!59 [sync] PR-57: fix CVE-2022-48340

From: @openeuler-sync-bot 
Reviewed-by: @swf504 
Signed-off-by: @swf504

0002-upcall-internal.c-fix-debug-log-message-3651.patch

@@ -0,0 +1,30 @@
+From 46c38878bfec3d4089cec193faef2a6cfec35463 Mon Sep 17 00:00:00 2001
+From: Yaniv Kaul <ykaul@redhat.com>
+Date: Tue, 19 Jul 2022 07:45:03 +0300
+Subject: [PATCH] upcall-internal.c: fix debug log message (#3651)
+
+It was meant to print linked_inode, not inode.
+
+Fixes: #3647
+Signed-off-by: Yaniv Kaul <ykaul@redhat.com>
+
+---
+ xlators/features/upcall/src/upcall-internal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/xlators/features/upcall/src/upcall-internal.c b/xlators/features/upcall/src/upcall-internal.c
+index 978825f..83aca92 100644
+--- a/xlators/features/upcall/src/upcall-internal.c
++++ b/xlators/features/upcall/src/upcall-internal.c
+@@ -500,7 +500,7 @@ upcall_cache_invalidate(call_frame_t *frame, xlator_t *this, client_t *client,
+         linked_inode = inode_find(inode->table, stbuf->ia_gfid);
+         if (linked_inode) {
+             gf_log("upcall", GF_LOG_DEBUG,
+-                   "upcall_inode_ctx_get of linked inode (%p)", inode);
++                   "upcall_inode_ctx_get of linked inode (%p)", linked_inode);
+             up_inode_ctx = upcall_inode_ctx_get(linked_inode, this);
+         }
+     }
+-- 
+2.23.0
+

0003-SC2081-can-t-match-globs-Use-or-grep.patch

@@ -0,0 +1,34 @@
+From 396f52a60bbe5eba0075b1658d84e46cbf7461ab Mon Sep 17 00:00:00 2001
+From: zhanchengbin <zhanchengbin1@huawei.com>
+Date: Thu, 13 Oct 2022 10:34:52 +0800
+Subject: [PATCH] SC2081: [ .. ] can't match globs. Use [[ .. ]] or grep.
+
+Shellcheck check out a problem.
+
+Signed-off-by: zhanchengbin <zhanchengbin1@huawei.com>
+---
+ .../add-brick/post/disabled-quota-root-xattr-heal.sh          | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/extras/hook-scripts/add-brick/post/disabled-quota-root-xattr-heal.sh b/extras/hook-scripts/add-brick/post/disabled-quota-root-xattr-heal.sh
+index ca17a90..969d6fc 100755
+--- a/extras/hook-scripts/add-brick/post/disabled-quota-root-xattr-heal.sh
++++ b/extras/hook-scripts/add-brick/post/disabled-quota-root-xattr-heal.sh
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/bash
+ 
+ ##---------------------------------------------------------------------------
+ ## This script updates the 'limit-set' xattr on the newly added node. Please
+@@ -106,7 +106,7 @@ ENABLED_STATE_1="${GLUSTERD_WORKDIR}/hooks/${VERSION}/${VOLUME_OP}/"
+ ENABLED_STATE_2="post/${ENABLED_NAME_PREFIX}${VOL_NAME}-${ENABLED_NAME}"
+ ENABLED_STATE="${ENABLED_STATE_1}${ENABLED_STATE_2}"
+ 
+-if [ "${THIS_SCRIPT}" != *"${VOL_NAME}"* ]; then
++if [[ "${THIS_SCRIPT}" != *"${VOL_NAME}"* ]]; then
+   exit 0
+ fi
+ 
+-- 
+2.37.3
+

0004-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch

@@ -0,0 +1,65 @@
+From fd8662d4bac4641a855fbb3edd316d2e60ac6c51 Mon Sep 17 00:00:00 2001
+From: mohit84 <moagrawa@redhat.com>
+Date: Thu, 2 Mar 2023 02:58:57 +0530
+Subject: [PATCH] fuse: Resolve asan bug in during receive event notification
+ (#4019)
+
+The fuse xlator notify function tries to assign data object
+to graph object without checking an event. In case of upcall
+event data object represents upcall object so during access
+of graph object the process is crashed for asan build.
+
+Solution: Access the graph->id only while event is associated
+          specific to fuse xlator
+
+Fixes: #3954
+Change-Id: I6b2869256b26d22163879737dcf163510d1cd8bf
+Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
+---
+ xlators/mount/fuse/src/fuse-bridge.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
+index 11b38f6..ca21801 100644
+--- a/xlators/mount/fuse/src/fuse-bridge.c
++++ b/xlators/mount/fuse/src/fuse-bridge.c
+@@ -6262,6 +6262,7 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+     int32_t ret = 0;
+     fuse_private_t *private = NULL;
+     gf_boolean_t start_thread = _gf_false;
++    gf_boolean_t event_graph = _gf_true;
+     glusterfs_graph_t *graph = NULL;
+ 
+    private
+@@ -6269,9 +6270,6 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+ 
+     graph = data;
+ 
+-    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
+-           ((graph) ? graph->id : 0));
+-
+     switch (event) {
+         case GF_EVENT_GRAPH_NEW:
+             break;
+@@ -6335,9 +6333,18 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+         }
+ 
+         default:
++            /* Set the event_graph to false so that event
++               debug msg would not try to access invalid graph->id
++               while data object is not matched to graph object
++               for ex in case of upcall event data object represents
++               gf_upcall object
++            */
++            event_graph = _gf_false;
+             break;
+     }
+ 
++    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
++           ((graph && event_graph) ? graph->id : -1));
+     return ret;
+ }
+ 
+-- 
+2.33.0
+

