glusterfs.git/xlators/features, branch v4.1.6 features/locks: fix statedump string 2018-11-09T14:04:25+00:00 Amar Tumballi amarts@redhat.com 2018-11-08T05:16:12+00:00 9d9b9745c7e424f01e5526b23b1da17db263275e Currently, there are possibilities in few places, where a user-controlled (like filename, program parameter etc) string can be passed as 'fmt' for printf(), which can lead to segfault, if the user's string contains '%s', '%d' in it. Fixes: CVE-2018-14661 NOTE: this change is a focused fix for the CVE, but is just subset of changes in master. This is done so that we keep the changes in the codebase to minimum, and also as clang coding standard is implemented, the changes wouldn't apply cleanly from master, so there is scope for mistakes. By keeping it to minimum, we solve CVE, and also prevent errors. Fixes: bz#1647668 Change-Id: Ib547293f2d9eb618594cbff0df3b9c800e88bde4 Signed-off-by: Amar Tumballi <amarts@redhat.com> 
Currently, there are possibilities in few places, where a user-controlled
(like filename, program parameter etc) string can be passed as 'fmt' for
printf(), which can lead to segfault, if the user's string contains '%s',
'%d' in it.

Fixes: CVE-2018-14661

NOTE: this change is a focused fix for the CVE, but is just subset of
changes in master. This is done so that we keep the changes in the
codebase to minimum, and also as clang coding standard is implemented,
the changes wouldn't apply cleanly from master, so there is scope for
mistakes. By keeping it to minimum, we solve CVE, and also prevent
errors.

Fixes: bz#1647668
Change-Id: Ib547293f2d9eb618594cbff0df3b9c800e88bde4
Signed-off-by: Amar Tumballi <amarts@redhat.com>
features/locks:Use pthread_mutex_unlock() instead of pthread_mutex_lock() 2018-11-08T16:38:17+00:00 Susant Palai spalai@redhat.com 2018-11-08T16:36:05+00:00 03b65fd52d3e4e3e9d4978fd30c694c51bcde3e3 Fixes CID 1396581 Change-Id: Ic04091b5783a75d8e1e605a9c1c28b77fea048d3 updates: bz#1647972 Signed-off-by: Vijay Bellur <vbellur@redhat.com> Signed-off-by: Susant Palai <spalai@redhat.com> 
Fixes CID 1396581

Change-Id: Ic04091b5783a75d8e1e605a9c1c28b77fea048d3
updates: bz#1647972
Signed-off-by: Vijay Bellur <vbellur@redhat.com>
Signed-off-by: Susant Palai <spalai@redhat.com>
lock: Do not allow meta-lock count to be more than one 2018-11-08T16:38:17+00:00 Susant Palai spalai@redhat.com 2018-11-08T16:29:46+00:00 0087294bd960a45debd614504613feb75de26f74 In the current scheme of glusterfs where lock migration is experimental, (ideally) the rebalance process which is migrating the file should request for a metalock. Hence, the metalock count should not be more than one for an inode. In future, if there is a need for meta-lock from other clients, this patch can be reverted. Since pl_metalk is called as part of setxattr operation, any client process(non-rebalance) residing outside trusted network can exhaust memory of the server node by issuing setxattr repetitively on the metalock key. The current patch makes sure that more than one metalock cannot be granted on an inode. Fixes CVE-2018-14660 updates: bz#1647972 Change-Id: Ie1e697766388718804a9551bc58351808fe71069 Signed-off-by: Susant Palai <spalai@redhat.com> 
In the current scheme of glusterfs where lock migration is
experimental, (ideally) the rebalance process which is migrating
the file should request for a metalock. Hence, the metalock count
should not be more than one for an inode. In future, if there is a
need for meta-lock from other clients, this patch can be reverted.

Since pl_metalk is called as part of setxattr operation, any client
process(non-rebalance) residing outside trusted network can exhaust
memory of the server node by issuing setxattr repetitively on the
metalock key. The current patch makes sure that more than
one metalock cannot be granted on an inode.

