rpms / glusterfs

Clone
Source Code
GIT

Blame SOURCES/0395-index-prevent-arbitrary-file-creation-outside-entry-.patch

c4 c5 c5-plus c6 c6-plus c6-sig-storage-gluster-5 c6-sig-storage-gluster-6 c6-sig-storage-gluster-7 c7 c7-alt c7-atomic c7-beta c7-sig-storage-gluster-5 c7-sig-storage-gluster-6 c7-sig-storage-gluster-7 c7-sig-storage-gluster-8 c7-sig-storage-gluster-9 c8 c8-beta c8-sig-storage-gluster-10 c8-sig-storage-gluster-6 c8-sig-storage-gluster-7 c8-sig-storage-gluster-8 c8-sig-storage-gluster-9 c8s c8s-sig-storage-gluster-10 c8s-sig-storage-gluster-11 c8s-sig-storage-gluster-8 c8s-sig-storage-gluster-9 c9 c9-beta c9s-sig-storage-gluster-10 c9s-sig-storage-gluster-11 c9s-sig-storage-gluster-9
  1.   95c1caaa9714d055b68f8c65c5efc8e84d2991da
  2.   SOURCES
  3.   0395-index-prevent-arbitrary-file-creation-outside-entry-.patch
Blob History Raw
e7a346 
From d5c5cbe82ef0f7bf8686e71cf08b92e7baf62f55 Mon Sep 17 00:00:00 2001
e7a346 
From: Ravishankar N <ravishankar@redhat.com>
e7a346 
Date: Sat, 6 Oct 2018 00:50:53 +0530
e7a346 
Subject: [PATCH 395/399] index: prevent arbitrary file creation outside
e7a346 
 entry-changes folder
e7a346
e7a346 
Problem:
e7a346 
A compromised client can set arbitrary values for the GF_XATTROP_ENTRY_IN_KEY
e7a346 
and GF_XATTROP_ENTRY_OUT_KEY during xattrop fop. These values are
e7a346 
consumed by index as a filename to be created/deleted according to the key.
e7a346 
Thus it is possible to create/delete random files even outside the gluster
e7a346 
volume boundary.
e7a346
e7a346 
Fix:
e7a346 
Index expects the filename to be a basename, i.e. it must not contain any
e7a346 
pathname components like "/" or "../". Enforce this.
e7a346
e7a346 
Fixes: CVE-2018-14654
e7a346 
BUG: 1634671
e7a346 
Change-Id: Ib01c35414c36e3101af9e99a1ea17535ef8bd3b3
e7a346 
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
e7a346 
Reviewed-on: https://code.engineering.redhat.com/gerrit/151985
e7a346 
Reviewed-by: Amar Tumballi <amarts@redhat.com>
e7a346 
Reviewed-by: Sunil Kumar Heggodu Gopala Acharya <sheggodu@redhat.com>
e7a346 
---
e7a346 
 xlators/features/index/src/index.c | 19 +++++++++++++++++++
e7a346 
 1 file changed, 19 insertions(+)
e7a346
e7a346 
diff --git a/xlators/features/index/src/index.c b/xlators/features/index/src/index.c
e7a346 
index bf3f4dd..89cdbda 100644
e7a346 
--- a/xlators/features/index/src/index.c
e7a346 
+++ b/xlators/features/index/src/index.c
e7a346 
@@ -852,6 +852,15 @@ index_entry_create (xlator_t *this, inode_t *inode, char *filename)
e7a346 
                 ctx->state[ENTRY_CHANGES] = IN;
e7a346 
         }
e7a346
e7a346 
+        if  (strchr (filename, '/')) {
e7a346 
+                gf_msg (this->name, GF_LOG_ERROR, EINVAL,
e7a346 
+                        INDEX_MSG_INDEX_ADD_FAILED,
e7a346 
+                        "Got invalid entry (%s) for pargfid path (%s)",
e7a346 
+                        filename, pgfid_path);
e7a346 
+                op_errno = EINVAL;
e7a346 
+                goto out;
e7a346 
+        }
e7a346 
+
e7a346 
         op_errno = 0;
e7a346
e7a346 
         snprintf (entry_path, sizeof(entry_path), "%s/%s", pgfid_path,
e7a346 
@@ -886,6 +895,16 @@ index_entry_delete (xlator_t *this, uuid_t pgfid, char *filename)
e7a346
e7a346 
         make_gfid_path (priv->index_basepath, ENTRY_CHANGES_SUBDIR, pgfid,
e7a346 
                         pgfid_path, sizeof (pgfid_path));
e7a346 
+
e7a346 
+        if  (strchr (filename, '/')) {
e7a346 
+                gf_msg (this->name, GF_LOG_ERROR, EINVAL,
e7a346 
+                        INDEX_MSG_INDEX_DEL_FAILED,
e7a346 
+                        "Got invalid entry (%s) for pargfid path (%s)",
e7a346 
+                        filename, pgfid_path);
e7a346 
+                op_errno = EINVAL;
e7a346 
+                goto out;
e7a346 
+        }
e7a346 
+
e7a346 
         snprintf (entry_path, sizeof(entry_path), "%s/%s", pgfid_path,
e7a346 
                   filename);
e7a346
e7a346 
--
e7a346 
1.8.3.1
e7a346

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation