[meta-virtualization] [m-c-s][PATCH 3/7] glusterfs: backport patch to fix a few CVEs

Chen Qi Qi.Chen at windriver.com
Tue Sep 25 19:36:27 PDT 2018


Backport a patch to fix the following CVEs.

CVE: CVE-2018-10926
CVE: CVE-2018-10927
CVE: CVE-2018-10928
CVE: CVE-2018-10929
CVE: CVE-2018-10930

Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
---
 ...erver-protocol-don-t-allow-.-path-in-name.patch | 73 ++++++++++++++++++++++
 recipes-extended/glusterfs/glusterfs.inc           |  1 +
 2 files changed, 74 insertions(+)
 create mode 100644 recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch

diff --git a/recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch b/recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch
new file mode 100644
index 0000000..e6ef9e3
--- /dev/null
+++ b/recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch
@@ -0,0 +1,73 @@
+From b89658672d137ef56bd0694457b9125bf7d45ba4 Mon Sep 17 00:00:00 2001
+From: Amar Tumballi <amarts at redhat.com>
+Date: Thu, 9 Aug 2018 13:00:01 +0530
+Subject: [PATCH 3/7] server-protocol: don't allow '../' path in 'name'
+
+This will prevent any arbitrary file creation through glusterfs
+by modifying the client bits.
+
+Also check for the similar flaw inside posix too, so we prevent any
+changes in layers in-between.
+
+Fixes: bz#1625095
+
+Signed-off-by: Amar Tumballi <amarts at redhat.com>
+Change-Id: Id9fe0ef6e86459e8ed85ab947d977f058c5ae06e
+
+Upstream-Status: Backport
+
+Fix CVE-2018-10926
+Fix CVE-2018-10927
+Fix CVE-2018-10928
+Fix CVE-2018-10929
+Fix CVE-2018-10930
+
+Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
+---
+ xlators/protocol/server/src/server-resolve.c | 12 ++++++++++++
+ xlators/storage/posix/src/posix-handle.h     |  6 ++++++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/xlators/protocol/server/src/server-resolve.c b/xlators/protocol/server/src/server-resolve.c
+index d0126aa..aa35685 100644
+--- a/xlators/protocol/server/src/server-resolve.c
++++ b/xlators/protocol/server/src/server-resolve.c
+@@ -294,6 +294,18 @@ resolve_entry_simple (call_frame_t *frame)
+         /* expected @parent was found from the inode cache */
+         gf_uuid_copy (state->loc_now->pargfid, resolve->pargfid);
+         state->loc_now->parent = inode_ref (parent);
++
++        if (strstr (resolve->bname, "../")) {
++                /* Resolving outside the parent's tree is not allowed */
++                gf_msg (this->name, GF_LOG_ERROR, EPERM,
++                        PS_MSG_GFID_RESOLVE_FAILED,
++                        "%s: path sent by client not allowed",
++                        resolve->bname);
++                resolve->op_ret   = -1;
++                resolve->op_errno = EPERM;
++                ret = 1;
++                goto out;
++        }
+         state->loc_now->name = resolve->bname;
+ 
+         inode = inode_grep (state->itable, parent, resolve->bname);
+diff --git a/xlators/storage/posix/src/posix-handle.h b/xlators/storage/posix/src/posix-handle.h
+index 9af6a7a..6e7a8d2 100644
+--- a/xlators/storage/posix/src/posix-handle.h
++++ b/xlators/storage/posix/src/posix-handle.h
+@@ -217,6 +217,12 @@
+                 break;                                                  \
+         }                                                               \
+                                                                         \
++        if (strstr (loc->name, "../")) {                                \
++                gf_msg (this->name, GF_LOG_ERROR, 0, P_MSG_ENTRY_HANDLE_CREATE, \
++                        "'../' in name not allowed: (%s)", loc->name); \
++                op_ret = -1;                                            \
++                break;                                                  \
++        }                                                               \
+         if (LOC_HAS_ABSPATH (loc)) {                                    \
+                 MAKE_REAL_PATH (entp, this, loc->path);                 \
+                 __parp = strdupa (entp);                                \
+-- 
+2.7.4
+
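Review bot: The guard added in resolve_entry_simple and in the posix-handle.h macro matches only the substring `../`, so a name that is exactly `..`, or that contains any other `/`, still passes both checks. If `resolve->bname` and `loc->name` are meant to be a single path component, as the surrounding code suggests, a stricter test such as `if (strchr (resolve->bname, '/') || !strcmp (resolve->bname, "..")) {` (and the same on `loc->name`) would reject every multi-component name. Neither hunk shows a NULL check ahead of `strstr`, so confirm the name cannot be NULL at these points. The posix check also sets `op_ret = -1` without an errno and logs with 0, whereas the server side reports EPERM. Both enclosing bodies continue outside the hunks.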
diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc
index e332872..9a92c30 100644
--- a/recipes-extended/glusterfs/glusterfs.inc
+++ b/recipes-extended/glusterfs/glusterfs.inc
@@ -25,6 +25,7 @@ SRC_URI += "file://glusterd.init \
             file://0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch \
             file://0001-dict-handle-negative-key-value-length-while-unserial.patch \
             file://0002-posix-disable-open-read-write-on-special-files.patch \
+            file://0003-server-protocol-don-t-allow-.-path-in-name.patch \
            "
 
 LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0"
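Review bot: The patch wired into SRC_URI here records its CVE ids as `Fix CVE-2018-10926` style lines, while the `CVE: CVE-…` tags appear only in this commit's message. Tooling that scans patch headers for the `CVE:` tag (for example OE-core's cve-check class) would probably not credit the fix and could keep reporting these issues as unpatched. Consider adding `CVE: CVE-2018-10926` and the four sibling tags to the header of the patch file itself. The new file also shares the `0003-` prefix with the existing `0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch` entry, which makes the intended apply order harder to read.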
-- 
2.7.4


