Bug 1329726

Summary: ipmitool firewall reset results in segmentation fault
Product: Red Hat Enterprise Linux 6
Reporter: Rachel Sibley <rasibley>
Component: ipmitool
Assignee: Josef Ridky <jridky>
Status: CLOSED WONTFIX
QA Contact: Rachel Sibley <rasibley>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.8
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-25 07:56:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Rachel Sibley 2016-04-22 18:18:05 UTC
Description of problem:
If ipmitool firewall reset is executed without specifying the parameters [<channel H>] [<lun L> [ <netfn N> [<command C [<subfn S>]]]], it will print out a usage message for each lun/netfn pair for all 256 commands; this is a very long list and eventually results in a segmentation fault.

Version-Release number of selected component (if applicable):
~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)
[root@dell-per210-01 ~]# uname -r
2.6.32-642.el6.i686
~]# rpm -q ipmitool
ipmitool-1.8.15-2.el6.i686

How reproducible:
Always

Steps to Reproduce:
1. ipmitool firewall reset

Actual results:
~]# ipmitool firewall reset
Get Command Support (LUN=0, NetFn=46, op=0) command failed: Request data length invalid
Get Configurable Command (LUN=0, NetFn=46, op=0) command failed: Request data length invalid
Get Command Support (LUN=2, NetFn=0, op=0) command failed: Invalid data field in request
Get Configurable Command (LUN=2, NetFn=0, op=0) command failed: Invalid data field in request
Get Command Enables (LUN=2, NetFn=0, op=0) command failed: Invalid data field in request
Get Command Support (LUN=2, NetFn=2, op=0) command failed: Invalid data field in request
Get Configurable Command (LUN=2, NetFn=2, op=0) command failed: Invalid data field in request
Get Command Enables (LUN=2, NetFn=2, op=0) command failed: Invalid data field in request
<snip>
Set Command Sub-function Enables (LUN=3, NetFn=34, command=253) command failed: Invalid data field in request
reset lun 3, netfn 34, command 254, subfn
Set Command Sub-function Enables (LUN=3, NetFn=34, command=254) command failed: Invalid data field in request
reset lun 3, netfn 34, command 255, subfn
Set Command Sub-function Enables (LUN=3, NetFn=34, command=255) command failed: Invalid data field in request
reset lun 3, netfn 34, command
Set Command Enables (LUN=3, NetFn=34, op=0) command failed: Invalid data field in request
reset lun 3, netfn 36, command 0, subfn
Segmentation fault (core dumped)


Expected results:
No segmentation fault; if unsupported, a single usage message should be printed

Additional info:

Comment 2 Boris Ranto 2016-05-31 16:49:02 UTC
I can hit this as well and it is not fixed upstream, yet. The issue seems to be that the cmd pointers for netfn 38 (and onwards) do not point to a valid memory area and once dereferenced lead to a segfault.

Looking further at the code, this is caused by dual meaning of n in the internal functions -- in the function that populates the structures (_gather_info), it means a natural number while in the function that processes it (ipmi_firewall_reset), it denotes an even number (2*n) -- hence, it tries to access memory that is simply out of bounds of what was allocated.

As for the amount of messages, we could limit this a bit if we checked whether it is supported. It did not work 100 % in my tests, but it did take less time and produced less noise. However, I am not sure whether this is desired as 'ipmitool reset firewall' is supposed to reset all the firewall values and this is probably a best effort (albeit brute force) approach to it -- bmc could probably lie about the support, etc...
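
The index mismatch described in comment 2 (n is a slot index in the function that fills the table, but the NetFn value 2*n in the function that walks it) can be modelled in a few lines of C. The following is an illustration added for this page, not ipmitool's code: the function names, the 32-slot table and the per-slot payload are assumptions; the only protocol fact used is that IPMI request NetFns are the even values 0 to 62. Instead of performing the out-of-bounds reads the buggy walk would make, the model counts them, and it shows the bounds-checked lookup a fix would use.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the index mismatch, written for this page; not ipmitool's
 * code. IPMI request NetFns are the even values 0,2,...,62, so a table
 * holding one entry per request NetFn needs 32 slots (assumed layout). */
#define NETFN_MAX   64
#define NETFN_SLOTS (NETFN_MAX / 2)

struct netfn_info {
    unsigned int netfn;   /* the NetFn this slot describes */
    int enabled_cmds;     /* constructed payload standing in for per-command state */
};

struct fw_table {
    struct netfn_info *slot[NETFN_SLOTS];
};

/* Populator: here n is a plain slot index, 0..NETFN_SLOTS-1, and slot n
 * describes NetFn 2n. Returns the number of slots allocated. */
int gather_info(struct fw_table *t)
{
    int n;
    for (n = 0; n < NETFN_SLOTS; n++) {
        struct netfn_info *e = calloc(1, sizeof *e);
        if (e == NULL)
            return n;
        e->netfn = (unsigned int)(2 * n);
        e->enabled_cmds = 256;
        t->slot[n] = e;
    }
    return n;
}

/* Buggy consumer: here n is the NetFn value itself (2*i) but is used as
 * the slot index. Every NetFn >= NETFN_SLOTS would read past the array;
 * the model counts those accesses instead of performing them. */
int buggy_reset_count_oob(const struct fw_table *t)
{
    int oob = 0;
    unsigned int netfn;
    (void)t;
    for (netfn = 0; netfn < NETFN_MAX; netfn += 2)
        if (netfn >= NETFN_SLOTS)   /* t->slot[netfn] is out of bounds */
            oob++;
    return oob;
}

/* The in-bounds part of the buggy walk is silently wrong too: slot[netfn]
 * describes NetFn 2*netfn, so only NetFn 0 lands on the right entry. */
int buggy_wrong_entry_count(const struct fw_table *t)
{
    int wrong = 0;
    unsigned int netfn;
    for (netfn = 0; netfn < NETFN_SLOTS; netfn += 2)
        if (t->slot[netfn]->netfn != netfn)
            wrong++;
    return wrong;
}

/* Fixed lookup: map the NetFn to its slot and bounds-check, returning NULL
 * for anything that has no slot instead of reading past the array. */
struct netfn_info *lookup_netfn(struct fw_table *t, unsigned int netfn)
{
    if (netfn >= NETFN_MAX || (netfn & 1u))
        return NULL;
    return t->slot[netfn / 2];
}

/* Fixed consumer: walks the same NetFn values as the buggy one but only
 * touches slots that exist. Returns the number of entries reset. */
int fixed_reset(struct fw_table *t)
{
    int done = 0;
    unsigned int netfn;
    for (netfn = 0; netfn < NETFN_MAX; netfn += 2) {
        struct netfn_info *e = lookup_netfn(t, netfn);
        if (e == NULL)
            continue;
        e->enabled_cmds = 0;
        done++;
    }
    return done;
}

void free_table(struct fw_table *t)
{
    int n;
    for (n = 0; n < NETFN_SLOTS; n++) {
        free(t->slot[n]);
        t->slot[n] = NULL;
    }
}

int main(void)
{
    struct fw_table t = {{0}};
    printf("slots allocated: %d\n", gather_info(&t));
    printf("NetFns the buggy indexing would read out of bounds: %d\n",
           buggy_reset_count_oob(&t));
    printf("in-bounds lookups that hit the wrong entry: %d\n",
           buggy_wrong_entry_count(&t));
    printf("entries reset by the bounds-checked walk: %d\n", fixed_reset(&t));
    free_table(&t);
    return 0;
}
```

The point of the model is that the crash is only the visible half of the defect: half of the buggy walk reads past the allocation, and the other half reads the wrong entry without any error. A single accessor that owns the NetFn-to-index translation and the bounds check removes both failure modes.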

Comment 3 Boris Ranto 2016-06-01 07:08:42 UTC
Upstream PR:

https://sourceforge.net/p/ipmitool/bugs/446/

Comment 4 Josef Ridky 2017-09-25 07:56:59 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the
Production 3 Phase, Critical impact Security Advisories (RHSAs) and
selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as
they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase
and will be marked as CLOSED/WONTFIX. If this remains a critical
requirement, please contact Red Hat Customer Support to request
a re-evaluation of the issue, citing a clear business justification. Note
that a strong business justification will be required for re-evaluation.
Red Hat Customer Support can be contacted via the Red Hat Customer Portal
at the following URL:

https://access.redhat.com/