diff --git a/0002-dht-fix-use-after-free-issue-in-dht_setxattr_mds_cbk.patch b/0002-dht-fix-use-after-free-issue-in-dht_setxattr_mds_cbk.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7bccd677cce93859ad11bfa140ff13ab4643cbc1
--- /dev/null
+++ b/0002-dht-fix-use-after-free-issue-in-dht_setxattr_mds_cbk.patch
@@ -0,0 +1,156 @@
+From c4ea4b415142e2f79df4cef0d32c43cb66200e83 Mon Sep 17 00:00:00 2001
+From: Mohit Agrawal
+Date: Thu, 25 Aug 2022 18:37:32 +0530
+Subject: [PATCH] dht: fix use after free issue in dht_setxattr_mds_cbk
+
+It is a day one bug when a feature was implemented, the
+issue was not caught earlier because the client crash
+depends on the environment.The client was crashing because
+during wind it was not passing cookie and in cbk it
+was trying to access cookie.
+
+Solution: Pass a xlator_t as a cookie during STACK_WIND_COOKIE
+ to avoid a crash.
+
+Fixes: #3732
+Change-Id: I5fd75e90a94d852093dfa40fb37d4211b4e9fdfb
+Signed-off-by: Mohit Agrawal
+---
+ xlators/cluster/dht/src/dht-common.c | 80 +++++++++++++++-------------
+ 1 file changed, 44 insertions(+), 36 deletions(-)
+
+diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c
+index 8f671d213..cbba1ff1b 100644
+--- a/xlators/cluster/dht/src/dht-common.c
++++ b/xlators/cluster/dht/src/dht-common.c
+@@ -3868,13 +3868,15 @@ post_unlock:
+ }
+ if ((local->fop == GF_FOP_SETXATTR) ||
+ (local->fop == GF_FOP_REMOVEXATTR)) {
+- STACK_WIND(frame, dht_common_mds_xattrop_cbk, local->mds_subvol,
+- local->mds_subvol->fops->xattrop, &local->loc,
+- GF_XATTROP_ADD_ARRAY, xattrop, NULL);
++ STACK_WIND_COOKIE(frame, dht_common_mds_xattrop_cbk, frame,
++ local->mds_subvol,
++ local->mds_subvol->fops->xattrop, &local->loc,
++ GF_XATTROP_ADD_ARRAY, xattrop, NULL);
+ } else {
+- STACK_WIND(frame, dht_common_mds_xattrop_cbk, local->mds_subvol,
+- local->mds_subvol->fops->fxattrop, local->fd,
+- GF_XATTROP_ADD_ARRAY, xattrop, NULL);
++ STACK_WIND_COOKIE(frame, dht_common_mds_xattrop_cbk, frame,
++ local->mds_subvol,
++ local->mds_subvol->fops->fxattrop, local->fd,
++ GF_XATTROP_ADD_ARRAY, xattrop, NULL);
+ }
+ } else {
+ if (local->fop == GF_FOP_SETXATTR) {
+@@ -3963,27 +3965,31 @@ dht_setxattr_mds_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
+ if (mds_subvol && (mds_subvol == conf->subvolumes[i]))
+ continue;
+ if (local->fop == GF_FOP_SETXATTR) {
+- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+- conf->subvolumes[i]->fops->setxattr, &local->loc,
+- local->xattr, local->flags, local->xattr_req);
++ STACK_WIND_COOKIE(frame, dht_setxattr_non_mds_cbk, frame,
++ conf->subvolumes[i],
++ conf->subvolumes[i]->fops->setxattr, &local->loc,
++ local->xattr, local->flags, local->xattr_req);
+ }
+
+ if (local->fop == GF_FOP_FSETXATTR) {
+- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+- conf->subvolumes[i]->fops->fsetxattr, local->fd,
+- local->xattr, local->flags, local->xattr_req);
++ STACK_WIND_COOKIE(frame, dht_setxattr_non_mds_cbk, frame,
++ conf->subvolumes[i],
++ conf->subvolumes[i]->fops->fsetxattr, local->fd,
++ local->xattr, local->flags, local->xattr_req);
+ }
+
+ if (local->fop == GF_FOP_REMOVEXATTR) {
+- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+- conf->subvolumes[i]->fops->removexattr, &local->loc,
+- local->key, local->xattr_req);
++ STACK_WIND_COOKIE(frame, dht_setxattr_non_mds_cbk, frame,
++ conf->subvolumes[i],
++ conf->subvolumes[i]->fops->removexattr,
++ &local->loc, local->key, local->xattr_req);
+ }
+
+ if (local->fop == GF_FOP_FREMOVEXATTR) {
+- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+- conf->subvolumes[i]->fops->fremovexattr, local->fd,
+- local->key, local->xattr_req);
++ STACK_WIND_COOKIE(frame, dht_setxattr_non_mds_cbk, frame,
++ conf->subvolumes[i],
++ conf->subvolumes[i]->fops->fremovexattr,
++ local->fd, local->key, local->xattr_req);
+ }
+ }
+
+@@ -4038,27 +4044,27 @@ dht_xattrop_mds_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
+ }
+
+ if (local->fop == GF_FOP_SETXATTR) {
+- STACK_WIND(frame, dht_setxattr_mds_cbk, local->mds_subvol,
+- local->mds_subvol->fops->setxattr, &local->loc, local->xattr,
+- local->flags, local->xattr_req);
++ STACK_WIND_COOKIE(frame, dht_setxattr_mds_cbk, frame, local->mds_subvol,
++ local->mds_subvol->fops->setxattr, &local->loc,
++ local->xattr, local->flags, local->xattr_req);
+ }
+
+ if (local->fop == GF_FOP_FSETXATTR) {
+- STACK_WIND(frame, dht_setxattr_mds_cbk, local->mds_subvol,
+- local->mds_subvol->fops->fsetxattr, local->fd, local->xattr,
+- local->flags, local->xattr_req);
++ STACK_WIND_COOKIE(frame, dht_setxattr_mds_cbk, frame, local->mds_subvol,
++ local->mds_subvol->fops->fsetxattr, local->fd,
++ local->xattr, local->flags, local->xattr_req);
+ }
+
+ if (local->fop == GF_FOP_REMOVEXATTR) {
+- STACK_WIND(frame, dht_setxattr_mds_cbk, local->mds_subvol,
+- local->mds_subvol->fops->removexattr, &local->loc,
+- local->key, local->xattr_req);
++ STACK_WIND_COOKIE(frame, dht_setxattr_mds_cbk, frame, local->mds_subvol,
++ local->mds_subvol->fops->removexattr, &local->loc,
++ local->key, local->xattr_req);
+ }
+
+ if (local->fop == GF_FOP_FREMOVEXATTR) {
+- STACK_WIND(frame, dht_setxattr_mds_cbk, local->mds_subvol,
+- local->mds_subvol->fops->fremovexattr, local->fd, local->key,
+- local->xattr_req);
++ STACK_WIND_COOKIE(frame, dht_setxattr_mds_cbk, frame, local->mds_subvol,
++ local->mds_subvol->fops->fremovexattr, local->fd,
++ local->key, local->xattr_req);
+ }
+
+ return 0;
+@@ -5581,13 +5587,15 @@ dht_dir_common_set_remove_xattr(call_frame_t *frame, xlator_t *this, loc_t *loc,
+ xattr on all non hashed subvol
+ */
+ if (fd) {
+- STACK_WIND(frame, dht_xattrop_mds_cbk, local->mds_subvol,
+- local->mds_subvol->fops->fxattrop, fd,
+- GF_XATTROP_ADD_ARRAY, xattrop, NULL);
++ STACK_WIND_COOKIE(frame, dht_xattrop_mds_cbk, frame,
++ local->mds_subvol,
++ local->mds_subvol->fops->fxattrop, fd,
++ GF_XATTROP_ADD_ARRAY, xattrop, NULL);
+ } else {
+- STACK_WIND(frame, dht_xattrop_mds_cbk, local->mds_subvol,
+- local->mds_subvol->fops->xattrop, loc,
+- GF_XATTROP_ADD_ARRAY, xattrop, NULL);
++ STACK_WIND_COOKIE(frame, dht_xattrop_mds_cbk, frame,
++ local->mds_subvol,
++ local->mds_subvol->fops->xattrop, loc,
++ GF_XATTROP_ADD_ARRAY, xattrop, NULL);
+ }
+ if (xattrop)
+ dict_unref(xattrop);
+--
+2.37.1 (Apple Git-137.1)
+
diff --git a/glusterfs.spec b/glusterfs.spec
index 0e5c7a55916a49cfd132da6632e8a2e409287eeb..eca8246b985c4fbdbcd796869e6bb680bcb0d9a5 100644
--- a/glusterfs.spec
+++ b/glusterfs.spec
@@ -224,7 +224,7 @@
 Summary: Distributed File System
 Name: glusterfs
 Version: 10.3
-Release: 1
+Release: 2
 License: GPLv3 or GPLv2+ or LGPLv3+
 URL: http://docs.gluster.org/
 %if ( 0%{_for_fedora_koji_builds} )
@@ -238,6 +238,7 @@ Source0: https://download.gluster.org/pub/gluster/glusterfs/10/%{versio
 %endif
 Patch1: 0001-SC2081-can-t-match-globs-Use-or-grep.patch
+Patch2: 0002-dht-fix-use-after-free-issue-in-dht_setxattr_mds_cbk.patch
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 BuildRequires: rpcgen gperftools-devel libunwind-devel
@@ -1518,6 +1519,9 @@ exit 0
 %endif
 %changelog
+* Fri Mar 3 2023 wuguanghao - 10.3-2
+- fix CVE-2022-48340
+
 * Mon Dec 5 2022 lihaoxiang - 10.3-1
 - Update to glusterfs-10.3-1
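Review bot: Every new STACK_WIND_COOKIE call in the embedded dht-common.c patch passes `frame` (a `call_frame_t *`, per the callback signatures in the hunk headers) as the cookie, while the commit message says the fix is to pass an `xlator_t`. The callback bodies lie outside these hunks, so this is inferred, but if dht_setxattr_mds_cbk, dht_setxattr_non_mds_cbk and the xattrop callbacks read the cookie as a translator, they would now dereference a frame through the wrong type rather than receive the subvolume. Passing the subvolume that is being wound to would match the stated intent, e.g. `STACK_WIND_COOKIE(frame, dht_setxattr_mds_cbk, local->mds_subvol, local->mds_subvol,` for the MDS winds and `conf->subvolumes[i]` as the cookie inside the non-MDS loop. The spec changelog ties this patch to CVE-2022-48340, so the cookie type should be checked against each callback before the package is released.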