From d5c5cbe82ef0f7bf8686e71cf08b92e7baf62f55 Mon Sep 17 00:00:00 2001 From: Ravishankar N Date: Sat, 6 Oct 2018 00:50:53 +0530 Subject: [PATCH 395/399] index: prevent arbitrary file creation outside entry-changes folder Problem: A compromised client can set arbitrary values for the GF_XATTROP_ENTRY_IN_KEY and GF_XATTROP_ENTRY_OUT_KEY during xattrop fop. These values are consumed by index as a filename to be created/deleted according to the key. Thus it is possible to create/delete random files even outside the gluster volume boundary. Fix: Index expects the filename to be a basename, i.e. it must not contain any pathname components like "/" or "../". Enforce this. Fixes: CVE-2018-14654 BUG: 1634671 Change-Id: Ib01c35414c36e3101af9e99a1ea17535ef8bd3b3 Signed-off-by: Ravishankar N Reviewed-on: https://code.engineering.redhat.com/gerrit/151985 Reviewed-by: Amar Tumballi Reviewed-by: Sunil Kumar Heggodu Gopala Acharya --- xlators/features/index/src/index.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/xlators/features/index/src/index.c b/xlators/features/index/src/index.c index bf3f4dd..89cdbda 100644 --- a/xlators/features/index/src/index.c +++ b/xlators/features/index/src/index.c @@ -852,6 +852,15 @@ index_entry_create (xlator_t *this, inode_t *inode, char *filename) ctx->state[ENTRY_CHANGES] = IN; } + if (strchr (filename, '/')) { + gf_msg (this->name, GF_LOG_ERROR, EINVAL, + INDEX_MSG_INDEX_ADD_FAILED, + "Got invalid entry (%s) for pargfid path (%s)", + filename, pgfid_path); + op_errno = EINVAL; + goto out; + } + op_errno = 0; snprintf (entry_path, sizeof(entry_path), "%s/%s", pgfid_path, @@ -886,6 +895,16 @@ index_entry_delete (xlator_t *this, uuid_t pgfid, char *filename) make_gfid_path (priv->index_basepath, ENTRY_CHANGES_SUBDIR, pgfid, pgfid_path, sizeof (pgfid_path)); + + if (strchr (filename, '/')) { + gf_msg (this->name, GF_LOG_ERROR, EINVAL, + INDEX_MSG_INDEX_DEL_FAILED, + "Got invalid entry (%s) for pargfid path (%s)", + filename, pgfid_path); + op_errno = EINVAL; + goto out; + } + snprintf (entry_path, sizeof(entry_path), "%s/%s", pgfid_path, filename); -- 1.8.3.1