diff options
-rw-r--r-- | recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch | 73 | ||||
-rw-r--r-- | recipes-extended/glusterfs/glusterfs.inc | 1 |
2 files changed, 74 insertions, 0 deletions
diff --git a/recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch b/recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch new file mode 100644 index 00000000..e6ef9e39 --- /dev/null +++ b/recipes-extended/glusterfs/files/0003-server-protocol-don-t-allow-.-path-in-name.patch @@ -0,0 +1,73 @@ +From b89658672d137ef56bd0694457b9125bf7d45ba4 Mon Sep 17 00:00:00 2001 +From: Amar Tumballi <amarts@redhat.com> +Date: Thu, 9 Aug 2018 13:00:01 +0530 +Subject: [PATCH 3/7] server-protocol: don't allow '../' path in 'name' + +This will prevent any arbitrary file creation through glusterfs +by modifying the client bits. + +Also check for the similar flaw inside posix too, so we prevent any +changes in layers in-between. + +Fixes: bz#1625095 + +Signed-off-by: Amar Tumballi <amarts@redhat.com> +Change-Id: Id9fe0ef6e86459e8ed85ab947d977f058c5ae06e + +Upstream-Status: Backport + +Fix CVE-2018-10926 +Fix CVE-2018-10927 +Fix CVE-2018-10928 +Fix CVE-2018-10929 +Fix CVE-2018-10930 + +Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +--- + xlators/protocol/server/src/server-resolve.c | 12 ++++++++++++ + xlators/storage/posix/src/posix-handle.h | 6 ++++++ + 2 files changed, 18 insertions(+) + +diff --git a/xlators/protocol/server/src/server-resolve.c b/xlators/protocol/server/src/server-resolve.c +index d0126aa..aa35685 100644 +--- a/xlators/protocol/server/src/server-resolve.c ++++ b/xlators/protocol/server/src/server-resolve.c +@@ -294,6 +294,18 @@ resolve_entry_simple (call_frame_t *frame) + /* expected @parent was found from the inode cache */ + gf_uuid_copy (state->loc_now->pargfid, resolve->pargfid); + state->loc_now->parent = inode_ref (parent); ++ ++ if (strstr (resolve->bname, "../")) { ++ /* Resolving outside the parent's tree is not allowed */ ++ gf_msg (this->name, GF_LOG_ERROR, EPERM, ++ PS_MSG_GFID_RESOLVE_FAILED, ++ "%s: path sent by client not allowed", ++ resolve->bname); ++ resolve->op_ret = -1; ++ resolve->op_errno = EPERM; ++ ret = 1; ++ goto out; ++ } + state->loc_now->name = resolve->bname; + + inode = inode_grep (state->itable, parent, resolve->bname); +diff --git a/xlators/storage/posix/src/posix-handle.h b/xlators/storage/posix/src/posix-handle.h +index 9af6a7a..6e7a8d2 100644 +--- a/xlators/storage/posix/src/posix-handle.h ++++ b/xlators/storage/posix/src/posix-handle.h +@@ -217,6 +217,12 @@ + break; \ + } \ + \ ++ if (strstr (loc->name, "../")) { \ ++ gf_msg (this->name, GF_LOG_ERROR, 0, P_MSG_ENTRY_HANDLE_CREATE, \ ++ "'../' in name not allowed: (%s)", loc->name); \ ++ op_ret = -1; \ ++ break; \ ++ } \ + if (LOC_HAS_ABSPATH (loc)) { \ + MAKE_REAL_PATH (entp, this, loc->path); \ + __parp = strdupa (entp); \ +-- +2.7.4 + diff --git a/recipes-extended/glusterfs/glusterfs.inc b/recipes-extended/glusterfs/glusterfs.inc index e3328723..9a92c30c 100644 --- a/recipes-extended/glusterfs/glusterfs.inc +++ b/recipes-extended/glusterfs/glusterfs.inc @@ -25,6 +25,7 @@ SRC_URI += "file://glusterd.init \ file://0003-glusterfs-access-trusted-peer-group-via-remote-host-.patch \ file://0001-dict-handle-negative-key-value-length-while-unserial.patch \ file://0002-posix-disable-open-read-write-on-special-files.patch \ + file://0003-server-protocol-don-t-allow-.-path-in-name.patch \ " LICENSE = "(LGPLv3+ | GPLv2) & GPLv3+ & LGPLv3+ & GPLv2+ & LGPLv2+ & LGPLv2.1+ & Apache-2.0" |