From b29b4b4ec846861c975bfa580386d25d48eaa087 Mon Sep 17 00:00:00 2001
From: Ravishankar N <ravishankar@redhat.com>
Date: Mon, 8 Oct 2018 11:04:14 +0530
Subject: [PATCH 397/399] features/locks: add buffer overflow checks in
 pl_getxattr

Problem:
A compromised client can send a variable length buffer value for the
GF_XATTR_CLRLK_CMD virtual xattr. If the length is greater than the
size of the "key" used to send the response back, locks xlator can
segfault when it tries to do a dict_set because of the buffer overflow
in strncpy of pl_getxattr().

Fix:
Perform size checks while forming the 'key'.

Note:
This fix is already there in the master branch upstream.

Also, it looks like the size PATH_MAX used for 'key' array is not really
needed since the maximum length seems to be
"strlen(glusterfs.clrlk.tentry.kblocked) + NAME_MAX" where NAME_MAX is
used for the basename value in the clear-locks CLI:

'gluster volume clear-locks VOLNAME path kind {blocked | granted | all} {inode range | entry basename | posix range}'

But that can be done some other day.

Fixes: CVE-2018-14652
BUG: 1634669
Change-Id: I101693e91f9ea2bd26cef6c0b7d82527fefcb3e2
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/152038
Reviewed-by: Amar Tumballi <amarts@redhat.com>
Reviewed-by: Krutika Dhananjay <kdhananj@redhat.com>
Reviewed-by: Sunil Kumar Heggodu Gopala Acharya <sheggodu@redhat.com>
---
 xlators/features/locks/src/posix.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/xlators/features/locks/src/posix.c b/xlators/features/locks/src/posix.c
index 63bcf31..63f914c 100644
--- a/xlators/features/locks/src/posix.c
+++ b/xlators/features/locks/src/posix.c
@@ -1120,7 +1120,10 @@ pl_getxattr (call_frame_t *frame, xlator_t *this, loc_t *loc,
                 goto out;
         }
 
-        strncpy (key, name, strlen (name));
+        if (snprintf(key, sizeof(key), "%s", name) >= sizeof(key)) {
+                op_ret = -1;
+                goto out;
+        }
         if (dict_set_dynstr (dict, key, lk_summary)) {
                 op_ret = -1;
                 op_errno = ENOMEM;
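Review bot: the new overflow branch sets `op_ret = -1;` but never assigns op_errno, so the unwind reports whatever value op_errno was initialised to earlier in the function (not visible in this hunk); set it explicitly in the branch, for example `op_errno = ENAMETOOLONG;` (or EINVAL), the same way the dict_set_dynstr failure right below sets `op_errno = ENOMEM;`. Minor: snprintf returns int while sizeof(key) is size_t, so the `>=` compares signed with unsigned; storing the return in an int and checking `ret < 0 || (size_t)ret >= sizeof(key)` keeps the check warning-free and also covers a negative return. Style: the surrounding code writes `strncpy (key, ...` and `dict_set_dynstr (dict, ...` with a space before the parenthesis, while the new line uses `snprintf(key, ...`.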
-- 
1.8.3.1