From 27e71274abc6aec1019f72c102f9cf1127b439b9 Mon Sep 17 00:00:00 2001
From: wguanghao
Date: Thu, 9 Mar 2023 11:06:13 +0800
Subject: [PATCH] fix CVE-2023-26253
---
...n-bug-in-during-receive-event-notifi.patch | 65 +++++++++++++++++++
glusterfs.spec | 6 +-
2 files changed, 70 insertions(+), 1 deletion(-)
create mode 100644 0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
diff --git a/0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch b/0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
new file mode 100644
index 0000000..21b319b
--- /dev/null
+++ b/0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
@@ -0,0 +1,65 @@
+From fd8662d4bac4641a855fbb3edd316d2e60ac6c51 Mon Sep 17 00:00:00 2001
+From: mohit84
+Date: Thu, 2 Mar 2023 02:58:57 +0530
+Subject: [PATCH] fuse: Resolve asan bug in during receive event notification
+ (#4019)
+
+The fuse xlator notify function tries to assign data object
+to graph object without checking an event. In case of upcall
+event data object represents upcall object so during access
+of graph object the process is crashed for asan build.
+
+Solution: Access the graph->id only while event is associated
+ specific to fuse xlator
+
+Fixes: #3954
+Change-Id: I6b2869256b26d22163879737dcf163510d1cd8bf
+Signed-off-by: Mohit Agrawal
+---
+ xlators/mount/fuse/src/fuse-bridge.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
+index 11b38f6..ca21801 100644
+--- a/xlators/mount/fuse/src/fuse-bridge.c
++++ b/xlators/mount/fuse/src/fuse-bridge.c
+@@ -6262,6 +6262,7 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+ int32_t ret = 0;
+ fuse_private_t *private = NULL;
+ gf_boolean_t start_thread = _gf_false;
++ gf_boolean_t event_graph = _gf_true;
+ glusterfs_graph_t *graph = NULL;
+
+ private
+@@ -6269,9 +6270,6 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+
+ graph = data;
+
+- gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
+- ((graph) ? graph->id : 0));
+-
+ switch (event) {
+ case GF_EVENT_GRAPH_NEW:
+ break;
+@@ -6335,9 +6333,18 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+ }
+
+ default:
++ /* Set the event_graph to false so that event
++ debug msg would not try to access invalid graph->id
++ while data object is not matched to graph object
++ for ex in case of upcall event data object represents
++ gf_upcall object
++ */
++ event_graph = _gf_false;
+ break;
+ }
+
++ gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
++ ((graph && event_graph) ? graph->id : -1));
+ return ret;
+ }
+
+--
+2.33.0
+
diff --git a/glusterfs.spec b/glusterfs.spec
index cd52f3a..86b6f54 100644
--- a/glusterfs.spec
+++ b/glusterfs.spec
@@ -3,7 +3,7 @@ Name: glusterfs Version: 7.0 -Release: 7 +Release: 8 License: GPLv2 and LGPLv3+ Summary: Aggregating distributed file system URL: http://docs.gluster.org/
@@ -12,6 +12,7 @@ Source7: glusterfsd.service Patch0: 0000-core-fix-memory-pool-management-races.patch Patch1: 0001-geo-rep-Fix-the-name-of-changelog-archive-file.patch +Patch2: 0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch BuildRequires: systemd bison flex gcc make libtool ncurses-devel readline-devel libattr-devel BuildRequires: libxml2-devel openssl-devel libaio-devel libacl-devel python3-devel git perl
@@ -460,6 +461,9 @@ exit 0 %{_mandir}/man8/*gluster*.8* %changelog +* Thu Mar 9 2023 wuguanghao - 7.0-8 +- fix CVE-2023-26253 + * Tue Jun 8 2021 yanglongkang - 7.0-7 - geo-rep fix the name of changelog archive file -- Gitee
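Review bot: The guard added to notify() in the embedded fuse-bridge.c patch fails open: `event_graph` is initialised to `_gf_true` and cleared only in the `default:` arm, while `graph = data;` is still assigned unconditionally before the switch. Any explicit `case` whose `data` is not a `glusterfs_graph_t`, whether present today or added later, would still reach `graph->id` in the relocated `gf_log` call, which is the kind of invalid access the patch description reports. Declaring `gf_boolean_t event_graph = _gf_false;` and setting `event_graph = _gf_true;` only in the arms known to receive a graph object would make the check fail closed. The switch arms between `GF_EVENT_GRAPH_NEW` and `default:` lie outside the patch's hunks, so which events actually carry a graph needs confirming against the full function; it is also worth checking that no arm returns early, since the debug message is now emitted only after the switch.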