From 2334f5b162e81d81673b59555baaf0a26189e603 Mon Sep 17 00:00:00 2001
From: Susant Palai <spalai@redhat.com>
Date: Mon, 8 Oct 2018 11:38:09 +0530
Subject: [PATCH 398/399] lock: Do not allow meta-lock count to be more than
 one

In the current scheme of glusterfs where lock migration is
experimental, (ideally) the rebalance process which is migrating
the file should request for a metalock. Hence, the metalock count
should not be more than one for an inode. In future, if there is a
need for meta-lock from other clients, this patch can be reverted.

Since pl_metalk is called as part of setxattr operation, any client
process(non-rebalance) residing outside trusted network can exhaust
memory of the server node by issuing setxattr repetitively on the
metalock key. The current patch makes sure that more than
one metalock cannot be granted on an inode.

Fixes: CVE-2018-14660

Change-Id: I5a1dde0b24b0aedcfb29cc89dffc04ccc5a88bcb
BUG: 1636308
Signed-off-by: Susant Palai <spalai@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/152041
Reviewed-by: Amar Tumballi <amarts@redhat.com>
Tested-by: Amar Tumballi <amarts@redhat.com>
Reviewed-by: Sunil Kumar Heggodu Gopala Acharya <sheggodu@redhat.com>
---
 xlators/features/locks/src/posix.c | 36 +++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/xlators/features/locks/src/posix.c b/xlators/features/locks/src/posix.c
index 63f914c..c58e6ba 100644
--- a/xlators/features/locks/src/posix.c
+++ b/xlators/features/locks/src/posix.c
@@ -2938,6 +2938,40 @@ pl_metalk (call_frame_t *frame, xlator_t *this, inode_t *inode)
                 goto out;
         }
 
+        /* Non rebalance process trying to do metalock */
+        if (frame->root->pid != GF_CLIENT_PID_DEFRAG) {
+                ret = -1;
+                goto out;
+        }
+
+
+        /* Note: In the current scheme of glusterfs where lock migration is
+         * experimental, (ideally) the rebalance process which is migrating
+         * the file should request for a metalock. Hence, the metalock count
+         * should not be more than one for an inode. In future, if there is a
+         * need for meta-lock from other clients, the following block can be
+         * removed.
+         *
+         * Since pl_metalk is called as part of setxattr operation, any client
+         * process(non-rebalance) residing outside trusted network can exhaust
+         * memory of the server node by issuing setxattr repetitively on the
+         * metalock key. The following code makes sure that more than
+         * one metalock cannot be granted on an inode*/
+        pthread_mutex_lock (&pl_inode->mutex);
+        {
+                if (pl_metalock_is_active(pl_inode)) {
+                        gf_msg (this->name, GF_LOG_WARNING, EINVAL, 0,
+                                "More than one meta-lock can not be granted on"
+                                "the inode");
+                        ret = -1;
+                }
+        }
+        pthread_mutex_lock (&pl_inode->mutex);
+
+        if (ret == -1) {
+                goto out;
+        }
+
         if (frame->root->client) {
                 ctx = pl_ctx_get (frame->root->client, this);
                 if (!ctx) {
@@ -3118,7 +3152,7 @@ pl_setxattr (call_frame_t *frame, xlator_t *this,
              loc_t *loc, dict_t *dict, int flags, dict_t *xdata)
 {
         int             op_ret          = 0;
-        int             op_errno        = 0;
+        int             op_errno        = EINVAL;
         dict_t          *xdata_rsp      = NULL;
 
         PL_LOCAL_GET_REQUESTS (frame, this, xdata, NULL, loc, NULL);
-- 
1.8.3.1