0005-timer-fix-event-destruction-race.patch

@@ -0,0 +1,62 @@
+From dde289ad39278a6a18f4141f61a08df9d7020b56 Mon Sep 17 00:00:00 2001
+From: Xavi Hernandez <xhernandez@redhat.com>
+Date: Thu, 19 Dec 2019 11:58:54 +0100
+Subject: [PATCH] timer: fix event destruction race
+
+In current timer implementation, each event has an absolute time at which
+it will be fired. When the first timer of the queue has not elapsed yet,
+a pthread_cond_timedwait() is used to wait until the expected time.
+
+Apparently that's fine. However the time passed to that function was a
+pointer to the timespec structure contained in the event itself. This is
+problematic because of how pthread_cond_timedwait() works internally.
+
+Simplifying a bit, pthread_cond_timedwait() basically queues itself as a
+waiter for the given condition variable and releases the mutex. Then it
+does the timed wait using the passed value.
+
+With that in mind, the follwing case is possible:
+
+   Timer Thread                            Other Thread
+   ------------                            ------------
+
+					   gf_timer_call_cancel()
+   pthread_mutex_lock()                    |
+                                           + pthread_mutex_lock()
+   event = current_event()                 |
+   pthread_cond_timedwait(&event->at)      |
+   + pthread_mutex_unlock()                |
+   |                                       + remove_event()
+   |                                       + destroy_event()
+   + timed_wait(&event->at)
+
+As we can see, the time is used after it has been destroyed, which means
+we have a use-after-free problem.
+
+This patch fixes the problem by copying the time to a local variable
+before calling pthread_cond_timedwait()
+
+Change-Id: I0f4e8eded24fe3a1276dc75c6cf093bae973d26b
+Signed-off-by: Xavi Hernandez <xhernandez@redhat.com>
+Fixes: bz#1785208
+---
+ libglusterfs/src/timer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libglusterfs/src/timer.c b/libglusterfs/src/timer.c
+index 1e19ffdff2..66c861b04c 100644
+--- a/libglusterfs/src/timer.c
++++ b/libglusterfs/src/timer.c
+@@ -137,7 +137,8 @@ gf_timer_proc(void *data)
+             timespec_now(&now);
+             event = list_first_entry(&reg->active, gf_timer_t, list);
+             if (TS(now) < TS(event->at)) {
+-                pthread_cond_timedwait(&reg->cond, &reg->lock, &event->at);
++                now = event->at;
++                pthread_cond_timedwait(&reg->cond, &reg->lock, &now);
+             } else {
+                 event->fired = _gf_true;
+                 list_del_init(&event->list);
+-- 
+2.33.0
+

