From: Dan Carpenter <dan.carpenter@oracle.com>
To: lustre-devel@lists.lustre.org
Subject: [lustre-devel] staging: add Lustre file system client support
Date: Thu, 15 Oct 2015 13:59:43 +0300
Message-ID: <20151015105943.GA22833@mwanda>

Hello Lustre Devs,

The patch d7e09d0397e8: "staging: add Lustre file system client
support" from May 2, 2013, leads to the following static checker
warning:

	drivers/staging/lustre/lustre/libcfs/kernel_user_comm.c:150 libcfs_kkuc_group_rem()
	error: buffer overflow 'kkuc_groups' 3 <= s32max

drivers/staging/lustre/lustre/libcfs/kernel_user_comm.c
   146  int libcfs_kkuc_group_rem(int uid, int group)
   147  {
   148          struct kkuc_reg *reg, *next;
   149  
   150          if (kkuc_groups[group].next == NULL)

group doesn't appear to have been validated at all.  It comes from the
user.  The call tree is:

-> lmv_iocontrol()
   -> lmv_hsm_ct_unregister()
      -> libcfs_kkuc_group_rem()

It looks like this code could oops.

   151                  return 0;
   152  
   153          if (uid == 0) {
   154                  /* Broadcast a shutdown message */
   155                  struct kuc_hdr lh;
   156  
   157                  lh.kuc_magic = KUC_MAGIC;
   158                  lh.kuc_transport = KUC_TRANSPORT_GENERIC;
   159                  lh.kuc_msgtype = KUC_MSG_SHUTDOWN;
   160                  lh.kuc_msglen = sizeof(lh);
   161                  libcfs_kkuc_group_put(group, &lh);
   162          }
   163  
   164          down_write(&kg_sem);
   165          list_for_each_entry_safe(reg, next, &kkuc_groups[group], kr_chain) {
   166                  if ((uid == 0) || (uid == reg->kr_uid)) {
   167                          list_del(&reg->kr_chain);
   168                          CDEBUG(D_KUC, "Removed uid=%d fp=%p from group %d\n",
   169                                 reg->kr_uid, reg->kr_fp, group);
   170                          if (reg->kr_fp != NULL)
   171                                  fput(reg->kr_fp);
   172                          kfree(reg);
   173                  }
   174          }
   175          up_write(&kg_sem);
   176  
   177          return 0;
   178  }

regards,
dan carpenter
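
Added example, not part of the original message and not the Lustre code or its eventual fix: a userspace C model of the check the report says is missing, refusing a caller-supplied group index before it indexes a 3-element array (the size is taken from the checker warning). All `model_*` names are hypothetical, and a singly linked list stands in for the kernel list.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace model of the reported pattern. All model_* names are
 * hypothetical; this is not the Lustre source. */
#define MODEL_NR_GROUPS 3	/* array size from the checker warning */

struct model_reg {
	int uid;
	struct model_reg *next;
};

/* One singly linked registration list per group. */
static struct model_reg *model_groups[MODEL_NR_GROUPS];

/* The index is a signed int from the caller, so both negative and
 * too-large values must be refused. The unsigned cast folds both
 * cases into a single comparison. */
static int model_group_valid(int group)
{
	return (unsigned int)group < MODEL_NR_GROUPS;
}

static int model_group_add(int group, struct model_reg *reg)
{
	if (!model_group_valid(group))
		return -EINVAL;
	reg->next = model_groups[group];
	model_groups[group] = reg;
	return 0;
}

/* Unlink entries matching uid (uid 0 matches all). Returns the number
 * removed, or -EINVAL before the array is ever touched. */
static int model_group_rem(int uid, int group)
{
	struct model_reg **pp;
	int removed = 0;

	if (!model_group_valid(group))
		return -EINVAL;
	pp = &model_groups[group];
	while (*pp != NULL) {
		if (uid == 0 || uid == (*pp)->uid) {
			*pp = (*pp)->next;	/* caller owns the memory */
			removed++;
		} else {
			pp = &(*pp)->next;
		}
	}
	return removed;
}
```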
