fix CVE-2023-26253

(cherry picked from commit e1f24dfb36ec135204da1c201f4c2c6af51a5e52)
2023-03-09 11:06:13 +08:00 · 2023-03-09 11:06:13 +08:00 · 47b8dfe705
commit 47b8dfe705
parent 26e82bf5d8
2 changed files with 70 additions and 1 deletions
--- a/0004-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
+++ b/0004-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
@ -0,0 +1,65 @@
 From fd8662d4bac4641a855fbb3edd316d2e60ac6c51 Mon Sep 17 00:00:00 2001
 From: mohit84 <moagrawa@redhat.com>
 Date: Thu, 2 Mar 2023 02:58:57 +0530
 Subject: [PATCH] fuse: Resolve asan bug in during receive event notification
 (#4019)
 The fuse xlator notify function tries to assign data object
 to graph object without checking an event. In case of upcall
 event data object represents upcall object so during access
 of graph object the process is crashed for asan build.
 Solution: Access the graph->id only while event is associated
          specific to fuse xlator
 Fixes: #3954
 Change-Id: I6b2869256b26d22163879737dcf163510d1cd8bf
 Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
 ---
 xlators/mount/fuse/src/fuse-bridge.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
 diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
 index 11b38f6..ca21801 100644
 --- a/xlators/mount/fuse/src/fuse-bridge.c
 +++ b/xlators/mount/fuse/src/fuse-bridge.c
@@ -6262,6 +6262,7 @@ notify(xlator_t *this, int32_t event, void *data, ...)
     int32_t ret = 0;
     fuse_private_t *private = NULL;
     gf_boolean_t start_thread = _gf_false;
 +    gf_boolean_t event_graph = _gf_true;
     glusterfs_graph_t *graph = NULL;
    private
@@ -6269,9 +6270,6 @@ notify(xlator_t *this, int32_t event, void *data, ...)
     graph = data;
 -    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
 -           ((graph) ? graph->id : 0));
 -
     switch (event) {
         case GF_EVENT_GRAPH_NEW:
             break;
@@ -6335,9 +6333,18 @@ notify(xlator_t *this, int32_t event, void *data, ...)
         }
         default:
 +            /* Set the event_graph to false so that event
 +               debug msg would not try to access invalid graph->id
 +               while data object is not matched to graph object
 +               for ex in case of upcall event data object represents
 +               gf_upcall object
 +            */
 +            event_graph = _gf_false;
             break;
     }
 +    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
 +           ((graph && event_graph) ? graph->id : -1));
     return ret;
 }
 -- 
 2.33.0
--- a/glusterfs.spec
+++ b/glusterfs.spec
@ -3,7 +3,7 @@
 Name:             glusterfs
 Version:          7.0
-Release:          9
+Release:          10
 License:          GPLv2 and LGPLv3+
 Summary:          Aggregating distributed file system
 URL:              http://docs.gluster.org/
@ -14,6 +14,7 @@ Patch0:		  0000-core-fix-memory-pool-management-races.patch
 Patch1:		  0001-geo-rep-Fix-the-name-of-changelog-archive-file.patch
 Patch2:		  0002-upcall-internal.c-fix-debug-log-message-3651.patch
 Patch3:		  0003-SC2081-can-t-match-globs-Use-or-grep.patch
 Patch4:           0004-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
 BuildRequires:    systemd bison flex gcc make libtool ncurses-devel readline-devel libattr-devel
 BuildRequires:    libxml2-devel openssl-devel libaio-devel libacl-devel python3-devel git perl
@ -462,6 +463,9 @@ exit 0
 %{_mandir}/man8/*gluster*.8*
 %changelog
 * Thu Mar 9 2023 wuguanghao <wuguanghao3@huawei.com> - 7.0-10
 - fix CVE-2023-26253
 * Wed Sep 7 2022 zhanchengbin <zhanchengbin1@huawei.com> - 7.0-9
 - SC2081: [ .. ] can't match globs. Use [[ .. ]] or grep.