[meta-virtualization] [PATCH] glusterfs: Revert a CVE patch, CVE-2018-10924

Hongzhi, Song hongzhi.song at windriver.com
Tue Oct 30 19:30:07 PDT 2018


This is for meta-cloud-services.

--Hongzhi


On 10/31/2018 10:11 AM, Hongzhi.Song wrote:
> The CVE issue exists in v3.12 series and above.
> Introduced by:
> [http://git.gluster.org/cgit/glusterfs.git/commit/?
> id=51dfc9c789b8405f595a337eade938aedcb449c4]
>
> For more information, please see:
> [https://security-tracker.debian.org/tracker/CVE-2018-10924]
>
> Version v3.11.1 doesn't have the issue.
> So we should revert the patch for CVE-2018-10924.
>
> Signed-off-by: Hongzhi.Song <hongzhi.song at windriver.com>
> ---
>   .../0005-cluster-afr-Fix-dict-leak-in-pre-op.patch | 135 ---------------------
>   recipes-extended/glusterfs/glusterfs.inc           |   1 -
>   2 files changed, 136 deletions(-)
>   delete mode 100644 recipes-extended/glusterfs/files/0005-cluster-afr-Fix-dict-leak-in-pre-op.patch
>
> diff --git a/recipes-extended/glusterfs/files/0005-cluster-afr-Fix-dict-leak-in-pre-op.patch b/recipes-extended/glusterfs/files/0005-cluster-afr-Fix-dict-leak-in-pre-op.patch
> deleted file mode 100644
> index d218a22..0000000
> --- a/recipes-extended/glusterfs/files/0005-cluster-afr-Fix-dict-leak-in-pre-op.patch
> +++ /dev/null
> @@ -1,135 +0,0 @@
> -From f4dddd7727988b8077b2da577e195621d5bac9c7 Mon Sep 17 00:00:00 2001
> -From: Chen Qi <Qi.Chen at windriver.com>
> -Date: Tue, 25 Sep 2018 15:23:10 +0800
> -Subject: [PATCH 5/7] cluster/afr: Fix dict-leak in pre-op
> -
> -At the time of pre-op, pre_op_xdata is populted with the xattrs we get from the
> -disk and at the time of post-op it gets over-written without unreffing the
> -previous value stored leading to a leak.
> -This is a regression we missed in
> -https://review.gluster.org/#/q/ba149bac92d169ae2256dbc75202dc9e5d06538e
> -
> -BUG: 1550078
> -Change-Id: I0456f9ad6f77ce6248b747964a037193af3a3da7
> -Signed-off-by: Pranith Kumar K <pkarampu at redhat.com>
> -
> -Upstream-Status: Backport
> -
> -Fix CVE-2018-10924
> -
> -Modified for this old glusterfs version.
> -
> -Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
> ----
> - xlators/cluster/afr/src/afr-common.c      | 14 +++++++-------
> - xlators/cluster/afr/src/afr-transaction.c | 20 ++++++++++----------
> - xlators/cluster/afr/src/afr.h             |  4 ++--
> - 3 files changed, 19 insertions(+), 19 deletions(-)
> -
> -diff --git a/xlators/cluster/afr/src/afr-common.c b/xlators/cluster/afr/src/afr-common.c
> -index 0643204..85150a0 100644
> ---- a/xlators/cluster/afr/src/afr-common.c
> -+++ b/xlators/cluster/afr/src/afr-common.c
> -@@ -1673,13 +1673,13 @@ afr_local_transaction_cleanup (afr_local_t *local, xlator_t *this)
> -         GF_FREE (local->transaction.pre_op);
> -
> -         GF_FREE (local->transaction.pre_op_sources);
> --        if (local->transaction.pre_op_xdata) {
> -+        if (local->transaction.changelog_xdata) {
> -                 for (i = 0; i < priv->child_count; i++) {
> --                        if (!local->transaction.pre_op_xdata[i])
> -+                        if (!local->transaction.changelog_xdata[i])
> -                                 continue;
> --                        dict_unref (local->transaction.pre_op_xdata[i]);
> -+                        dict_unref (local->transaction.changelog_xdata[i]);
> -                 }
> --                GF_FREE (local->transaction.pre_op_xdata);
> -+                GF_FREE (local->transaction.changelog_xdata);
> -         }
> -
> -         GF_FREE (local->transaction.eager_lock);
> -@@ -5396,10 +5396,10 @@ afr_transaction_local_init (afr_local_t *local, xlator_t *this)
> -                 goto out;
> -
> -         if (priv->arbiter_count == 1) {
> --                local->transaction.pre_op_xdata =
> --                        GF_CALLOC (sizeof (*local->transaction.pre_op_xdata),
> -+                local->transaction.changelog_xdata =
> -+                        GF_CALLOC (sizeof (*local->transaction.changelog_xdata),
> -                                    priv->child_count, gf_afr_mt_dict_t);
> --                if (!local->transaction.pre_op_xdata)
> -+                if (!local->transaction.changelog_xdata)
> -                         goto out;
> -
> -                 local->transaction.pre_op_sources =
> -diff --git a/xlators/cluster/afr/src/afr-transaction.c b/xlators/cluster/afr/src/afr-transaction.c
> -index 35621d9..c9a4474 100644
> ---- a/xlators/cluster/afr/src/afr-transaction.c
> -+++ b/xlators/cluster/afr/src/afr-transaction.c
> -@@ -276,9 +276,9 @@ afr_compute_pre_op_sources (call_frame_t *frame, xlator_t *this)
> -         matrix = ALLOC_MATRIX (priv->child_count, int);
> -
> -         for (i = 0; i < priv->child_count; i++) {
> --                if (!local->transaction.pre_op_xdata[i])
> -+                if (!local->transaction.changelog_xdata[i])
> -                         continue;
> --                xdata = local->transaction.pre_op_xdata[i];
> -+                xdata = local->transaction.changelog_xdata[i];
> -                 afr_selfheal_fill_matrix (this, matrix, i, idx, xdata);
> -         }
> -
> -@@ -295,13 +295,6 @@ afr_compute_pre_op_sources (call_frame_t *frame, xlator_t *this)
> -                 for (j = 0; j < priv->child_count; j++)
> -                         if (matrix[i][j] != 0)
> -                                 local->transaction.pre_op_sources[j] = 0;
> --
> --        /*We don't need the xattrs any more. */
> --        for (i = 0; i < priv->child_count; i++)
> --                if (local->transaction.pre_op_xdata[i]) {
> --                        dict_unref (local->transaction.pre_op_xdata[i]);
> --                        local->transaction.pre_op_xdata[i] = NULL;
> --                }
> - }
> -
> - gf_boolean_t
> -@@ -1175,7 +1168,7 @@ afr_changelog_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
> -
> -         if (priv->arbiter_count == 1 && !op_ret) {
> -                 if (xattr)
> --                        local->transaction.pre_op_xdata[child_index] =
> -+                        local->transaction.changelog_xdata[child_index] =
> -                                                                dict_ref (xattr);
> -         }
> -
> -@@ -1608,6 +1601,13 @@ afr_changelog_do (call_frame_t *frame, xlator_t *this, dict_t *xattr,
> - 	local = frame->local;
> - 	priv = this->private;
> -
> -+        for (i = 0; i < priv->child_count; i++) {
> -+                if (local->transaction.changelog_xdata[i]) {
> -+                        dict_unref (local->transaction.changelog_xdata[i]);
> -+                        local->transaction.changelog_xdata[i] = NULL;
> -+                }
> -+        }
> -+
> -         ret = afr_changelog_prepare (this, frame, &call_count, changelog_resume,
> -                                      op, &xdata, &newloc_xdata);
> -
> -diff --git a/xlators/cluster/afr/src/afr.h b/xlators/cluster/afr/src/afr.h
> -index cf736ed..2854153 100644
> ---- a/xlators/cluster/afr/src/afr.h
> -+++ b/xlators/cluster/afr/src/afr.h
> -@@ -737,8 +737,8 @@ typedef struct _afr_local {
> -
> -                 unsigned char   *pre_op;
> -
> --                /* For arbiter configuration only. */
> --                dict_t **pre_op_xdata;
> -+                /* Changelog xattr dict for [f]xattrop*/
> -+                dict_t **changelog_xdata;
> -                 unsigned char *pre_op_sources;
> -
> - 		/* @failed_subvols: subvolumes on which a pre-op or a
> ---
> -2.7.4
> -
> diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
> index 8243f28..f7d3cc3 100644
> --- a/recipes-extended/glusterfs/glusterfs.inc
> +++ b/recipes-extended/glusterfs/glusterfs.inc
> @@ -27,7 +27,6 @@ SRC_URI += "file://glusterd.init \
>               file://0002-posix-disable-open-read-write-on-special-files.patch \
>               file://0003-server-protocol-don-t-allow-.-path-in-name.patch \
>               file://0004-io-stats-dump-io-stats-info-in-var-run-gluster.patch \
> -            file://0005-cluster-afr-Fix-dict-leak-in-pre-op.patch \
>               file://0006-posix-remove-not-supported-get-set-content.patch \
>               file://0007-protocol-don-t-use-alloca.patch \
>              "
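Review bot: Dropping `0005-cluster-afr-Fix-dict-leak-in-pre-op.patch` from `SRC_URI` leaves nothing in `glusterfs.inc` that records why CVE-2018-10924 is treated as not applicable, so a later CVE audit is likely to re-add the backport. I would add a comment above the `SRC_URI +=` assignment, for example `# CVE-2018-10924: not applicable to v3.11.1; affects v3.12 and above (introduced by upstream 51dfc9c789b8)`. The commit message names 51dfc9c789b8 as the introducing change, while the removed patch's own description points at ba149bac92d1 as the regression it fixes, so it is worth confirming against the 3.11.1 source that the affected code is absent rather than relying on the version number alone. The removed backport also appears to add an unguarded walk of `local->transaction.changelog_xdata` in `afr_changelog_do`, while the allocation shown in `afr_transaction_local_init` stays under `priv->arbiter_count == 1`. Both functions continue outside the quoted hunks, but if that reading holds, stating it in the commit message would strengthen the rationale for the revert.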


