diff options
| author | Soumya <soumya.sambu@windriver.com> | 2023-04-11 04:07:03 +0000 |
|---|---|---|
| committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2023-04-12 13:08:31 -0400 |
| commit | 589cdff6528b3b677b2a76a18d80694ccd9991fb (patch) | |
| tree | 76d6502422b6649ea88461bd036af1461776b74e | |
| parent | 911bc278afd98987f30cc41913bf051ee1576671 (diff) | |
| download | meta-cloud-services-589cdff6528b3b677b2a76a18d80694ccd9991fb.tar.gz | |
fuse: Fix CVE-2023-26253mickledore
Resolve asan bug in during receive event notification (#4024)
The fuse xlator notify function tries to assign data object to graph
object without checking an event. In case of upcall event data object
represents upcall object so during access of graph object the process
crashed for asan build.
Solution: Access the graph->id only while an event is associated
specifically to fuse xlator
Signed-off-by: Soumya <soumya.sambu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
| -rw-r--r-- | recipes-extended/glusterfs/files/CVE-2023-26253.patch | 76 | ||||
| -rw-r--r-- | recipes-extended/glusterfs/glusterfs.inc | 1 |
2 files changed, 77 insertions, 0 deletions
diff --git a/recipes-extended/glusterfs/files/CVE-2023-26253.patch b/recipes-extended/glusterfs/files/CVE-2023-26253.patch new file mode 100644 index 0000000..828c162 --- /dev/null +++ b/recipes-extended/glusterfs/files/CVE-2023-26253.patch | |||
| @@ -0,0 +1,76 @@ | |||
| 1 | commit 0cbf51a9827af0e3a35f5cfa823bfa39740bbc58 | ||
| 2 | Author: mohit84 <moagrawa@redhat.com> | ||
| 3 | Date: Thu Mar 30 13:02:19 2023 +0530 | ||
| 4 | Subject: [PATCH] fuse: Resolve asan bug in during receive event notification | ||
| 5 | (#4024) | ||
| 6 | |||
| 7 | The fuse xlator notify function tries to assign data object to graph | ||
| 8 | object without checking an event. In case of upcall event data object | ||
| 9 | represents upcall object so during access of graph object the process | ||
| 10 | crashed for asan build. | ||
| 11 | |||
| 12 | Solution: Access the graph->id only while an event is associated | ||
| 13 | specifically to fuse xlator | ||
| 14 | |||
| 15 | > Fixes: #3954 | ||
| 16 | > Change-Id: I6b2869256b26d22163879737dcf163510d1cd8bf | ||
| 17 | > Signed-off-by: Mohit Agrawal moagrawa@redhat.com | ||
| 18 | > (Reviewed on upstream link #4019) | ||
| 19 | |||
| 20 | Fixes: #3954 | ||
| 21 | Change-Id: I6b2869256b26d22163879737dcf163510d1cd8bf | ||
| 22 | |||
| 23 | CVE: CVE-2023-26253 | ||
| 24 | |||
| 25 | Upstream-Status: Backport [https://github.com/gluster/glusterfs/commit/0cbf51a9827af0e3a35f5cfa823bfa39740bbc58] | ||
| 26 | |||
| 27 | Signed-off-by: Soumya <soumya.sambu@windriver.com> | ||
| 28 | --- | ||
| 29 | xlators/mount/fuse/src/fuse-bridge.c | 14 +++++++++++--- | ||
| 30 | 1 file changed, 11 insertions(+), 3 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c | ||
| 33 | index c3945d7..0c01a43 100644 | ||
| 34 | --- a/xlators/mount/fuse/src/fuse-bridge.c | ||
| 35 | +++ b/xlators/mount/fuse/src/fuse-bridge.c | ||
| 36 | @@ -6198,6 +6198,7 @@ notify(xlator_t *this, int32_t event, void *data, ...) | ||
| 37 | int32_t ret = 0; | ||
| 38 | fuse_private_t *private = NULL; | ||
| 39 | gf_boolean_t start_thread = _gf_false; | ||
| 40 | + gf_boolean_t event_graph = _gf_true; | ||
| 41 | glusterfs_graph_t *graph = NULL; | ||
| 42 | |||
| 43 | private | ||
| 44 | @@ -6205,9 +6206,6 @@ notify(xlator_t *this, int32_t event, void *data, ...) | ||
| 45 | |||
| 46 | graph = data; | ||
| 47 | |||
| 48 | - gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event, | ||
| 49 | - ((graph) ? graph->id : 0)); | ||
| 50 | - | ||
| 51 | switch (event) { | ||
| 52 | case GF_EVENT_GRAPH_NEW: | ||
| 53 | break; | ||
| 54 | @@ -6271,9 +6269,19 @@ notify(xlator_t *this, int32_t event, void *data, ...) | ||
| 55 | } | ||
| 56 | |||
| 57 | default: | ||
| 58 | + /* Set the event_graph to false so that event | ||
| 59 | + debug msg would not try to access invalid graph->id | ||
| 60 | + while data object is not matched to graph object | ||
| 61 | + for ex in case of upcall event data object represents | ||
| 62 | + gf_upcall object | ||
| 63 | + */ | ||
| 64 | + event_graph = _gf_false; | ||
| 65 | break; | ||
| 66 | } | ||
| 67 | |||
| 68 | + gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event, | ||
| 69 | + ((graph && event_graph) ? graph->id : -1)); | ||
| 70 | + | ||
| 71 | return ret; | ||
| 72 | } | ||
| 73 | |||
| 74 | -- | ||
| 75 | 2.35.5 | ||
| 76 | |||
diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc index baa8962..e5bedca 100644 --- a/recipes-extended/glusterfs/glusterfs.inc +++ b/recipes-extended/glusterfs/glusterfs.inc | |||
| @@ -20,6 +20,7 @@ SRC_URI += "file://glusterd.init \ | |||
| 20 | file://glusterd-change-port-range.patch \ | 20 | file://glusterd-change-port-range.patch \ |
| 21 | file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \ | 21 | file://configure.ac-allow-PYTHON-values-to-be-passed-via-en.patch \ |
| 22 | file://0001-cli-duplicate-defns-of-cli_default_conn_timeout-and-.patch \ | 22 | file://0001-cli-duplicate-defns-of-cli_default_conn_timeout-and-.patch \ |
| 23 | file://CVE-2023-26253.patch \ | ||
| 23 | " | 24 | " |
| 24 | 25 | ||
| 25 | LICENSE = "(LGPL-3.0-or-later | GPL-2.0-only) & GPL-3.0-or-later & LGPL-3.0-or-later & GPL-2.0-or-later & LGPL-2.0-or-later & LGPL-2.1-or-later & Apache-2.0" | 26 | LICENSE = "(LGPL-3.0-or-later | GPL-2.0-only) & GPL-3.0-or-later & LGPL-3.0-or-later & GPL-2.0-or-later & LGPL-2.0-or-later & LGPL-2.1-or-later & Apache-2.0" |