdata(struct libcfs_ioctl_hdr **hdr_pp,
 		return -EINVAL;
 	}
 
-	if (hdr.ioc_len < sizeof(struct libcfs_ioctl_data)) {
+	if (hdr.ioc_len < sizeof(struct libcfs_ioctl_hdr)) {
 		CERROR("libcfs ioctl: user buffer too small for ioctl\n");
 		return -EINVAL;
 	}
-- 
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