Fixes CVE-2018-14660

updates: bz#1647972
Change-Id: Ie1e697766388718804a9551bc58351808fe71069
Signed-off-by: Susant Palai <spalai@redhat.com>
index: prevent arbitrary file creation outside entry-changes folder 2018-11-06T16:13:14+00:00 Ravishankar N ravishankar@redhat.com 2018-11-02T05:30:43+00:00 5f4ae8a80543332a2e92dfa5c7f833ae7b93a664 Patch in master: https://review.gluster.org/#/c/glusterfs/+/21534/ A compromised client can set arbitrary values for the GF_XATTROP_ENTRY_IN_KEY and GF_XATTROP_ENTRY_OUT_KEY during xattrop fop. These values are consumed by index as a filename to be created/deleted according to the key. Thus it is possible to create/delete random files even outside the gluster volume boundary. Fix: Index expects the filename to be a basename, i.e. it must not contain any pathname components like "/" or "../". Enforce this. Fixes: CVE-2018-14654 Fixes: bz#1646200 Change-Id: I35f2a39257b5917d17283d0a4f575b92f783f143 Signed-off-by: Ravishankar N <ravishankar@redhat.com> 
Patch in master: https://review.gluster.org/#/c/glusterfs/+/21534/

A compromised client can set arbitrary values for the GF_XATTROP_ENTRY_IN_KEY
and GF_XATTROP_ENTRY_OUT_KEY during xattrop fop. These values are
consumed by index as a filename to be created/deleted according to the key.
Thus it is possible to create/delete random files even outside the gluster
volume boundary.

Fix:
Index expects the filename to be a basename, i.e. it must not contain any
pathname components like "/" or "../". Enforce this.

Fixes: CVE-2018-14654

Fixes: bz#1646200
Change-Id: I35f2a39257b5917d17283d0a4f575b92f783f143
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
features/locks: add buffer overflow checks in pl_getxattr 2018-11-02T04:44:53+00:00 Ravishankar N ravishankar@redhat.com 2018-10-08T05:34:14+00:00 e2c195712a9ecbda4fa02f5308138a1257a2558a Problem: A compromised client can send a variable length buffer value for the GF_XATTR_CLRLK_CMD virtual xattr. If the length is greater than the size of the "key" used to send the response back, locks xlator can segfault when it tries to do a dict_set because of the buffer overflow in strncpy of pl_getxattr(). Fix: Perform size checks while forming the 'key'. Note: This fix is already there in the master branch upstream as a part of the commit 052849983e51a061d7fb2c3ffd74fa78bb257084 (https://review.gluster.org/#/c/glusterfs/+/20933/) This patch just picks the code change needed to fix the vulnerability. Fixes: CVE-2018-14652 fixes: bz#1645363 Change-Id: I101693e91f9ea2bd26cef6c0b7d82527fefcb3e2 Signed-off-by: Ravishankar N <ravishankar@redhat.com> 
Problem:
A compromised client can send a variable length buffer value for the
GF_XATTR_CLRLK_CMD virtual xattr. If the length is greater than the
size of the "key" used to send the response back, locks xlator can
segfault when it tries to do a dict_set because of the buffer overflow
in strncpy of pl_getxattr().

Fix:
Perform size checks while forming the 'key'.

Note:
This fix is already there in the master branch upstream as a part of the
commit 052849983e51a061d7fb2c3ffd74fa78bb257084 (https://review.gluster.org/#/c/glusterfs/+/20933/)
This patch just picks the code change needed to fix the vulnerability.

Fixes: CVE-2018-14652
fixes: bz#1645363
Change-Id: I101693e91f9ea2bd26cef6c0b7d82527fefcb3e2
Signed-off-by: Ravishankar N <ravishankar@redhat.com>
leases:Mark the fop conflicting if lease_id not set 2018-10-24T09:39:32+00:00 Soumya Koduri skoduri@redhat.com 2018-10-22T15:46:53+00:00 f48e6cf2183a749e75eaa22a1dffe58f0dba34d5 Glusterfs leases expects lease_id to be set and sent for each fop to determine conflict resolution with the existing lease. Incase if not set (most likely if there is an older client in a mixed cluster), it makes sense to consider it as conflicitng fop and recall the lease. Also fixed the return status check for __remove_lease(), wherein non-negative value is considered as success case. This is backport of below mainline patch - https://review.gluster.org/21458 Change-Id: I5bcfba4f7c71a5af7cdedeb03436d0b818e85783 updates: #350 Signed-off-by: Soumya Koduri <skoduri@redhat.com> 
Glusterfs leases expects lease_id to be set and sent
for each fop to determine conflict resolution with the
existing lease.
Incase if not set (most likely if there is an older
client in a mixed cluster), it makes sense to consider
it as conflicitng fop and recall the lease.

Also fixed the return status check for __remove_lease(),
wherein non-negative value is considered as success case.

