From 8eeec7148b4c58628d2bbdf086f08334c07bd27c Mon Sep 17 00:00:00 2001
From: wangxiaomeng
Date: Thu, 16 Nov 2023 13:32:32 +0800
Subject: [PATCH] fix CVE-2022-48340
(cherry picked from commit a27df4d5e592edf3f8a59a6f5a4fd514b3591ed2)
---
 ...dht-fix-asan-use-after-free-bug-4248.patch | 89 +++++++++++++++++++
 glusterfs.spec | 6 +-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 0006-dht-fix-asan-use-after-free-bug-4248.patch
diff --git a/0006-dht-fix-asan-use-after-free-bug-4248.patch b/0006-dht-fix-asan-use-after-free-bug-4248.patch
new file mode 100644
index 0000000..f5efe43
--- /dev/null
+++ b/0006-dht-fix-asan-use-after-free-bug-4248.patch
@@ -0,0 +1,89 @@
+From 9c580285c32d1e8f684c51cdc3a023319f05b1f8 Mon Sep 17 00:00:00 2001
+From: mohit84
+Date: Wed, 25 Oct 2023 11:48:51 +0530
+Subject: [PATCH] dht: fix asan use-after-free bug (#4248)
+
+The client is throwing below stacktrace while asan is enabled. The client is facing
+an issue while application is trying to call removexattr in 2x1 subvol and non-mds
+subvol is down. As we can see in below stacktrace dht_setxattr_mds_cbk is calling
+dht_setxattr_non_mds_cbk and dht_setxattr_non_mds_cbk is trying to wipe local because
+call_cnt is 0 but dht_setxattr_mds_cbk is trying to access frame->local that;s why
+it is crashed.
+
+x621000051c34 is located 1844 bytes inside of 4164-byte region [0x621000051500,0x621000052544) freed by thread T7 here:
+
+Solution: Use switch instead of using if statement to wind a operation, in case of switch
+ the code will not try to access local after wind a operation for last dht subvol.
+
+> Fixes: #3732
+> Change-Id: I031bc814d6df98058430ef4de7040e3370d1c677
+> (Cherry picke from commit 11ff6f56a1e7ad740ffe46e39a5911c9e7367eb6)
+> (Reviwed on upstream link https://github.com/gluster/glusterfs/pull/4242)
+
+Fixes: #3732
+Change-Id: I031bc814d6df98058430ef4de7040e3370d1c677
+
+Signed-off-by: Mohit Agrawal
+---
+ xlators/cluster/dht/src/dht-common.c | 45 ++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 22 deletions(-)
+
+diff --git a/xlators/cluster/dht/src/dht-common.c b/xlators/cluster/dht/src/dht-common.c
+index b31b88296b..c5c83c20aa 100644
+--- a/xlators/cluster/dht/src/dht-common.c
++++ b/xlators/cluster/dht/src/dht-common.c
+@@ -3965,28 +3965,29 @@ dht_setxattr_mds_cbk(call_frame_t *frame, void *cookie, xlator_t *this,
+ for (i = 0; i < conf->subvolume_cnt; i++) {
+ if (mds_subvol && (mds_subvol == conf->subvolumes[i]))
+ continue;
+- if (local->fop == GF_FOP_SETXATTR) {
+- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i],
+- conf->subvolumes[i]->fops->setxattr, &local->loc,
+- 
local->xattr, local->flags, local->xattr_req); +- } +- +- if (local->fop == GF_FOP_FSETXATTR) { +- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i], +- conf->subvolumes[i]->fops->fsetxattr, local->fd, +- local->xattr, local->flags, local->xattr_req); +- } +- +- if (local->fop == GF_FOP_REMOVEXATTR) { +- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i], +- conf->subvolumes[i]->fops->removexattr, &local->loc, +- local->key, local->xattr_req); +- } +- +- if (local->fop == GF_FOP_FREMOVEXATTR) { +- STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i], +- conf->subvolumes[i]->fops->fremovexattr, local->fd, +- local->key, local->xattr_req); ++ switch (local->fop) { ++ case GF_FOP_SETXATTR: ++ STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i], ++ conf->subvolumes[i]->fops->setxattr, &local->loc, ++ local->xattr, local->flags, local->xattr_req); ++ break; ++ case GF_FOP_FSETXATTR: ++ STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i], ++ conf->subvolumes[i]->fops->fsetxattr, local->fd, ++ local->xattr, local->flags, local->xattr_req); ++ break; ++ case GF_FOP_REMOVEXATTR: ++ STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i], ++ conf->subvolumes[i]->fops->removexattr, &local->loc, ++ local->key, local->xattr_req); ++ break; ++ case GF_FOP_FREMOVEXATTR: ++ STACK_WIND(frame, dht_setxattr_non_mds_cbk, conf->subvolumes[i], ++ conf->subvolumes[i]->fops->fremovexattr, local->fd, ++ local->key, local->xattr_req); ++ break; ++ default: ++ break; + } + } + +-- +2.33.0 + diff --git a/glusterfs.spec b/glusterfs.spec index acf9ce2..1fc2b8b 100644 --- a/glusterfs.spec +++ b/glusterfs.spec @@ -3,7 +3,7 @@ Name: glusterfs Version: 7.0 -Release: 11 +Release: 12 License: GPLv2 and LGPLv3+ Summary: Aggregating distributed file system URL: http://docs.gluster.org/ 
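Review bot: The new switch in dht_setxattr_mds_cbk still reads `local->fop` and the `local->loc`/`local->xattr`/`local->key` arguments at the top of every loop iteration, so the use-after-free is closed only if `local->call_cnt` was set to the full number of non-mds subvolumes before the loop, so that an earlier subvolume's callback (for example a down subvolume unwinding synchronously, the case in the commit message) cannot drop the count to zero and free `local` while a later iteration is still pending. That accounting sits before `@@ -3965` and is outside the hunk, so it should be verified against the top of the function rather than assumed; a one-line comment above the `for`, `/* call_cnt must already cover every non-mds subvolume: the last wind may free local */`, would record the invariant for the next reader. The `default: break;` arm also silently skips the wind for an unrecognised fop, which would leave `call_cnt` unable to reach zero and the frame hung; a debug message there, `gf_msg_debug(this->name, 0, "unexpected fop %d", local->fop);`, makes that failure visible in the logs instead of presenting as a stuck request.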
@@ -16,6 +16,7 @@ Patch2: 0002-upcall-internal.c-fix-debug-log-message-3651.patch Patch3: 0003-SC2081-can-t-match-globs-Use-or-grep.patch Patch4: 0004-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch Patch5: 0005-timer-fix-event-destruction-race.patch +Patch6: 0006-dht-fix-asan-use-after-free-bug-4248.patch BuildRequires: systemd bison flex gcc make libtool ncurses-devel readline-devel libattr-devel BuildRequires: libxml2-devel openssl-devel libaio-devel libacl-devel python3-devel git perl @@ -464,6 +465,9 @@ exit 0 %{_mandir}/man8/*gluster*.8* %changelog +* Wed Nov 22 2023 wangxiaomeng - 7.0-12 +- fix CVE-2022-48340 + * Wed Jul 12 2023 wuguanghao - 7.0-11 - timer: fix event destruction race -- Gitee