fix CVE-2023-26253

(cherry picked from commit e1f24dfb36ec135204da1c201f4c2c6af51a5e52)
2023-03-09 11:06:13 +08:00 · 2023-03-09 11:06:13 +08:00 · 47b8dfe705
commit 47b8dfe705
parent 26e82bf5d8
2 changed files with 70 additions and 1 deletions
--- a/0004-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
+++ b/0004-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
@ -0,0 +1,65 @@
+From fd8662d4bac4641a855fbb3edd316d2e60ac6c51 Mon Sep 17 00:00:00 2001
+From: mohit84 <moagrawa@redhat.com>
+Date: Thu, 2 Mar 2023 02:58:57 +0530
+Subject: [PATCH] fuse: Resolve asan bug in during receive event notification
+ (#4019)
+
+The fuse xlator notify function tries to assign data object
+to graph object without checking an event. In case of upcall
+event data object represents upcall object so during access
+of graph object the process is crashed for asan build.
+
+Solution: Access the graph->id only while event is associated
+          specific to fuse xlator
+
+Fixes: #3954
+Change-Id: I6b2869256b26d22163879737dcf163510d1cd8bf
+Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
+---
+ xlators/mount/fuse/src/fuse-bridge.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
+index 11b38f6..ca21801 100644
+--- a/xlators/mount/fuse/src/fuse-bridge.c
+++ b/xlators/mount/fuse/src/fuse-bridge.c
+@@ -6262,6 +6262,7 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+     int32_t ret = 0;
+     fuse_private_t *private = NULL;
+     gf_boolean_t start_thread = _gf_false;
+    gf_boolean_t event_graph = _gf_true;
+     glusterfs_graph_t *graph = NULL;
+ 
+    private
+@@ -6269,9 +6270,6 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+ 
+     graph = data;
+ 
+-    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
+-           ((graph) ? graph->id : 0));
+-
+     switch (event) {
+         case GF_EVENT_GRAPH_NEW:
+             break;
+@@ -6335,9 +6333,18 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+         }
+ 
+         default:
+            /* Set the event_graph to false so that event
+               debug msg would not try to access invalid graph->id
+               while data object is not matched to graph object
+               for ex in case of upcall event data object represents
+               gf_upcall object
+            */
+            event_graph = _gf_false;
+             break;
+     }
+ 
+    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
+           ((graph && event_graph) ? graph->id : -1));
+     return ret;
+ }
+ 
+-- 
+2.33.0
+
--- a/glusterfs.spec
+++ b/glusterfs.spec
@ -3,7 +3,7 @@

 Name:             glusterfs
 Version:          7.0
-Release:          9
+Release:          10
 License:          GPLv2 and LGPLv3+
 Summary:          Aggregating distributed file system
 URL:              http://docs.gluster.org/
@ -14,6 +14,7 @@ Patch0:		  0000-core-fix-memory-pool-management-races.patch
 Patch1:		  0001-geo-rep-Fix-the-name-of-changelog-archive-file.patch
 Patch2:		  0002-upcall-internal.c-fix-debug-log-message-3651.patch
 Patch3:		  0003-SC2081-can-t-match-globs-Use-or-grep.patch
+Patch4:           0004-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch

 BuildRequires:    systemd bison flex gcc make libtool ncurses-devel readline-devel libattr-devel
 BuildRequires:    libxml2-devel openssl-devel libaio-devel libacl-devel python3-devel git perl
@ -462,6 +463,9 @@ exit 0
 %{_mandir}/man8/*gluster*.8*

 %changelog
+* Thu Mar 9 2023 wuguanghao <wuguanghao3@huawei.com> - 7.0-10
+- fix CVE-2023-26253
+
 * Wed Sep 7 2022 zhanchengbin <zhanchengbin1@huawei.com> - 7.0-9
 - SC2081: [ .. ] can't match globs. Use [[ .. ]] or grep.