We recently refactored the Orangefs debugfs code.

The refactor seemed to trigger dan.carpenter@oracle.com's static tester to find a possible double-free in the code. While designing the fix we saw a condition under which the buffer being freed could also be overflowed. We also realized how to rebuild the related debugfs file's "contents" (a string) without deleting and re-creating the file. This fix should eliminate the possible double-free, the potential overflow and improve code readability. -----BEGIN PGP SIGNATURE----- iQIcBAABAgAGBQJYI04nAAoJEM9EDqnrzg2+rT4P/1sN1ZUDwKgyJ3Qk3n5AAvlR PtbqeRhzUD7QdTR5yb/k/37rqYB7BBB5xd5VDlYKuD8luppjoAS2J4SRkngPFQiV NZMP1Sq5nWeEyeG8it+MzH364zBUGK+D94VqlhUDLHKa27WMWTB2vrcLq/DI06np 35r4dWnV3+2+lgg0zvJGP7QoQLlPByB5q7pwTA9TBaPnDHVh/Myq4jS70wfEYDqY NMxkq02vQHS7a2mysZbrE2fXC2OBRTCGP+9lsdvJx9XfYQkIHfe4qMAxu0XlqDSM 6POHEr5cPizENGSp7myV9G97FuF0UHZXnLEKe04DLbuGao2omMiNHvrnS/zPgKRQ zpCMsf4FVChjCipQzne1eLQbQskWVDy58ziURzefO+bV8aFe61KBOvAiNEZ+7i21 CeEBeU2A5brd1y6ELcFCf2SDjmyd/ScyYqwIIrsY0eK1D3GveeHX1tkMGH8y7hWD CoY/cKUSHwZ6ZwFpzeCs96wzZ19o7BLKogyIyYQWc1s09uijIHInxkRxUqtfVErj 2SpOXOqLkpjpU0Kga8beU6OtXLRv/ob518RPTPF5NAzjl08xn20pZckKL092uhVj k/VlJUE72Om2XJmBbta2Sz7iN8QfujJO0Ql/Nl51lX++pVbQIjFDaRhIYt6Yb0af y1XRJXqDJ3sh9J/od3fN =ELyS -----END PGP SIGNATURE----- Merge tag 'for-linus-4.9-rc4-ofs-1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux Pull orangefs fix from Mike Marshall: "We recently refactored the Orangefs debugfs code. The refactor seemed to trigger dan.carpenter@oracle.com's static tester to find a possible double-free in the code. While designing the fix we saw a condition under which the buffer being freed could also be overflowed. We also realized how to rebuild the related debugfs file's "contents" (a string) without deleting and re-creating the file. This fix should eliminate the possible double-free, the potential overflow and improve code readability" * tag 'for-linus-4.9-rc4-ofs-1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux: orangefs: clean up debugfs
2016-11-09 11:36:43 -08:00 · 2016-11-09 11:36:43 -08:00 · 3c6106da74
parent ae67e87f40 dc0336214e
commit 3c6106da74
2 changed files with 68 additions and 85 deletions
--- a/fs/orangefs/orangefs-debugfs.c
+++ b/fs/orangefs/orangefs-debugfs.c
@ -141,6 +141,9 @@ static struct client_debug_mask client_debug_mask;
 */
 static DEFINE_MUTEX(orangefs_debug_lock);
 /* Used to protect data in ORANGEFS_KMOD_DEBUG_HELP_FILE */
 static DEFINE_MUTEX(orangefs_help_file_lock);
 /*
 * initialize kmod debug operations, create orangefs debugfs dir and
 * ORANGEFS_KMOD_DEBUG_HELP_FILE.
@ -289,6 +292,8 @@ static void *help_start(struct seq_file *m, loff_t *pos)
 	gossip_debug(GOSSIP_DEBUGFS_DEBUG, "help_start: start\n");
 	mutex_lock(&orangefs_help_file_lock);
 	if (*pos == 0)
 		payload = m->private;
@ -305,6 +310,7 @@ static void *help_next(struct seq_file *m, void *v, loff_t *pos)
 static void help_stop(struct seq_file *m, void *p)
 {
 	gossip_debug(GOSSIP_DEBUGFS_DEBUG, "help_stop: start\n");
 	mutex_unlock(&orangefs_help_file_lock);
 }
 static int help_show(struct seq_file *m, void *v)
@ -610,32 +616,54 @@ static int orangefs_prepare_cdm_array(char *debug_array_string)
 * /sys/kernel/debug/orangefs/debug-help can be catted to
 * see all the available kernel and client debug keywords.
