
DAOS-16251 mgmt: Fix use-after-free in pool_list #15014

Merged 1 commit into master from liw/fix-mgmt on Aug 28, 2024

Conversation

@liw (Contributor) commented Aug 27, 2024

In dc_mgmt_pool_list, calling wipe_cred_iov on in->pli_cred after calling crt_req_decref on rpc is a use-after-free.

Before requesting gatekeeper:

  • Two review approvals and any prior change requests have been resolved.
  • Testing is complete and all tests passed or there is a reason documented in the PR why it should be force landed and forced-landing tag is set.
  • Features: (or Test-tag*) commit pragma was used or there is a reason documented that there are no appropriate tags for this PR.
  • Commit messages follow the guidelines outlined here.
  • Any tests skipped by the ticket being addressed have been run and passed in the PR.

Gatekeeper:

  • You are the appropriate gatekeeper to be landing the patch.
  • The PR has 2 reviews by people familiar with the code, including appropriate owners.
  • Githooks were used. If not, request that user install them and check copyright dates.
  • Checkpatch issues are resolved. Pay particular attention to ones that will show up on future PRs.
  • All builds have passed. Check non-required builds for any new compiler warnings.
  • Sufficient testing is done. Check feature pragmas and test tags and that tests skipped for the ticket are run and now pass with the changes.
  • If applicable, the PR has addressed any potential version compatibility issues.
  • Check the target branch. If it is master branch, should the PR go to a feature branch? If it is a release branch, does it have merge approval in the JIRA ticket?
  • Extra checks if forced landing is requested
    • Review comments are sufficiently resolved, particularly by prior reviewers that requested changes.
    • No new NLT or valgrind warnings. Check the classic view.
    • Quick-build or Quick-functional is not used.
  • Fix the commit message upon landing. Check the standard here. Edit it to create a single commit. If necessary, ask submitter for a new summary.

github-actions bot commented Aug 27, 2024

Ticket title is 'DAOS 2.4.2-4: Errored DAOS engine 0 exited unexpectedly on daos_user'
Status is 'In Progress'
Labels: 'ALCF'
https://daosio.atlassian.net/browse/DAOS-16251

In dc_mgmt_pool_list, calling wipe_cred_iov on in->pli_cred after
calling crt_req_decref on rpc is a use-after-free.

Signed-off-by: Li Wei <[email protected]>
Required-githooks: true
@liw liw changed the title DAOS-16251: mgmt: Fix use-after-free in pool_list DAOS-16251 mgmt: Fix use-after-free in pool_list Aug 27, 2024
@daosbuild1 (Collaborator) commented
Test stage Functional on EL 8.8 completed with status FAILURE. https://build.hpdd.intel.com//job/daos-stack/job/daos/view/change-requests/job/PR-15014/2/execution/node/1208/log

@liw liw requested review from mjmac, kccain and knard-intel August 27, 2024 23:33
@liw liw marked this pull request as ready for review August 27, 2024 23:33
@knard-intel (Contributor) left a comment


LGTM

@liw liw requested a review from a team August 28, 2024 22:49
@daltonbohning daltonbohning merged commit 663237c into master Aug 28, 2024
56 checks passed
@daltonbohning daltonbohning deleted the liw/fix-mgmt branch August 28, 2024 22:56
jolivier23 pushed a commit that referenced this pull request Aug 29, 2024
In dc_mgmt_pool_list, calling wipe_cred_iov on in->pli_cred after
calling crt_req_decref on rpc is a use-after-free.

Signed-off-by: Li Wei <[email protected]>
liw added a commit that referenced this pull request Sep 17, 2024
In dc_mgmt_pool_list, calling wipe_cred_iov on in->pli_cred after
calling crt_req_decref on rpc is a use-after-free.

Signed-off-by: Li Wei <[email protected]>
Required-githooks: true
@liw liw mentioned this pull request Sep 17, 2024
gnailzenh pushed a commit that referenced this pull request Sep 20, 2024
* DAOS-16251 object: Fix obj_ec_singv_split overflow (#15045)

It has been seen that obj_ec_singv_split may read beyond the end of
sgl->sg_iovs[0].iov_buf:

    iod_size=8569
    c_bytes=4288
    id_shard=0
    tgt_off=1
    iov_len=8569
    iov_buf_len=8569

The memmove read 4288 bytes from offset 4288, whereas the buffer only
had 8569 - 4288 = 4281 bytes from offset 4288. This patch fixes the
problem by adding the min(...) expression.

Signed-off-by: Li Wei <[email protected]>
Required-githooks: true

* DAOS-16251 dtx: Fix dtx_req_send use-after-free (#15035)

In dtx_req_send, since the crt_req_send releases the req reference, din
may have been freed when dereferenced for the DL_CDEBUG call.

Signed-off-by: Li Wei <[email protected]>
Required-githooks: true

* DAOS-16251 mgmt: Fix use-after-free in pool_list (#15014)

In dc_mgmt_pool_list, calling wipe_cred_iov on in->pli_cred after
calling crt_req_decref on rpc is a use-after-free.

Signed-off-by: Li Wei <[email protected]>
Required-githooks: true

* DAOS-16251 tests: Fix various buffer overflows (#15003)

 - vos: Fix vtx_pm buffer overflow
 - vos: Fix evt_ctl stack buffer overflow
 - object: Fix srv_checksum_tests buffer overflow
 - utils: Fix ddb_vos_tests buffer overflow etc

Signed-off-by: Li Wei <[email protected]>
Required-githooks: true

* DAOS-16251 engine: Misc fixes and cleanups (#14983)

  - ivc_on_get stores random entry_priv_val into priv_entry for many
    ivc_ent_get implementations. Although not used, this should be
    avoided.

  - ds_iv_done stores pointer to stack variable rc in cb_info->future,
    which outlives the stack frame of ds_iv_done. Although not used,
    this pointer is confusing.

  - ds_pool_iv_map_update associates the input map buffer with the map
    version from ds_pool, rather than the input map version. Although
    this may be fine, we should really not ask for unnecessary
    trouble/concern.

Signed-off-by: Li Wei <[email protected]>
Required-githooks: true

---------

Signed-off-by: Li Wei <[email protected]>
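The obj_ec_singv_split overflow in the squashed commit above (#15045), as an added example that is not DAOS code: a model of the clamped cell copy, with the sizes the commit message lists (iod_size 8569, c_bytes 4288, tgt_off 1) used as constructed input. The function names, the parameter layout and the assumption that the shard's cell starts at tgt_off * c_bytes are mine; the page gives only the sizes and the min(...) fix, not the surrounding code.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Model of the single-value EC split (assumed shape, not DAOS code).
 * iov_buf/iov_len stand in for sgl->sg_iovs[0]; c_bytes is the per-target
 * cell size; tgt_off selects the cell this shard keeps. */

/* Bytes an unclamped memmove(iov_buf, iov_buf + off, c_bytes) would read
 * past the end of the buffer (0 when the copy fits). With the commit's
 * sizes this is 4288 + 4288 - 8569 = 7. */
size_t
singv_split_overread(size_t iov_len, size_t c_bytes, unsigned tgt_off)
{
    size_t off = (size_t)tgt_off * c_bytes;
    size_t end = off + c_bytes;

    return end > iov_len ? end - iov_len : 0;
}

/* Clamped copy: the min(...) the commit adds. Moves this shard's cell to
 * the front of the buffer and returns the number of bytes moved. */
size_t
singv_split(char *iov_buf, size_t iov_len, size_t c_bytes, unsigned tgt_off)
{
    size_t off = (size_t)tgt_off * c_bytes;
    size_t len;

    if (off >= iov_len)
        return 0;                   /* cell lies wholly past the data */
    len = iov_len - off;
    if (len > c_bytes)
        len = c_bytes;              /* min(c_bytes, iov_len - off) */
    memmove(iov_buf, iov_buf + off, len);
    return len;
}

/* Fills a constructed buffer with a position-dependent pattern, runs
 * singv_split, and verifies the moved bytes are exactly those that were at
 * offset tgt_off * c_bytes. Returns bytes moved, or (size_t)-1 on a
 * content mismatch or allocation failure. */
size_t
singv_split_check(size_t iov_len, size_t c_bytes, unsigned tgt_off)
{
    char  *buf = malloc(iov_len);
    size_t off = (size_t)tgt_off * c_bytes;
    size_t len, i;

    if (buf == NULL)
        return (size_t)-1;
    for (i = 0; i < iov_len; i++)
        buf[i] = (char)(i * 7 + 3);         /* constructed sample data */
    len = singv_split(buf, iov_len, c_bytes, tgt_off);
    for (i = 0; i < len; i++) {
        if (buf[i] != (char)((off + i) * 7 + 3)) {
            free(buf);
            return (size_t)-1;
        }
    }
    free(buf);
    return len;
}
```

With the commit's numbers, singv_split_check(8569, 4288, 1) moves 4281 bytes rather than the 4288 the unclamped memmove read, and singv_split_overread reports the 7-byte over-read the original code performed; a tgt_off whose cell starts at or beyond iov_len copies nothing instead of reading from past the buffer.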
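The two reference-count bugs in the same squashed commit, dc_mgmt_pool_list (#15014) and dtx_req_send (#15035), follow one ordering rule: the rpc input lives inside the rpc allocation, so once the caller's last reference is gone (dropped by crt_req_decref in the pool_list case, consumed by crt_req_send in the dtx case) nothing reached through crt_req_get may be touched again. Added example, not DAOS or CaRT code: a minimal model with an assumed struct layout and model stand-ins for the crt_req_* calls. The fix shown, wiping the credential before the final decref, is the ordering the commit message implies; the page does not show the actual diff.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed minimal layout, not DAOS's: the rpc input lives inside the rpc
 * allocation, which is why in->pli_cred dies together with the rpc. */
typedef struct { void *iov_buf; size_t iov_len; } d_iov_t;
struct mgmt_pool_list_in { d_iov_t pli_cred; };
struct crt_rpc {
    int                      cr_refcount;
    struct mgmt_pool_list_in cr_input;
};

static int g_freed_with_live_cred;  /* model-only: rpc freed before the wipe */

/* Model stand-in for crt_req_create plus the caller attaching its cred. */
static struct crt_rpc *
crt_req_create(const void *cred, size_t cred_len)
{
    struct crt_rpc *rpc = calloc(1, sizeof(*rpc));

    if (rpc == NULL)
        return NULL;
    rpc->cr_refcount = 1;
    rpc->cr_input.pli_cred.iov_buf = malloc(cred_len);
    if (rpc->cr_input.pli_cred.iov_buf == NULL) {
        free(rpc);
        return NULL;
    }
    memcpy(rpc->cr_input.pli_cred.iov_buf, cred, cred_len);
    rpc->cr_input.pli_cred.iov_len = cred_len;
    return rpc;
}

/* Returns a pointer INTO rpc: valid only while a reference is held. */
static struct mgmt_pool_list_in *
crt_req_get(struct crt_rpc *rpc)
{
    return &rpc->cr_input;
}

/* Model stand-in for crt_req_decref: the last reference frees the rpc. */
static void
crt_req_decref(struct crt_rpc *rpc)
{
    if (--rpc->cr_refcount > 0)
        return;
    if (rpc->cr_input.pli_cred.iov_buf != NULL)
        g_freed_with_live_cred = 1; /* the wipe did not happen in time */
    free(rpc);                      /* cr_input and pli_cred die here */
}

/* Zero, free and detach the credential; returns bytes zeroed. The volatile
 * pointer keeps the compiler from eliding stores to soon-freed memory. */
static size_t
wipe_cred_iov(d_iov_t *iov)
{
    volatile unsigned char *p = iov->iov_buf;
    size_t n = iov->iov_len, i;

    if (p == NULL)
        return 0;
    for (i = 0; i < n; i++)
        p[i] = 0;
    free(iov->iov_buf);
    iov->iov_buf = NULL;
    iov->iov_len = 0;
    return n;
}

/* The ordering the commit message describes: the last decref frees rpc,
 * then wipe_cred_iov dereferences in->pli_cred inside the freed block.
 * Deliberately not called here; build with -fsanitize=address and call it
 * to get a heap-use-after-free report. Error handling omitted. */
size_t
dc_mgmt_pool_list_buggy(const void *cred, size_t cred_len)
{
    struct crt_rpc *rpc = crt_req_create(cred, cred_len);
    struct mgmt_pool_list_in *in = crt_req_get(rpc);

    crt_req_decref(rpc);
    return wipe_cred_iov(&in->pli_cred);    /* use-after-free */
}

/* Fixed ordering: every use of the input finishes before the final decref,
 * and nothing reached through crt_req_get is kept past that point. */
size_t
dc_mgmt_pool_list_fixed(const void *cred, size_t cred_len)
{
    struct crt_rpc *rpc = crt_req_create(cred, cred_len);
    size_t wiped;

    if (rpc == NULL)
        return 0;
    wiped = wipe_cred_iov(&crt_req_get(rpc)->pli_cred);
    crt_req_decref(rpc);
    return wiped;
}

/* Model-only accessor so a test can confirm the ordering. */
int rpc_freed_with_live_cred(void) { return g_freed_with_live_cred; }
```

The same rule covers dtx_req_send: since crt_req_send releases the reference, any field of din that the DL_CDEBUG call needs has to be copied into locals before the send, or logged before it. A debug allocator that poisons freed memory, or AddressSanitizer, turns the buggy ordering into an immediate crash rather than a silent zeroing of someone else's heap block.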