887953
From c93ade55ce9794952b372b91aff7bc380b49fd52 Mon Sep 17 00:00:00 2001
887953
From: Amar Tumballi <amarts@redhat.com>
887953
Date: Sun, 7 Oct 2018 11:45:35 +0530
887953
Subject: [PATCH 394/399] io-stats: prevent taking file dump on server side
887953
887953
By allowing clients taking dump in a file on brick process, we are
887953
allowing compromised clients to create io-stats dumps on server,
887953
which can exhaust all the available inodes.
887953
887953
Fixes: CVE-2018-14659
887953
887953
BUG: 1636305
887953
Change-Id: I64fc530363b78f849011eb3c91355566ee0c485b
887953
Signed-off-by: Amar Tumballi <amarts@redhat.com>
887953
Reviewed-on: https://code.engineering.redhat.com/gerrit/152024
887953
Reviewed-by: Sunil Kumar Heggodu Gopala Acharya <sheggodu@redhat.com>
887953
---
887953
 xlators/debug/io-stats/src/io-stats.c | 9 +++++++++
887953
 1 file changed, 9 insertions(+)
887953
887953
diff --git a/xlators/debug/io-stats/src/io-stats.c b/xlators/debug/io-stats/src/io-stats.c
887953
index 16a11df..0f71334 100644
887953
--- a/xlators/debug/io-stats/src/io-stats.c
887953
+++ b/xlators/debug/io-stats/src/io-stats.c
887953
@@ -3022,6 +3022,15 @@ conditional_dump (dict_t *dict, char *key, data_t *value, void *data)
887953
         stub  = data;
887953
         this  = stub->this;
887953
 
887953
+        /* Don't do this on 'brick-side', only do this on client side */
887953
+        /* Addresses CVE-2018-14659 */
887953
+        if (this->ctx->process_mode != GF_CLIENT_PROCESS) {
887953
+                gf_log(this->name, GF_LOG_DEBUG,
887953
+                       "taking io-stats dump using setxattr not permitted on brick."
887953
+                       " Use 'gluster profile' instead");
887953
+                return -1;
887953
+        }
887953
+
887953
         /* Create a file name that is appended with the io-stats instance
887953
         name as well. This helps when there is more than a single io-stats
887953
         instance in the graph, or the client and server processes are running
887953
-- 
887953
1.8.3.1
887953