author | Chen Qi <Qi.Chen@windriver.com> | 2018-09-26 10:36:28 +0800 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2018-09-30 21:34:09 -0400 |
commit | f6d23e4364a729006fd655c758e74f1c7e69cf94 (patch) | |
tree | db8a60207009623ebc7ef795bc6d0ab9765cb4d1 /recipes-extended/glusterfs | |
parent | 39e99a2096711591da2ee3379841108173c92d35 (diff) | |
glusterfs: fix CVE-2018-10904
Backport patch to fix the following CVE.
CVE: CVE-2018-10904
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Diffstat (limited to 'recipes-extended/glusterfs')
-rw-r--r-- | recipes-extended/glusterfs/files/0004-io-stats-dump-io-stats-info-in-var-run-gluster.patch | 153 | ||||
-rw-r--r-- | recipes-extended/glusterfs/glusterfs.inc | 1 |
2 files changed, 154 insertions, 0 deletions
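--- /dev/null
+++ b/recipes-extended/glusterfs/files/0004-io-stats-dump-io-stats-info-in-var-run-gluster.patch
@@ -0,0 +1,153 @@
+From 0f9c26d5e3a0d0480ff31a800ca8f31966da10ff Mon Sep 17 00:00:00 2001
+From: Amar Tumballi <amarts@redhat.com>
+Date: Tue, 24 Jul 2018 15:42:28 +0530
+Subject: [PATCH 4/7] io-stats: dump io-stats info in /var/run/gluster
+
+It wouldn't make sense to allow iostats file to be written in
+*any* directory. While the formating makes sure we try to append
+io-stats-name for the file, so overwriting existing file is slim,
+but in any case it makes sense to restrict dumping to one directory.
+
+Below are the sample commands, and files created for the corresponding
+values:
+
+$ setfattr -n trusted.io-stats-dump -v file-for-dump $M0
+
+In this case, the file would be in /var/run/gluster/file-for-dump
+
+$ setfattr -n trusted.io-stats-dump -v /dir1/dir2/file-for-dump $M0
+
+In this case, then the dump file is in /var/run/gluster/dir1-dir2-file-for-dump
+
+Note that the value passed for this virtual xattr would be treated as a
+file, and even if the value has '/' in it, it would be changed to '-'
+for sanity.
+
+Fixes: bz#1625106
+
+Change-Id: Id9ae6a40a190b8937c51662e6e1c2a0f6c86a0e0
+Signed-off-by: Amar Tumballi <amarts@redhat.com>
+
+Upstream-Status: Backport
+
+Fix CVE-2018-10904
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+tests/bugs/core/io-stats-1322825.t | 12 ++++++------
+xlators/debug/io-stats/src/io-stats.c | 34 +++++++++++++++++++++++++---------
+2 files changed, 31 insertions(+), 15 deletions(-)
+
+diff --git a/tests/bugs/core/io-stats-1322825.t b/tests/bugs/core/io-stats-1322825.t
+index d232ecb..53f2d04 100755
+--- a/tests/bugs/core/io-stats-1322825.t
++++ b/tests/bugs/core/io-stats-1322825.t
+@@ -23,7 +23,7 @@ TEST $CLI volume profile $V0 start
+ TEST mkdir $M0/dir1
+ 
+ # Generate the stat dump across the io-stat instances
+-TEST setfattr -n trusted.io-stats-dump -v /tmp/io-stats-1322825 $M0
++TEST setfattr -n trusted.io-stats-dump -v io-stats-1322825 $M0
+ 
+ # Check if $M0 is clean w.r.t xattr information
+ # TODO: if there are better ways to check we really get no attr error, please
+@@ -42,12 +42,12 @@ ret=$(echo $?)
+ EXPECT 0 echo $ret
+ 
+ # Check if we have 5 io-stat files in /tmp
+-EXPECT 5 ls -1 /tmp/io-stats-1322825*
++EXPECT 5 ls -1 /var/run/gluster/io-stats-1322825*
+ # Cleanup the 5 generated files
+-rm -f /tmp/io-stats-1322825*
++rm -f /var/run/gluster/io-stats-1322825*
+ 
+ # Rinse and repeat above for a directory
+-TEST setfattr -n trusted.io-stats-dump -v /tmp/io-stats-1322825 $M0/dir1
++TEST setfattr -n trusted.io-stats-dump -v io-stats-1322825 $M0/dir1
+ getfattr -n trusted.io-stats-dump $B0/${V0}1/dir1 2>&1 | grep -qi "no such attribute"
+ ret=$(echo $?)
+ EXPECT 0 echo $ret
+@@ -61,7 +61,7 @@ getfattr -n trusted.io-stats-dump $B0/${V0}4/dir1 2>&1 | grep -qi "no such attri
+ ret=$(echo $?)
+ EXPECT 0 echo $ret
+ 
+-EXPECT 5 ls -1 /tmp/io-stats-1322825*
+-rm -f /tmp/io-stats-1322825*
++EXPECT 5 ls -1 /var/run/gluster/io-stats-1322825*
++rm -f /var/run/gluster/io-stats-1322825*
+ 
+ cleanup;
+diff --git a/xlators/debug/io-stats/src/io-stats.c b/xlators/debug/io-stats/src/io-stats.c
+index d9d1e1d..72fa39c 100644
+--- a/xlators/debug/io-stats/src/io-stats.c
++++ b/xlators/debug/io-stats/src/io-stats.c
+@@ -45,6 +45,8 @@
+ #define DEFAULT_GRP_BUF_SZ 16384
+ #define IOS_BLOCK_COUNT_SIZE 32
+ 
++#define IOS_STATS_DUMP_DIR DEFAULT_VAR_RUN_DIRECTORY
++
+ typedef enum {
+ IOS_STATS_TYPE_NONE,
+ IOS_STATS_TYPE_OPEN,
+@@ -2999,7 +3001,6 @@ io_stats_fsync (call_frame_t *frame, xlator_t *this,
+ return 0;
+ }
+ 
+-
+ int
+ conditional_dump (dict_t *dict, char *key, data_t *value, void *data)
+ {
+@@ -3012,9 +3013,10 @@ conditional_dump (dict_t *dict, char *key, data_t *value, void *data)
+ char *filename = NULL;
+ FILE *logfp = NULL;
+ struct ios_dump_args args = {0};
+- int pid, namelen;
++ int pid, namelen, dirlen;
+ char dump_key[100];
+ char *slash_ptr = NULL;
++ char *path_in_value = NULL;
+ 
+ stub = data;
+ this = stub->this;
+@@ -3023,16 +3025,30 @@ conditional_dump (dict_t *dict, char *key, data_t *value, void *data)
+ name as well. This helps when there is more than a single io-stats
+ instance in the graph, or the client and server processes are running
+ on the same node */
+- /* hmmm... no check for this */
+- /* name format: <passed in path/filename>.<xlator name slashes to -> */
+- namelen = value->len + strlen (this->name) + 2; /* '.' and '\0' */
++ /* For the sanity of where the file should be located, we should make
++ sure file is written only inside RUNDIR (ie, /var/run/gluster) */
++ /* TODO: provide an option to dump it to different directory of
++ choice, based on options */
++ /* name format: /var/run/gluster/<passed in path/filename>.<xlator name slashes to -> */
++
++ path_in_value = data_to_str (value);
++
++ if (strstr (path_in_value, "../")) {
++ gf_log (this->name, GF_LOG_ERROR,
++ "%s: no \"../\" allowed in path", path_in_value);
++ return -1;
++ }
++ dirlen = strlen (IOS_STATS_DUMP_DIR);
++ namelen = (dirlen + value->len + strlen (this->name) + 3);
++ /* +3 for '/', '.' and '\0' added in snprintf below*/
++
+ filename = alloca0 (namelen);
+- memcpy (filename, data_to_str (value), value->len);
+- memcpy (filename + value->len, ".", 1);
+- memcpy (filename + value->len + 1, this->name, strlen(this->name));
++
++ snprintf (filename, namelen, "%s/%s.%s", IOS_STATS_DUMP_DIR,
++ path_in_value, this->name);
+ 
+ /* convert any slashes to '-' so that fopen works correctly */
+- slash_ptr = strchr (filename + value->len + 1, '/');
++ slash_ptr = strchr (filename + dirlen + 1, '/');
+ while (slash_ptr) {
+ *slash_ptr = '-';
+ slash_ptr = strchr (slash_ptr, '/');
+--
+2.7.4
+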
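Review bot: In the io-stats.c hunk, `path_in_value = data_to_str (value)` is handed straight to strstr and snprintf with no NULL check; whether data_to_str can return NULL for a value reached through this callback is not visible here, but if it can, the guard should read `if (!path_in_value || strstr (path_in_value, "../")) {`. The `"../"` rejection also reads as the sole traversal defence, whereas the actual one is the loop below that rewrites every '/' after the IOS_STATS_DUMP_DIR prefix to '-', so a comment such as `/* defensive: every '/' past IOS_STATS_DUMP_DIR is rewritten to '-' below, so the name cannot leave the dump directory */` would make that dependency explicit for the next maintainer. In the test hunk, the comment `# Check if we have 5 io-stat files in /tmp` is now stale and should say `/var/run/gluster`. The body of conditional_dump starts before and continues past the hunk, so the later fopen and error paths are not reviewable here.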
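--- a/recipes-extended/glusterfs/glusterfs.inc
+++ b/recipes-extended/glusterfs/glusterfs.inc
@@ -26,6 +26,7 @@ SRC_URI += "file://glusterd.init \
 file://0001-dict-handle-negative-key-value-length-while-unserial.patch \
 file://0002-posix-disable-open-read-write-on-special-files.patch \
 file://0003-server-protocol-don-t-allow-.-path-in-name.patch \
+file://0004-io-stats-dump-io-stats-info-in-var-run-gluster.patch \
 "
 
 LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"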