fix CVE-2023-26253

2023-03-09 09:41:14 +08:00 · 2023-03-09 09:41:14 +08:00 · 451c6d4b33
commit 451c6d4b33
parent bf3235aa11
2 changed files with 70 additions and 1 deletions
--- a/0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
+++ b/0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch
@ -0,0 +1,65 @@
+From 5f26bfb979af9051e07f35a01d749ba4977f4b1e Mon Sep 17 00:00:00 2001
+From: mohit84 <moagrawa@redhat.com>
+Date: Thu, 2 Mar 2023 02:58:57 +0530
+Subject: [PATCH] fuse: Resolve asan bug in during receive event notification
+ (#4019)
+
+The fuse xlator notify function tries to assign data object
+to graph object without checking an event. In case of upcall
+event data object represents upcall object so during access
+of graph object the process is crashed for asan build.
+
+Solution: Access the graph->id only while event is associated
+          specific to fuse xlator
+
+Fixes: #3954
+Change-Id: I6b2869256b26d22163879737dcf163510d1cd8bf
+Signed-off-by: Mohit Agrawal <moagrawa@redhat.com>
+---
+ xlators/mount/fuse/src/fuse-bridge.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/xlators/mount/fuse/src/fuse-bridge.c b/xlators/mount/fuse/src/fuse-bridge.c
+index bd61421263..2dc9b4f429 100644
+--- a/xlators/mount/fuse/src/fuse-bridge.c
+++ b/xlators/mount/fuse/src/fuse-bridge.c
+@@ -6502,6 +6502,7 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+     int32_t ret = 0;
+     fuse_private_t *private = NULL;
+     gf_boolean_t start_thread = _gf_false;
+    gf_boolean_t event_graph = _gf_true;
+     glusterfs_graph_t *graph = NULL;
+     struct pollfd pfd = {0};
+ 
+@@ -6509,9 +6510,6 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+ 
+     graph = data;
+ 
+-    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
+-           ((graph) ? graph->id : 0));
+-
+     switch (event) {
+         case GF_EVENT_GRAPH_NEW:
+             break;
+@@ -6597,9 +6595,18 @@ notify(xlator_t *this, int32_t event, void *data, ...)
+         }
+ 
+         default:
+            /* Set the event_graph to false so that event
+               debug msg would not try to access invalid graph->id
+               while data object is not matched to graph object
+               for ex in case of upcall event data object represents
+               gf_upcall object
+            */
+            event_graph = _gf_false;
+             break;
+     }
+ 
+    gf_log("fuse", GF_LOG_DEBUG, "got event %d on graph %d", event,
+           ((graph && event_graph) ? graph->id : -1));
+     return ret;
+ }
+ 
+-- 
+2.33.0
+
--- a/glusterfs.spec
+++ b/glusterfs.spec
@ -224,7 +224,7 @@
 Summary:          Distributed File System
 Name:             glusterfs
 Version:          10.3
-Release:          1
+Release:          2
 License:          GPLv3 or GPLv2+ or LGPLv3+
 URL:              http://docs.gluster.org/
 %if ( 0%{_for_fedora_koji_builds} )
@ -238,6 +238,7 @@ Source0:          https://download.gluster.org/pub/gluster/glusterfs/10/%{versio
 %endif
 
 Patch1:         0001-SC2081-can-t-match-globs-Use-or-grep.patch
+Patch2:         0002-fuse-Resolve-asan-bug-in-during-receive-event-notifi.patch

 BuildRoot:        %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 BuildRequires:    rpcgen gperftools-devel libunwind-devel
@ -1518,6 +1519,9 @@ exit 0
 %endif

 %changelog
+* Thu Mar 9 2023 wuguanghao <wuguanghao3@huawei.com> - 10.3-2
+- fix CVE-2023-26253
+
 * Mon Dec 5 2022 lihaoxiang <lihaoxiang9@huawei.com> - 10.3-1
 - Update to glusterfs-10.3-1