Bug 1329726 - ipmitool firewall reset results in segmentation fault
Summary: ipmitool firewall reset results in segmentation fault
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipmitool
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Josef Ridky
QA Contact: Rachel Sibley
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-22 18:18 UTC by Rachel Sibley
Modified: 2017-09-25 07:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-25 07:56:59 UTC
Target Upstream Version:



Description Rachel Sibley 2016-04-22 18:18:05 UTC
Description of problem:
If ipmitool firewall reset is executed without specifying the parameters [<channel H>] [<lun L> [ <netfn N> [<command C [<subfn S>]]]], it will print out a usage message for each lun/netfn pair for all 256 commands; this is a very long list and eventually results in a segmentation fault.

Version-Release number of selected component (if applicable):
~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.8 (Santiago)
[root@dell-per210-01 ~]# uname -r
2.6.32-642.el6.i686
~]# rpm -q ipmitool
ipmitool-1.8.15-2.el6.i686

How reproducible:
Always

Steps to Reproduce:
1. ipmitool firewall reset

Actual results:
~]# ipmitool firewall reset
Get Command Support (LUN=0, NetFn=46, op=0) command failed: Request data length invalid
Get Configurable Command (LUN=0, NetFn=46, op=0) command failed: Request data length invalid
Get Command Support (LUN=2, NetFn=0, op=0) command failed: Invalid data field in request
Get Configurable Command (LUN=2, NetFn=0, op=0) command failed: Invalid data field in request
Get Command Enables (LUN=2, NetFn=0, op=0) command failed: Invalid data field in request
Get Command Support (LUN=2, NetFn=2, op=0) command failed: Invalid data field in request
Get Configurable Command (LUN=2, NetFn=2, op=0) command failed: Invalid data field in request
Get Command Enables (LUN=2, NetFn=2, op=0) command failed: Invalid data field in request
<snip>
Set Command Sub-function Enables (LUN=3, NetFn=34, command=253) command failed: Invalid data field in request
reset lun 3, netfn 34, command 254, subfn
Set Command Sub-function Enables (LUN=3, NetFn=34, command=254) command failed: Invalid data field in request
reset lun 3, netfn 34, command 255, subfn
Set Command Sub-function Enables (LUN=3, NetFn=34, command=255) command failed: Invalid data field in request
reset lun 3, netfn 34, command
Set Command Enables (LUN=3, NetFn=34, op=0) command failed: Invalid data field in request
reset lun 3, netfn 36, command 0, subfn
Segmentation fault (core dumped)


Expected results:
No segmentation fault; if unsupported, a single usage message should be printed

Additional info:

Comment 2 Boris Ranto 2016-05-31 16:49:02 UTC
I can hit this as well and it is not fixed upstream, yet. The issue seems to be that the cmd pointers for netfn 38 (and onwards) do not point to a valid memory area and once dereferenced lead to a segfault.

Looking further at the code, this is caused by dual meaning of n in the internal functions -- in the function that populates the structures (_gather_info), it means a natural number while in the function that processes it (ipmi_firewall_reset), it denotes an even number (2*n) -- hence, it tries to access memory that is simply out of bounds of what was allocated.

As for the amount of messages, we could limit this a bit if we checked whether it is supported. It did not work 100 % in my tests but it did take less time and produced less noise. However, I am not sure whether this is desired as 'ipmitool reset firewall' is supposed to reset all the firewall values and this is probably a best effort (albeit brute force) approach to it -- the BMC could probably lie about the support, etc...
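The index mismatch described in the comment above, as an added example in C that is not ipmitool's code and not from this bug's participants: a constructed model in which the producer (standing in for _gather_info) fills a table by pair index n, while the consumer (standing in for ipmi_firewall_reset) iterates over the even NetFn value 2*n; the table sizes, struct names and the exact boundary where the buggy index leaves the allocation are assumptions of the model, not ipmitool's layout.

```c
#include <stddef.h>

/* Constructed model (not ipmitool's code) of the two index spaces. IPMI NetFn
 * is a 6-bit value and requests use the even values, so the table is stored
 * per request/response pair; the producer indexes by pair number n, the
 * consumer iterates over the NetFn value 2*n. */
#define MAX_LUN         4
#define MAX_NETFN_PAIRS 32   /* producer's n: pair index 0..31       */
#define MAX_NETFN       64   /* consumer's 2*n: NetFn 0, 2, ..., 62  */

struct netfn_entry { int populated; };

struct firewall_info { struct netfn_entry pair[MAX_LUN][MAX_NETFN_PAIRS]; };

/* Producer (role of _gather_info): n is a plain pair index. */
static void gather_info(struct firewall_info *fw)
{
    for (int lun = 0; lun < MAX_LUN; lun++)
        for (int n = 0; n < MAX_NETFN_PAIRS; n++)
            fw->pair[lun][n].populated = 1;
}

/* Buggy consumer indexing: the NetFn value (2*n) is used as the pair index,
 * which runs past the allocation once netfn >= MAX_NETFN_PAIRS. */
static int index_buggy(int netfn)
{
    return netfn;
}

/* Fixed indexing: map the NetFn value back to its pair index, rejecting
 * odd (response) and out-of-range values instead of dereferencing them. */
static int index_checked(int netfn)
{
    if (netfn < 0 || netfn >= MAX_NETFN || (netfn & 1))
        return -1;
    return netfn / 2;
}

/* Bounds-checked lookup; returns NULL rather than an out-of-bounds pointer. */
static struct netfn_entry *lookup(struct firewall_info *fw, int lun, int netfn)
{
    int n = index_checked(netfn);
    if (lun < 0 || lun >= MAX_LUN || n < 0)
        return NULL;
    return &fw->pair[lun][n];
}
```

With the checked index, the consumer's loop over NetFn 0..62 stays inside the 32 entries the producer filled; with the buggy index it leaves the table at NetFn 32, which is the class of out-of-bounds read that ends in a segfault.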

Comment 3 Boris Ranto 2016-06-01 07:08:42 UTC
Upstream PR:

https://sourceforge.net/p/ipmitool/bugs/446/

Comment 4 Josef Ridky 2017-09-25 07:56:59 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the
Production 3 Phase, Critical impact Security Advisories (RHSAs) and
selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as
they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase
and will be marked as CLOSED/WONTFIX. If this remains a critical
requirement, please contact Red Hat Customer Support to request
a re-evaluation of the issue, citing a clear business justification. Note
that a strong business justification will be required for re-evaluation.
Red Hat Customer Support can be contacted via the Red Hat Customer Portal
at the following URL:

https://access.redhat.com/

