LU-16157 lnet: lst read-outside of allocation

lnet_selftest want a some parameters from userspace,
but it never sends. It caused a read of outside of allocation
like
BUG: KASAN: slab-out-of-bounds in lstcon_testrpc_prep+0x19e7/0x1bb0
Read of size 4 at addr ffff8888bbaa866c by task lt-lst/6371

Signed-off-by: Alexey Lyashkov <alexey.lyashkov@hpe.com>
Change-Id: I2a98e60c4be65c49fa9da4b418e50f1c7309b69d
Reviewed-on: https://review.whamcloud.com/c/fs/lustre-release/+/48547
Reviewed-by: Andreas Dilger <adilger@whamcloud.com>
Reviewed-by: James Simmons <jsimmons@infradead.org>
Reviewed-by: Oleg Drokin <green@whamcloud.com>
Tested-by: jenkins <devops@whamcloud.com>
Tested-by: Maloo <maloo@whamcloud.com>

diff --git a/lnet/selftest/conrpc.c b/lnet/selftest/conrpc.c
index 927d099..d9ce964 100644 (file)
--- a/lnet/selftest/conrpc.c
+++ b/lnet/selftest/conrpc.c
@@ -780,10 +780,15 @@ lstcon_pingrpc_prep(struct lst_test_ping_param *param,
 {
        struct test_ping_req *prq = &req->tsr_u.ping;
 
-        prq->png_size   = param->png_size;
-        prq->png_flags  = param->png_flags;
-        /* TODO dest */
-        return 0;
+       if (param) {
+               prq->png_size   = param->png_size;
+               prq->png_flags  = param->png_flags;
+       } else {
+               prq->png_size   = 0;
+               prq->png_flags  = 0;
+       }
+       /* TODO dest */
+       return 0;
 }
 
 static int
@@ -898,12 +903,17 @@ lstcon_testrpc_prep(struct lstcon_node *nd, int transop, unsigned int feats,
         trq->tsr_stop_onerr = !!test->tes_stop_onerr;
 
         switch (test->tes_type) {
-        case LST_TEST_PING:
-                trq->tsr_service = SRPC_SERVICE_PING;
-               rc = lstcon_pingrpc_prep((struct lst_test_ping_param *)
-                                        &test->tes_param[0], trq);
-               break;
+       case LST_TEST_PING: {
+               struct lst_test_ping_param *data = NULL;
+
+               trq->tsr_service = SRPC_SERVICE_PING;
+               if (test->tes_paramlen)
+                       data = ((struct lst_test_ping_param *)
+                               &test->tes_param[0]);
 
+               rc = lstcon_pingrpc_prep(data, trq);
+               break;
+       }
        case LST_TEST_BULK:
                trq->tsr_service = SRPC_SERVICE_BRW;
                if ((feats & LST_FEAT_BULK_LEN) == 0) {

diff --git a/lnet/utils/lst.c b/lnet/utils/lst.c
index 1017b4e..efdbb50 100644 (file)
--- a/lnet/utils/lst.c
+++ b/lnet/utils/lst.c
@@ -3266,6 +3266,7 @@ int
 lst_get_test_param(char *test, int argc, char **argv, void **param, int *plen)
 {
        struct lst_test_bulk_param *bulk = NULL;
+       struct lst_test_ping_param *ping = NULL;
         int                    type;
 
         type = lst_test_name2type(test);
@@ -3276,7 +3277,18 @@ lst_get_test_param(char *test, int argc, char **argv, void **param, int *plen)
 
         switch (type) {
         case LST_TEST_PING:
-                break;
+               /* unused but needs for kernel part */
+               ping = malloc(sizeof(*ping));
+               if (ping == NULL) {
+                       fprintf(stderr, "Out of memory\n");
+                       return -1;
+               }
+               memset(ping, 0, sizeof(*ping));
+
+               *param = ping;
+               *plen  = sizeof(*ping);
+
+               break;
 
         case LST_TEST_BULK:
                 bulk = malloc(sizeof(*bulk));