[Linux-cluster] fence_tool problem, direct user pointer dereference in cman kernel code

Lennert Buytenhek buytenh at wantstofly.org
Sat Jun 26 23:00:30 UTC 2004

fence_tool gives me, on both of my test machines: 

	fence_domain_add: service register failed

relevant syscalls seem to be:

	(machine 1)
	socket(PF_BLUETOOTH, SOCK_DGRAM, 3)     = 1
	ioctl(1, 0x4001780e, 0x9c34050)         = -1 EINVAL (Invalid argument)

	(machine 2)
	socket(PF_BLUETOOTH, SOCK_DGRAM, 3)     = 1
	ioctl(1, 0x4001780e, 0x9505050)         = -1 ENAMETOOLONG (File name too long)

Looking at linux/cluster/cman/sm_user.c:sm_ioctl, it casts 'arg' to a
(char *) and then passes it into user_register, which does a direct
strlen() on it... which is bad coding style in general, but definitely
ain't gonna produce anything remotely useful on a 4G/4G kernel, like
the one that ships with Fedora Core 2.

I suspect there are more such bugs out there, sometimes I get really
unexpected behaviour or things that plain don't seem to work at all.
cman+dlm+gfs kernel code is ~2MB, but cman alone is only 400kb, so if
anyone else feels like some auditing work, we could do a rough pass over
cman in a few days with a few people.. anyone volunteering?

More information about the Linux-cluster mailing list