This is backport of below mainline patch -
 https://review.gluster.org/21458

Change-Id: I5bcfba4f7c71a5af7cdedeb03436d0b818e85783
updates: #350
Signed-off-by: Soumya Koduri <skoduri@redhat.com>
mgmt/glusterd: use proper path to the volfile 2018-10-04T18:31:58+00:00 Raghavendra Bhat raghavendra@redhat.com 2018-10-04T18:27:45+00:00 50ef643281fd1797d9087ff7275c366d67773534 Till now, glusterd was generating the volfile path for the snapshot volume's bricks like this. /snaps/<snap name>/<brick volfile> But in reality, the path to the brick volfile for a snapshot volume is /snaps/<snap name>/<snap volume name>/<brick volfile> The above workaround was used to distinguish between a mount command used to mount the snapshot volume, and a brick of the snapshot volume, so that based on what is actually happening, glusterd can return the proper volfile (client volfile for the former and the brick volfile for the latter). But, this was causing problems for snapshot restore when brick multiplexing is enabled. Because, with brick multiplexing, it tries to find the volfile and sends GETSPEC rpc call to glusterd using the 2nd style of path i.e. /snaps/<snap name>/<snap volume name>/<brick volfile> So, when the snapshot brick (which is multiplexed) sends a GETSPEC rpc request to glusterd for obtaining the brick volume file, glusterd was returning the client volume file of the snapshot volume instead of the brick volume file. Change-Id: I28b2dfa5d9b379fe943db92c2fdfea879a6a594e fixes: bz#1636218 Signed-off-by: Raghavendra Bhat <raghavendra@redhat.com> 
Till now, glusterd was generating the volfile path for the snapshot
volume's bricks like this.

/snaps/<snap name>/<brick volfile>

But in reality, the path to the brick volfile for a snapshot volume is

/snaps/<snap name>/<snap volume name>/<brick volfile>

The above workaround was used to distinguish between a mount command used
to mount the snapshot volume, and a brick of the snapshot volume, so that
based on what is actually happening, glusterd can return the proper volfile
(client volfile for the former and the brick volfile for the latter). But,
this was causing problems for snapshot restore when brick multiplexing is
enabled. Because, with brick multiplexing, it tries to find the volfile
and sends GETSPEC rpc call to glusterd using the 2nd style of path i.e.

/snaps/<snap name>/<snap volume name>/<brick volfile>

So, when the snapshot brick (which is multiplexed) sends a GETSPEC rpc
request to glusterd for obtaining the brick volume file, glusterd was
returning the client volume file of the snapshot volume instead of the
brick volume file.

Change-Id: I28b2dfa5d9b379fe943db92c2fdfea879a6a594e
fixes: bz#1636218
Signed-off-by: Raghavendra Bhat <raghavendra@redhat.com>
libgfchangelog: Fix changelog history API 2018-09-21T13:25:59+00:00 Kotresh HR khiremat@redhat.com 2018-08-21T10:09:44+00:00 bbab048f0a06c34656c2c11c3cec4f2dd9883037 Problem: If requested start time and end time doesn't fall into first HTIME file, then history API fails even though continuous changelogs are avaiable for the requested range in other HTIME files. This is induced by changelog disable and enable which creates fresh HTIME index file. Cause and Analysis: Each HTIME index file represents the availability of continuous changelogs. If changelog is disabled and enabled, a new HTIME index file is created represents non availability of continuous changelogs. So as long as the requested start and end falls into single HTIME index file and not across, history API should succeed. But History API checks for the changelogs only in first HTIME index file and errors out if not available. Fix: Check in all HTIME index files for availability of continuous changelogs for requested change. Backport of: > Patch: https://review.gluster.org/21016/ > BUG: bz#1622549 > Change-Id: I80eeceb5afbd1b89f86a9dc4c320e161907d3559 > Signed-off-by: Kotresh HR <khiremat@redhat.com> (cherry picked from commit 35aa67001c8fac99b040fbc61f36ef4f1b1590ac) fixes: bz#1630141 Change-Id: I80eeceb5afbd1b89f86a9dc4c320e161907d3559 Signed-off-by: Kotresh HR <khiremat@redhat.com> 
Problem:
If requested start time and end time doesn't fall into
first HTIME file, then history API fails even though
continuous changelogs are avaiable for the requested range
in other HTIME files. This is induced by changelog disable
and enable which creates fresh HTIME index file.

Cause and Analysis:
Each HTIME index file represents the availability of
continuous changelogs. If changelog is disabled and enabled,
a new HTIME index file is created represents non availability
of continuous changelogs. So as long as the requested start
and end falls into single HTIME index file and not across,
history API should succeed.

