rpms / glusterfs

Clone
Source Code
GIT

Blame SOURCES/0397-features-locks-add-buffer-overflow-checks-in-pl_getx.patch

c4 c5 c5-plus c6 c6-plus c6-sig-storage-gluster-5 c6-sig-storage-gluster-6 c6-sig-storage-gluster-7 c7 c7-alt c7-atomic c7-beta c7-sig-storage-gluster-5 c7-sig-storage-gluster-6 c7-sig-storage-gluster-7 c7-sig-storage-gluster-8 c7-sig-storage-gluster-9 c8 c8-beta c8-sig-storage-gluster-10 c8-sig-storage-gluster-6 c8-sig-storage-gluster-7 c8-sig-storage-gluster-8 c8-sig-storage-gluster-9 c8s c8s-sig-storage-gluster-10 c8s-sig-storage-gluster-11 c8s-sig-storage-gluster-8 c8s-sig-storage-gluster-9 c9 c9-beta c9s-sig-storage-gluster-10 c9s-sig-storage-gluster-11 c9s-sig-storage-gluster-9
  1.   38347345809a3c9d353b7225971688848978b2f7
  2.   SOURCES
  3.   0397-features-locks-add-buffer-overflow-checks-in-pl_getx.patch
Blob History Raw
887953 
From b29b4b4ec846861c975bfa580386d25d48eaa087 Mon Sep 17 00:00:00 2001
887953 
From: Ravishankar N <ravishankar@redhat.com>
887953 
Date: Mon, 8 Oct 2018 11:04:14 +0530
887953 
Subject: [PATCH 397/399] features/locks: add buffer overflow checks in
887953 
 pl_getxattr
887953
887953 
Problem:
887953 
A compromised client can send a variable length buffer value for the
887953 
GF_XATTR_CLRLK_CMD virtual xattr. If the length is greater than the
887953 
size of the "key" used to send the response back, locks xlator can
887953 
segfault when it tries to do a dict_set because of the buffer overflow
887953 
in strncpy of pl_getxattr().
887953
887953 
Fix:
887953 
Perform size checks while forming the 'key'.
887953
887953 
Note:
887953 
This fix is already there in the master branch upstream.
887953
887953 
Also, it looks like the size PATH_MAX used for 'key' array is not really
887953 
needed since the maximum length seems to be
887953 
"strlen(glusterfs.clrlk.tentry.kblocked) + NAME_MAX" where NAME_MAX is
887953 
used for the basename value in the clear-locks CLI:
887953
887953 
'gluster volume clear-locks VOLNAME path kind {blocked | granted | all} {inode range | entry basename | posix range}'
887953
887953 
But that can be done some other day.
887953
887953 
Fixes: CVE-2018-14652
887953 
BUG: 1634669
887953 
Change-Id: I101693e91f9ea2bd26cef6c0b7d82527fefcb3e2
887953 
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
887953 
Reviewed-on: https://code.engineering.redhat.com/gerrit/152038
887953 
Reviewed-by: Amar Tumballi <amarts@redhat.com>
887953 
Reviewed-by: Krutika Dhananjay <kdhananj@redhat.com>
887953 
Reviewed-by: Sunil Kumar Heggodu Gopala Acharya <sheggodu@redhat.com>
887953 
---
887953 
 xlators/features/locks/src/posix.c | 5 ++++-
887953 
 1 file changed, 4 insertions(+), 1 deletion(-)
887953
887953 
diff --git a/xlators/features/locks/src/posix.c b/xlators/features/locks/src/posix.c
887953 
index 63bcf31..63f914c 100644
887953 
--- a/xlators/features/locks/src/posix.c
887953 
+++ b/xlators/features/locks/src/posix.c
887953 
@@ -1120,7 +1120,10 @@ pl_getxattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
887953 
                 goto out;
887953 
         }
887953
887953 
-        strncpy (key, name, strlen (name));
887953 
+        if (snprintf(key, sizeof(key), "%s", name) >= sizeof(key)) {
887953 
+                op_ret = -1;
887953 
+                goto out;
887953 
+        }
887953 
         if (dict_set_dynstr (dict, key, lk_summary)) {
887953 
                 op_ret = -1;
887953 
                 op_errno = ENOMEM;
887953 
--
887953 
1.8.3.1
887953

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation