1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
From f4dddd7727988b8077b2da577e195621d5bac9c7 Mon Sep 17 00:00:00 2001
From: Chen Qi <Qi.Chen@windriver.com>
Date: Tue, 25 Sep 2018 15:23:10 +0800
Subject: [PATCH 5/7] cluster/afr: Fix dict-leak in pre-op
At the time of pre-op, pre_op_xdata is populted with the xattrs we get from the
disk and at the time of post-op it gets over-written without unreffing the
previous value stored leading to a leak.
This is a regression we missed in
https://review.gluster.org/#/q/ba149bac92d169ae2256dbc75202dc9e5d06538e
BUG: 1550078
Change-Id: I0456f9ad6f77ce6248b747964a037193af3a3da7
Signed-off-by: Pranith Kumar K <pkarampu@redhat.com>
Upstream-Status: Backport
Fix CVE-2018-10924
Modified for this old glusterfs version.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
xlators/cluster/afr/src/afr-common.c | 14 +++++++-------
xlators/cluster/afr/src/afr-transaction.c | 20 ++++++++++----------
xlators/cluster/afr/src/afr.h | 4 ++--
3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/xlators/cluster/afr/src/afr-common.c b/xlators/cluster/afr/src/afr-common.c
index 0643204..85150a0 100644
--- a/xlators/cluster/afr/src/afr-common.c
+++ b/xlators/cluster/afr/src/afr-common.c
@@ -1673,13 +1673,13 @@ afr_local_transaction_cleanup (afr_local_t *local, xlator_t *this)
GF_FREE (local->transaction.pre_op);
GF_FREE (local->transaction.pre_op_sources);
- if (local->transaction.pre_op_xdata) {
+ if (local->transaction.changelog_xdata) {
for (i = 0; i < priv->child_count; i++) {
- if (!local->transaction.pre_op_xdata[i])
+ if (!local->transaction.changelog_xdata[i])
continue;
- dict_unref (local->transaction.pre_op_xdata[i]);
+ dict_unref (local->transaction.changelog_xdata[i]);
}
- GF_FREE (local->transaction.pre_op_xdata);
+ GF_FREE (local->transaction.changelog_xdata);
}
GF_FREE (local->transaction.eager_lock);
@@ -5396,10 +5396,10 @@ afr_transaction_local_init (afr_local_t *local, xlator_t *this)
goto out;
if (priv->arbiter_count == 1) {
- local->transaction.pre_op_xdata =
- GF_CALLOC (sizeof (*local->transaction.pre_op_xdata),
+ local->transaction.changelog_xdata =
+ GF_CALLOC (sizeof (*local->transaction.changelog_xdata),
priv->child_count, gf_afr_mt_dict_t);
- if (!local->transaction.pre_op_xdata)
+ if (!local->transaction.changelog_xdata)
goto out;
local->transaction.pre_op_sources =
diff --git a/xlators/cluster/afr/src/afr-transaction.c b/xlators/cluster/afr/src/afr-transaction.c
index 35621d9..c9a4474 100644
--- a/xlators/cluster/afr/src/afr-transaction.c
+++ b/xlators/cluster/afr/src/afr-transaction.c
@@ -276,9 +276,9 @@ afr_compute_pre_op_sources (call_frame_t *frame, xlator_t *this)
matrix = ALLOC_MATRIX (priv->child_count, int);
for (i = 0; i < priv->child_count; i++) {
- if (!local->transaction.pre_op_xdata[i])
+ if (!local->transaction.changelog_xdata[i])
continue;
- xdata = local->transaction.pre_op_xdata[i];
+ xdata = local->transaction.changelog_xdata[i];
afr_selfheal_fill_matrix (this, matrix, i, idx, xdata);
}
@@ -295,13 +295,6 @@ afr_compute_pre_op_sources (call_frame_t *frame, xlator_t *this)
for (j = 0; j < priv->child_count; j++)
if (matrix[i][j] != 0)
local->transaction.pre_op_sources[j] = 0;
-
- /*We don't need the xattrs any more. */
- for (i = 0; i < priv->child_count; i++)
- if (local->transaction.pre_op_xdata[i]) {
- dict_unref (local->transaction.pre_op_xdata[i]);
- local->transaction.pre_op_xdata[i] = NULL;
- }
}
gf_boolean_t
@@ -1175,7 +1168,7 @@ afr_changelog_cbk (call_frame_t *frame, void *cookie, xlator_t *this,
if (priv->arbiter_count == 1 && !op_ret) {
if (xattr)
- local->transaction.pre_op_xdata[child_index] =
+ local->transaction.changelog_xdata[child_index] =
dict_ref (xattr);
}
@@ -1608,6 +1601,13 @@ afr_changelog_do (call_frame_t *frame, xlator_t *this, dict_t *xattr,
local = frame->local;
priv = this->private;
+ for (i = 0; i < priv->child_count; i++) {
+ if (local->transaction.changelog_xdata[i]) {
+ dict_unref (local->transaction.changelog_xdata[i]);
+ local->transaction.changelog_xdata[i] = NULL;
+ }
+ }
+
ret = afr_changelog_prepare (this, frame, &call_count, changelog_resume,
op, &xdata, &newloc_xdata);
diff --git a/xlators/cluster/afr/src/afr.h b/xlators/cluster/afr/src/afr.h
index cf736ed..2854153 100644
--- a/xlators/cluster/afr/src/afr.h
+++ b/xlators/cluster/afr/src/afr.h
@@ -737,8 +737,8 @@ typedef struct _afr_local {
unsigned char *pre_op;
- /* For arbiter configuration only. */
- dict_t **pre_op_xdata;
+ /* Changelog xattr dict for [f]xattrop*/
+ dict_t **changelog_xdata;
unsigned char *pre_op_sources;
/* @failed_subvols: subvolumes on which a pre-op or a
--
2.7.4
|
