[Linux-cluster] fence_tool problem, direct user pointer dereference in cman kernel code
Lennert Buytenhek
buytenh at wantstofly.org
Sat Jun 26 23:00:30 UTC 2004
fence_tool gives me, on both of my test machines:
fence_domain_add: service register failed
relevant syscalls seem to be:
(machine 1)
socket(PF_BLUETOOTH, SOCK_DGRAM, 3) = 1
ioctl(1, 0x4001780e, 0x9c34050) = -1 EINVAL (Invalid argument)
(machine 2)
socket(PF_BLUETOOTH, SOCK_DGRAM, 3) = 1
ioctl(1, 0x4001780e, 0x9505050) = -1 ENAMETOOLONG (File name too long)
Looking at linux/cluster/cman/sm_user.c:sm_ioctl, it casts 'arg' to a
(char *) and then passes it into user_register, which does a direct
strlen() on it... which is bad coding style in general, but definitely
ain't gonna produce anything remotely useful on a 4G/4G kernel, like
the one that ships with Fedora Core 2.
I suspect there are more such bugs out there, sometimes I get really
unexpected behaviour or things that plain don't seem to work at all.
cman+dlm+gfs kernel code is ~2MB, but cman alone is only 400kb, so if
anyone else feels like some auditing work, we could do a rough pass over
cman in a few days with a few people.. anyone volunteering?
More information about the Linux-cluster
mailing list