0006-dht-fix-asan-use-after-free-bug-4248.patch

@@ -0,0 +1,89 @@
+From 9c580285c32d1e8f684c51cdc3a023319f05b1f8 Mon Sep 17 00:00:00 2001
+From: mohit84 <moagrawa@redhat.com>
+Date: Wed, 25 Oct 2023 11:48:51 +0530
+Subject: [PATCH] dht: fix asan use-after-free bug (#4248)
+
+The client is throwing below stacktrace while asan is enabled. The client is facing
+an issue while application is trying to call removexattr in 2x1 subvol and non-mds
+subvol is down. As we can see in below stacktrace dht_setxattr_mds_cbk is calling
+dht_setxattr_non_mds_cbk and dht_setxattr_non_mds_cbk is trying to wipe local because
+call_cnt is 0 but dht_setxattr_mds_cbk is trying to access frame->local that;s why
+it is crashed.
+
+x621000051c34 is located 1844 bytes inside of 4164-byte region [0x621000051500,0x621000052544) freed by thread T7 here:
+
+Solution: Use switch instead of using if statement to wind a operation, in case of switch
+          the code will not try to access local after wind a operation for last dht subvol.
+
+> Fixes: #3732
+> Change-Id: I031bc814d6df98058430ef4de7040e3370d1c677
+> (Cherry picke from commit 11ff6f56a1e7ad740ffe46e39a5911c9e7367eb6)
+> (Reviwed on upstream link https://github.com/gluster/glusterfs/pull/4242)
+
+Fixes: #3732
+Change-Id: I031bc814d6df98058430ef4de7040e3370d1c677
+
+Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
+---
+ xlators/cluster/dht/src/dht-common.c | 45 ++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 22 deletions(-)
+
+diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c
+index b31b88296b..c5c83c20aa 100644
+--- a/xlators/cluster/dht/src/dht-common.c
++++ b/xlators/cluster/dht/src/dht-common.c
+@@ -3965,28 +3965,29 @@ dht_setxattr_mds_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
+     for (i = 0; i < conf->subvolume_cnt; i++) {
+         if (mds_subvol && (mds_subvol == conf->subvolumes[i]))
+             continue;
+-        if (local->fop == GF_FOP_SETXATTR) {
+-            STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+-                       conf->subvolumes[i]->fops->setxattr, &local->loc,
+-                       local->xattr, local->flags, local->xattr_req);
+-        }
+-
+-        if (local->fop == GF_FOP_FSETXATTR) {
+-            STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+-                       conf->subvolumes[i]->fops->fsetxattr, local->fd,
+-                       local->xattr, local->flags, local->xattr_req);
+-        }
+-
+-        if (local->fop == GF_FOP_REMOVEXATTR) {
+-            STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+-                       conf->subvolumes[i]->fops->removexattr, &local->loc,
+-                       local->key, local->xattr_req);
+-        }
+-
+-        if (local->fop == GF_FOP_FREMOVEXATTR) {
+-            STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+-                       conf->subvolumes[i]->fops->fremovexattr, local->fd,
+-                       local->key, local->xattr_req);
++        switch (local->fop) {
++            case GF_FOP_SETXATTR:
++                STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
++                           conf->subvolumes[i]->fops->setxattr, &local->loc,
++                           local->xattr, local->flags, local->xattr_req);
++                break;
++            case GF_FOP_FSETXATTR:
++                STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
++                           conf->subvolumes[i]->fops->fsetxattr, local->fd,
++                           local->xattr, local->flags, local->xattr_req);
++                break;
++            case GF_FOP_REMOVEXATTR:
++                STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
++                           conf->subvolumes[i]->fops->removexattr, &local->loc,
++                           local->key, local->xattr_req);
++                break;
++            case GF_FOP_FREMOVEXATTR:
++                STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
++                           conf->subvolumes[i]->fops->fremovexattr, local->fd,
++                           local->key, local->xattr_req);
++                break;
++            default:
++                break;
+         }
+     }
+ 
+-- 
+2.33.0
+

glusterfs.spec

@@ -3,7 +3,7 @@
 
 Name:             glusterfs
 Version:          7.0
-Release:          7
+Release:          12
 License:          GPLv2 and LGPLv3+
 Summary:          Aggregating distributed file system
 URL:              http://docs.gluster.org/
@@ -12,6 +12,11 @@ Source7:          glusterfsd.service
 
 Patch0:		  0000-core-fix-memory-pool-management-races.patch
 Patch1:		  0001-geo-rep-Fix-the-name-of-changelog-archive-file.patch
+Patch2:		  0002-upcall-internal.c-fix-debug-log-message-3651.patch
+Patch3:		  0003-SC2081-can-t-match-globs-Use-or-grep.patch
+Patch4:		  0004-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
+Patch5:		  0005-timer-fix-event-destruction-race.patch
+Patch6:           0006-dht-fix-asan-use-after-free-bug-4248.patch
 
 BuildRequires:    systemd bison flex gcc make libtool ncurses-devel readline-devel libattr-devel
 BuildRequires:    libxml2-devel openssl-devel libaio-devel libacl-devel python3-devel git perl
@@ -460,6 +465,21 @@ exit 0
 %{_mandir}/man8/*gluster*.8*
 
 %changelog
+* Wed Nov 22 2023 wangxiaomeng <wangxiaomeng@kylinos.cn> - 7.0-12
+- fix CVE-2022-48340
+
+* Wed Jul 12 2023 wuguanghao <wuguanghao3@huawei.com> - 7.0-11
+- timer: fix event destruction race
+
+* Thu Mar 9 2023 wuguanghao <wuguanghao3@huawei.com> - 7.0-10
+- fix CVE-2023-26253
+
+* Wed Sep 7 2022 zhanchengbin <zhanchengbin1@huawei.com> - 7.0-9
+- SC2081: [ .. ] can't match globs. Use [[ .. ]] or grep.
+
+* Tue Aug 9 2022 liwenchong <liwenchong@kylinos.cn> - 7.0-8
+- fix debug log message
+
 * Tue Jun 8 2021 yanglongkang <yanglongkang@huawei.com> - 7.0-7
 - geo-rep fix the name of changelog archive file