From cbc885f8b237fdace72be39c1922fa90cec91d28 Mon Sep 17 00:00:00 2001
From: wguanghao
Date: Thu, 9 Mar 2023 15:19:35 +0800
Subject: [PATCH] fix CVE-2023-26253
(cherry picked from commit 59901eac61989bb9988995a7292a8c07f3bffa24)
---
...n-bug-in-during-receive-event-notifi.patch | 65 +++++++++++++++++++
glusterfs.spec | 6 +-
2 files changed, 70 insertions(+), 1 deletion(-)
create mode 100644 0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
diff --git a/0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch b/0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
new file mode 100644
index 0000000..bdded26
--- /dev/null
+++ b/0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
@@ -0,0 +1,65 @@
+From 5f26bfb979af9051e07f35a01d749ba4977f4b1e Mon Sep 17 00:00:00 2001
+From: mohit84
+Date: Thu, 2 Mar 2023 02:58:57 +0530
+Subject: [PATCH] fuse: Resolve asan bug in during receive event notification
+ (#4019)
+
+The fuse xlator notify function tries to assign data object
+to graph object without checking an event. In case of upcall
+event data object represents upcall object so during access
+of graph object the process is crashed for asan build.
+
+Solution: Access the graph->id only while event is associated
+ specific to fuse xlator
+
+Fixes: #3954
+Change-Id: I6b2869256b26d22163879737dcf163510d1cd8bf
+Signed-off-by: Mohit Agrawal
+---
+ xlators/mount/fuse/src/fuse-bridge.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
+index bd61421263..2dc9b4f429 100644
+--- a/xlators/mount/fuse/src/fuse-bridge.c
++++ b/xlators/mount/fuse/src/fuse-bridge.c
+@@ -6502,6 +6502,7 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+ int32_t ret = 0;
+ fuse_private_t *private = NULL;
+ gf_boolean_t start_thread = _gf_false;
++ gf_boolean_t event_graph = _gf_true;
+ glusterfs_graph_t *graph = NULL;
+ struct pollfd pfd = {0};
+
+@@ -6509,9 +6510,6 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+
+ graph = data;
+
+- gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
+- ((graph) ? graph->id : 0));
+-
+ switch (event) {
+ case GF_EVENT_GRAPH_NEW:
+ break;
+@@ -6597,9 +6595,18 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+ }
+
+ default:
++ /* Set the event_graph to false so that event
++ debug msg would not try to access invalid graph->id
++ while data object is not matched to graph object
++ for ex in case of upcall event data object represents
++ gf_upcall object
++ */
++ event_graph = _gf_false;
+ break;
+ }
+
++ gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
++ ((graph && event_graph) ? 
graph->id : -1)); + return ret; + } + +-- +2.33.0 + diff --git a/glusterfs.spec b/glusterfs.spec index 9a126b5..9a232a2 100644 --- a/glusterfs.spec +++ b/glusterfs.spec @@ -224,7 +224,7 @@ Summary: Distributed File System Name: glusterfs Version: 10.0 -Release: 7 +Release: 8 License: GPLv3 or GPLv2+ or LGPLv3+ URL: http://docs.gluster.org/ %if ( 0%{_for_fedora_koji_builds} ) @@ -238,6 +238,7 @@ Source0: https://download.gluster.org/pub/gluster/glusterfs/10/10.0/glu %endif Patch1: 0001-SC2081-can-t-match-globs-Use-or-grep.patch +Patch2: 0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRequires: rpcgen gperftools-devel libunwind-devel @@ -1520,6 +1521,9 @@ exit 0 %{_mandir}/man8/*gluster*.8* %changelog +* Thu Mar 9 2023 wuguanghao - 10.0-8 +- fix CVE-2023-26253 + * Tue Feb 7 2023 lihaoxiang - 10.0-7 - fix upgrade error that %{_mandir}/man8/*gluster*.8* belong to package glusterfs currently conflict with that belong to package help in the lower version. -- Gitee
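Review bot: In the embedded fuse-bridge.c change, `event_graph` is initialised to `_gf_true` and cleared only in the `default:` branch, so the relocated `gf_log` still reads `graph->id` for every event that has an explicit `case`, and `graph = data;` remains unconditional. The cases between the second and third inner hunks are not shown, so it cannot be confirmed from this patch that each of them is delivered with a `glusterfs_graph_t` in `data`. A fail-closed form would declare `gf_boolean_t event_graph = _gf_false;` and set it to `_gf_true` only in the cases known to carry a graph, so that a newly added event type cannot reintroduce the invalid read. `notify()` begins outside the inner hunks and most of its `switch` is not visible here.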