 *
- * When the kernel boots, we have no idea what keywords the
+ * When orangefs.ko initializes, we have no idea what keywords the
 * client supports, nor their associated masks.
 *
- * We pass through this function once at boot and stamp a
+ * We pass through this function once at module-load and stamp a
 * boilerplate "we don't know" message for the client in the
 * debug-help file. We pass through here again when the client
 * starts and then we can fill out the debug-help file fully.
 *
 * The client might be restarted any number of times between
- * reboots, we only build the debug-help file the first time.
+ * module reloads, we only build the debug-help file the first time.
 */
 int orangefs_prepare_debugfs_help_string(int at_boot)
 {
 	int rc = -EINVAL;
 	int i;
 	int byte_count = 0;
 	char *client_title = "Client Debug Keywords:\n";
 	char *kernel_title = "Kernel Debug Keywords:\n";
 	size_t string_size =  DEBUG_HELP_STRING_SIZE;
 	size_t result_size;
 	size_t i;
 	char *new;
 	int rc = -EINVAL;
 	gossip_debug(GOSSIP_UTILS_DEBUG, "%s: start\n", __func__);
-	if (at_boot) {
+	if (at_boot)
 		byte_count += strlen(HELP_STRING_UNINITIALIZED);
 		client_title = HELP_STRING_UNINITIALIZED;
-	} else {
+
-		/*
+	/* build a new debug_help_string. */
 	new = kzalloc(DEBUG_HELP_STRING_SIZE, GFP_KERNEL);
 	if (!new) {
 		rc = -ENOMEM;
 		goto out;
 	}
 	/*
 	 * strlcat(dst, src, size) will append at most
 	 * "size - strlen(dst) - 1" bytes of src onto dst,
 	 * null terminating the result, and return the total
 	 * length of the string it tried to create.
 	 *
 	 * We'll just plow through here building our new debug
 	 * help string and let strlcat take care of assuring that
 	 * dst doesn't overflow.
 	 */
 	strlcat(new, client_title, string_size);
 	if (!at_boot) {
                /*
 		 * fill the client keyword/mask array and remember
 		 * how many elements there were.
 		 */
@ -644,64 +672,40 @@ int orangefs_prepare_debugfs_help_string(int at_boot)
 		if (cdm_element_count <= 0)
 			goto out;
 		/* Count the bytes destined for debug_help_string. */
 		byte_count += strlen(client_title);
 		for (i = 0; i < cdm_element_count; i++) {
-			byte_count += strlen(cdm_array[i].keyword + 2);
+			strlcat(new, "\t", string_size);
-			if (byte_count >= DEBUG_HELP_STRING_SIZE) {
+			strlcat(new, cdm_array[i].keyword, string_size);
-				pr_info("%s: overflow 1!\n", __func__);
+			strlcat(new, "\n", string_size);
 				goto out;
 			}
 		}
 		gossip_debug(GOSSIP_UTILS_DEBUG,
 			     "%s: cdm_element_count:%d:\n",
 			     __func__,
 			     cdm_element_count);
 	}
-	byte_count += strlen(kernel_title);
+	strlcat(new, "\n", string_size);
 	strlcat(new, kernel_title, string_size);
 	for (i = 0; i < num_kmod_keyword_mask_map; i++) {
-		byte_count +=
+		strlcat(new, "\t", string_size);
-			strlen(s_kmod_keyword_mask_map[i].keyword + 2);
+		strlcat(new, s_kmod_keyword_mask_map[i].keyword, string_size);
-		if (byte_count >= DEBUG_HELP_STRING_SIZE) {
+		result_size = strlcat(new, "\n", string_size);
 			pr_info("%s: overflow 2!\n", __func__);
 			goto out;
 		}
 	}
-	/* build debug_help_string. */
+	/* See if we tried to put too many bytes into "new"... */
-	debug_help_string = kzalloc(DEBUG_HELP_STRING_SIZE, GFP_KERNEL);
+	if (result_size >= string_size) {