But History API checks for the changelogs only in first
HTIME index file and errors out if not available.

Fix:
Check in all HTIME index files for availability of continuous
changelogs for requested change.

Backport of:
 > Patch: https://review.gluster.org/21016/ 
 > BUG: bz#1622549
 > Change-Id: I80eeceb5afbd1b89f86a9dc4c320e161907d3559
 > Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 35aa67001c8fac99b040fbc61f36ef4f1b1590ac)


fixes: bz#1630141
Change-Id: I80eeceb5afbd1b89f86a9dc4c320e161907d3559
Signed-off-by: Kotresh HR <khiremat@redhat.com>
ctime: Fix self heal of symlink in EC volume 2018-07-02T17:14:15+00:00 Kotresh HR khiremat@redhat.com 2018-06-18T17:40:33+00:00 695470765d4d047102fc9d2db7574a6fdb2b3eb3 Since IEEE Std 1003.1-2001 does not require any association of file times with symbolic links, there is no requirement that file times be updated by readlink() states [1]. stat on symlink file was generating a readlink fop on one of the subvolumes of ec set which in turn updates atime on that subvolume. This causes mdata xattr to be different across ec set and hence self heal fails. So based on [1], atime is no longer updated by readlink fop. [1] http://pubs.opengroup.org/onlinepubs/009695399/functions/readlink.html Backport of: > Patch: https://review.gluster.org/#/c/20311/ > BUG: 1592509 > Change-Id: I08bd3ca3bdb222bd18160b1aa58fc2f7630c8083 > Signed-off-by: Kotresh HR <khiremat@redhat.com> (cherry picked from commit c097a7894d458e33a41f6db6092677108ef30fec) fixes: bz#1593536 Change-Id: I08bd3ca3bdb222bd18160b1aa58fc2f7630c8083 Signed-off-by: Kotresh HR <khiremat@redhat.com> (cherry picked from commit c097a7894d458e33a41f6db6092677108ef30fec) 
Since IEEE Std 1003.1-2001 does not require any
association of file times with symbolic links,
there is no requirement that file times be
updated by readlink() states [1].

stat on symlink file was generating a readlink
fop on one of the subvolumes of ec set which
in turn updates atime on that subvolume. This
causes mdata xattr to be different across ec
set and hence self heal fails. So based on [1],
atime is no longer updated by readlink fop.

[1] http://pubs.opengroup.org/onlinepubs/009695399/functions/readlink.html

Backport of:
  > Patch: https://review.gluster.org/#/c/20311/
  > BUG: 1592509
  > Change-Id: I08bd3ca3bdb222bd18160b1aa58fc2f7630c8083
  > Signed-off-by: Kotresh HR <khiremat@redhat.com>
  (cherry picked from commit c097a7894d458e33a41f6db6092677108ef30fec)

fixes: bz#1593536
Change-Id: I08bd3ca3bdb222bd18160b1aa58fc2f7630c8083
Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit c097a7894d458e33a41f6db6092677108ef30fec)
features/shard: Fix missing unlock in shard_fsync_shards_cbk() 2018-06-06T14:00:52+00:00 Vijay Bellur vbellur@redhat.com 2018-06-01T00:11:01+00:00 9757ee891cf45abd6380fd693639f5c4cd199c2f Backport of: > Change-Id: I745a98e957cf3c6ba69247fcf6b58dd05cf59c3c > Signed-off-by: Vijay Bellur <vbellur@redhat.com> > (cherry picked from commit b21f742f96d46b4adfa87281dd9a2e48fea8d031) > BUG: 789278 Change-Id: I745a98e957cf3c6ba69247fcf6b58dd05cf59c3c fixes: bz#1587908 Signed-off-by: Vijay Bellur <vbellur@redhat.com> (cherry picked from commit b21f742f96d46b4adfa87281dd9a2e48fea8d031) 
Backport of:
> Change-Id: I745a98e957cf3c6ba69247fcf6b58dd05cf59c3c
> Signed-off-by: Vijay Bellur <vbellur@redhat.com>
> (cherry picked from commit b21f742f96d46b4adfa87281dd9a2e48fea8d031)
> BUG: 789278

Change-Id: I745a98e957cf3c6ba69247fcf6b58dd05cf59c3c
fixes: bz#1587908
Signed-off-by: Vijay Bellur <vbellur@redhat.com>
(cherry picked from commit b21f742f96d46b4adfa87281dd9a2e48fea8d031)