packages/glusterfs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!61 [sync] PR-60: fix CVE-2022-48340

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @swf504 
Signed-off-by: @swf504
This commit is contained in:
openeuler-ci-bot 2024-03-12 11:44:31 +00:00 committed by Gitee
commit 02f5f3a680
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 94 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
0003-dht-fix-asan-use-after-free-bug-4248.patch Normal file
View File

@ -0,0 +1,89 @@
From 9c580285c32d1e8f684c51cdc3a023319f05b1f8 Mon Sep 17 00:00:00 2001
From: mohit84 <moagrawa@redhat.com>
Date: Wed, 25 Oct 2023 11:48:51 +0530
Subject: [PATCH] dht: fix asan use-after-free bug (#4248)
The client is throwing below stacktrace while asan is enabled. The client is facing
an issue while application is trying to call removexattr in 2x1 subvol and non-mds
subvol is down. As we can see in below stacktrace dht_setxattr_mds_cbk is calling
dht_setxattr_non_mds_cbk and dht_setxattr_non_mds_cbk is trying to wipe local because
call_cnt is 0 but dht_setxattr_mds_cbk is trying to access frame->local that;s why
it is crashed.
x621000051c34 is located 1844 bytes inside of 4164-byte region [0x621000051500,0x621000052544) freed by thread T7 here:
Solution: Use switch instead of using if statement to wind a operation, in case of switch
the code will not try to access local after wind a operation for last dht subvol.
> Fixes: #3732
> Change-Id: I031bc814d6df98058430ef4de7040e3370d1c677
> (Cherry picke from commit 11ff6f56a1e7ad740ffe46e39a5911c9e7367eb6)
> (Reviwed on upstream link https://github.com/gluster/glusterfs/pull/4242)
Fixes: #3732
Change-Id: I031bc814d6df98058430ef4de7040e3370d1c677
Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
---
xlators/cluster/dht/src/dht-common.c | 45 ++++++++++++++--------------
1 file changed, 23 insertions(+), 22 deletions(-)
diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c
index b31b88296b..c5c83c20aa 100644
--- a/xlators/cluster/dht/src/dht-common.c
+++ b/xlators/cluster/dht/src/dht-common.c
@@ -3965,28 +3965,29 @@ dht_setxattr_mds_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
for (i = 0; i < conf->subvolume_cnt; i++) {
if (mds_subvol && (mds_subvol == conf->subvolumes[i]))
continue;
- if (local->fop == GF_FOP_SETXATTR) {
- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
- conf->subvolumes[i]->fops->setxattr, &local->loc,
- local->xattr, local->flags, local->xattr_req);
- }
-
- if (local->fop == GF_FOP_FSETXATTR) {
- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
- conf->subvolumes[i]->fops->fsetxattr, local->fd,
- local->xattr, local->flags, local->xattr_req);
- }
-
- if (local->fop == GF_FOP_REMOVEXATTR) {
- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
- conf->subvolumes[i]->fops->removexattr, &local->loc,
- local->key, local->xattr_req);
- }
-
- if (local->fop == GF_FOP_FREMOVEXATTR) {
- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
- conf->subvolumes[i]->fops->fremovexattr, local->fd,
- local->key, local->xattr_req);
+ switch (local->fop) {
+ case GF_FOP_SETXATTR:
+ STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+ conf->subvolumes[i]->fops->setxattr, &local->loc,
+ local->xattr, local->flags, local->xattr_req);
+ break;
+ case GF_FOP_FSETXATTR:
+ STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+ conf->subvolumes[i]->fops->fsetxattr, local->fd,
+ local->xattr, local->flags, local->xattr_req);
+ break;
+ case GF_FOP_REMOVEXATTR:
+ STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+ conf->subvolumes[i]->fops->removexattr, &local->loc,
+ local->key, local->xattr_req);
+ break;
+ case GF_FOP_FREMOVEXATTR:
+ STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+ conf->subvolumes[i]->fops->fremovexattr, local->fd,
+ local->key, local->xattr_req);
+ break;
+ default:
+ break;
}
}
--
2.33.0

6
glusterfs.spec
View File

@ -224,7 +224,7 @@
Summary: Distributed File System Summary: Distributed File System
Name: glusterfs Name: glusterfs
Version: 10.0 Version: 10.0
Release: 8 Release: 9
License: GPLv3 or GPLv2+ or LGPLv3+ License: GPLv3 or GPLv2+ or LGPLv3+
URL: http://docs.gluster.org/ URL: http://docs.gluster.org/
%if ( 0%{_for_fedora_koji_builds} ) %if ( 0%{_for_fedora_koji_builds} )
@ -239,6 +239,7 @@ Source0: https://download.gluster.org/pub/gluster/glusterfs/10/10.0/glu
Patch1: 0001-SC2081-can-t-match-globs-Use-or-grep.patch Patch1: 0001-SC2081-can-t-match-globs-Use-or-grep.patch
Patch2: 0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch Patch2: 0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
Patch3: 0003-dht-fix-asan-use-after-free-bug-4248.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: rpcgen gperftools-devel libunwind-devel BuildRequires: rpcgen gperftools-devel libunwind-devel
@ -1521,6 +1522,9 @@ exit 0
%{_mandir}/man8/*gluster*.8* %{_mandir}/man8/*gluster*.8*
%changelog %changelog
* Tue Mar 12 2024 wuguanghao <wuguanghao3@huawei.com> - 10.0-9
- fix CVE-2022-48340
* Thu Mar 9 2023 wuguanghao <wuguanghao3@huawei.com> - 10.0-8 * Thu Mar 9 2023 wuguanghao <wuguanghao3@huawei.com> - 10.0-8
- fix CVE-2023-26253 - fix CVE-2023-26253