-	if (!debug_help_string) {
+		kfree(new);
 		rc = -ENOMEM;
 		goto out;
 	}
-	strcat(debug_help_string, client_title);
+	if (at_boot) {
-
+		debug_help_string = new;
-	if (!at_boot) {
+	} else {
-		for (i = 0; i < cdm_element_count; i++) {
+		mutex_lock(&orangefs_help_file_lock);
-			strcat(debug_help_string, "\t");
+		memset(debug_help_string, 0, DEBUG_HELP_STRING_SIZE);
-			strcat(debug_help_string, cdm_array[i].keyword);
+		strlcat(debug_help_string, new, string_size);
-			strcat(debug_help_string, "\n");
+		mutex_unlock(&orangefs_help_file_lock);
 		}
 	}
 	strcat(debug_help_string, "\n");
 	strcat(debug_help_string, kernel_title);
 	for (i = 0; i < num_kmod_keyword_mask_map; i++) {
 		strcat(debug_help_string, "\t");
 		strcat(debug_help_string, s_kmod_keyword_mask_map[i].keyword);
 		strcat(debug_help_string, "\n");
 	}
 	rc = 0;
-out:
+out:	return rc;
 	return rc;
 }
@ -959,8 +963,12 @@ int orangefs_debugfs_new_client_string(void __user *arg)
 	ret = copy_from_user(&client_debug_array_string,
                                     (void __user *)arg,
                                     ORANGEFS_MAX_DEBUG_STRING_LEN);
-	if (ret != 0)
+
 	if (ret != 0) {
 		pr_info("%s: CLIENT_STRING: copy_from_user failed\n",
 			__func__);
 		return -EIO;
 	}
 	/*
 	 * The real client-core makes an effort to ensure
@ -975,45 +983,18 @@ int orangefs_debugfs_new_client_string(void __user *arg)
 	client_debug_array_string[ORANGEFS_MAX_DEBUG_STRING_LEN - 1] =
 		'\0';
 	if (ret != 0) {
 		pr_info("%s: CLIENT_STRING: copy_from_user failed\n",
 			__func__);
 		return -EIO;
 	}
 	pr_info("%s: client debug array string has been received.\n",
 		__func__);
 	if (!help_string_initialized) {
-		/* Free the "we don't know yet" default string... */
+		/* Build a proper debug help string. */
 		kfree(debug_help_string);
 		/* build a proper debug help string */
 		if (orangefs_prepare_debugfs_help_string(0)) {
 			gossip_err("%s: no debug help string \n",
 				   __func__);
 			return -EIO;
 		}
 		/* Replace the boilerplate boot-time debug-help file. */
 		debugfs_remove(help_file_dentry);
 		help_file_dentry =
 			debugfs_create_file(
 				ORANGEFS_KMOD_DEBUG_HELP_FILE,
 				0444,
 				debug_dir,
 				debug_help_string,
 				&debug_help_fops);
 		if (!help_file_dentry) {
 			gossip_err("%s: debugfs_create_file failed for"
 				   " :%s:!\n",
 				   __func__,
 				   ORANGEFS_KMOD_DEBUG_HELP_FILE);
 			return -EIO;
 		}
 	}
 	debug_mask_to_string(&client_debug_mask, 1);
--- a/fs/orangefs/orangefs-mod.c
+++ b/fs/orangefs/orangefs-mod.c
@ -124,7 +124,7 @@ static int __init orangefs_init(void)
 	 * unknown at boot time.
 	 *
 	 * orangefs_prepare_debugfs_help_string will be used again
-	 * later to rebuild the debug-help file after the client starts
+	 * later to rebuild the debug-help-string after the client starts
 	 * and passes along the needed info. The argument signifies
 	 * which time orangefs_prepare_debugfs_help_string is being
 	 * called.
@ -152,7 +152,9 @@ static int __init orangefs_init(void)
 	ret = register_filesystem(&orangefs_fs_type);
 	if (ret == 0) {
-		pr_info("orangefs: module version %s loaded\n", ORANGEFS_VERSION);
+		pr_info("%s: module version %s loaded\n",
 			__func__,
 			ORANGEFS_VERSION);
 		ret = 0;
 		goto out;
 	}