<feed xmlns='http://www.w3.org/2005/Atom'>
<title>glusterfs.git, branch v4.1.6</title>
<subtitle></subtitle>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/'/>
<entry>
<title>doc: Added release notes for 4.1.6 release</title>
<updated>2018-11-14T15:54:04+00:00</updated>
<author>
<name>ShyamsundarR</name>
<email>srangana@redhat.com</email>
</author>
<published>2018-11-14T15:49:18+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=d6383f22f0b6d66c9596c05da7fcf27599615b01'/>
<id>d6383f22f0b6d66c9596c05da7fcf27599615b01</id>
<content type='text'>
Also corrected a typo in 4.1.4 release notes.

Change-Id: I1ee0f4e4409a0a6af6c2940acb2ff70ea2db824e
Signed-off-by: ShyamsundarR &lt;srangana@redhat.com&gt;
Fixes: bz#1638055
</content>
</entry>
<entry>
<title>gfapi: fix bad dict setting of lease-id</title>
<updated>2018-11-13T20:45:15+00:00</updated>
<author>
<name>Kinglong Mee</name>
<email>kinglongmee@gmail.com</email>
</author>
<published>2018-11-12T13:52:24+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=435c8a92b8bafe2e15e130a31dfdfc14ff40b40a'/>
<id>435c8a92b8bafe2e15e130a31dfdfc14ff40b40a</id>
<content type='text'>
lease_id is 16 bits of opaque data; copying it with gf_strdup is wrong.

Invalid read of size 2
   at 0x483FA2F: memmove (vg_replace_strmem.c:1270)
   by 0xE2EF6FB: ??? (in /usr/lib64/libtirpc.so.3.0.0)
   by 0xE2EE047: xdr_opaque (in /usr/lib64/libtirpc.so.3.0.0)
   by 0x107A97DC: xdr_gfx_value (glusterfs4-xdr.c:207)
   by 0x107A98C0: xdr_gfx_dict_pair (glusterfs4-xdr.c:321)
   by 0xE2EF35E: xdr_array (in /usr/lib64/libtirpc.so.3.0.0)
   by 0x107A9A89: xdr_gfx_dict (glusterfs4-xdr.c:335)
   by 0x107AA97B: xdr_gfx_write_req (glusterfs4-xdr.c:897)
   by 0x107A181E: xdr_serialize_generic (xdr-generic.c:25)
   by 0x231044A2: client_submit_request (client.c:205)
   by 0x2314D3C1: client4_0_writev (client-rpc-fops_v2.c:3863)
   by 0x230FD5FA: client_writev (client.c:956)
 Address 0xad659e18 is 72 bytes inside a block of size 73 alloc'd
   at 0x483880B: malloc (vg_replace_malloc.c:299)
   by 0x106BA7EC: __gf_malloc (mem-pool.c:136)
   by 0x1064521E: gf_strndup (mem-pool.h:166)
   by 0x1064521E: gf_strdup (mem-pool.h:183)
   by 0x1064521E: get_fop_attr_thrd_key (glfs.c:627)
   by 0x1064D8E9: glfs_pwritev@@GFAPI_3.4.0 (glfs-fops.c:1154)
   by 0x10610C0C: glusterfs_write2 (handle.c:2092)
   by 0x54D30C: mdcache_write2 (mdcache_file.c:647)
   by 0x48A3FC: nfs4_write (nfs4_op_write.c:459)
   by 0x48A44D: nfs4_op_write (nfs4_op_write.c:487)
   by 0x4634F5: nfs4_Compound (nfs4_Compound.c:947)
   by 0x460155: nfs_rpc_process_request (nfs_worker_thread.c:1329)
   by 0x4608A3: nfs_rpc_valid_NFS (nfs_worker_thread.c:1539)
   by 0x488F12F: svc_vc_decode (svc_vc.c:825)

Backport of:

 &gt; Patch: https://review.gluster.org/21586/
 &gt; BUG: bz#1647651
 &gt; Change-Id: Ib9fff55c897bc43c15036a869888e763df133757
 &gt; Signed-off-by: Kinglong Mee &lt;mijinlong@open-fs.com&gt;
(cherry picked from commit 6d4cd8ce6c0d88d331ffed97c51d3061a3900561)

Updates bz#1648938
Change-Id: I881d1e9aeb343d456cbf80d16bc46fd4a81a8e43
Signed-off-by: Kinglong Mee &lt;mijinlong@open-fs.com&gt;
</content>
</entry>
<entry>
<title>packaging: don't include bd.so rpm in rpm when --without bd</title>
<updated>2018-11-13T13:55:19+00:00</updated>
<author>
<name>Kaleb S. KEITHLEY</name>
<email>kkeithle@redhat.com</email>
</author>
<published>2018-11-12T16:13:38+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=786a2136ac1a6a3d1e7566a923a32ed9af77e1bf'/>
<id>786a2136ac1a6a3d1e7566a923a32ed9af77e1bf</id>
<content type='text'>
Long-standing bug in the .spec file.

I guess nobody has ever built rpms with '--without bd'

Change-Id: I71e26c3d06af5d329ae89cc249a4ad88664ddf53
fixes: bz#1648982
Signed-off-by: Kaleb S. KEITHLEY &lt;kkeithle@redhat.com&gt;
</content>
</entry>
<entry>
<title>logging: check for fmts not being NULL</title>
<updated>2018-11-12T15:41:19+00:00</updated>
<author>
<name>Amar Tumballi</name>
<email>amarts@redhat.com</email>
</author>
<published>2018-07-13T09:15:31+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=c20122d6e9ad949a803d6ed78e120f9f7242e26d'/>
<id>c20122d6e9ad949a803d6ed78e120f9f7242e26d</id>
<content type='text'>
This fix is just a review of possible SIGSEGV issues in line 714,
as per the crash report in the bug:

```
08:35:25 Program terminated with signal 11, Segmentation fault.
08:35:25 #0  0x00007f4ebb491c5c in gf_time_fmt (dst=0x7f4eb1ff9a90 "", sz_dst=256, utime=1531470915, fmt=0)
at /home/jenkins/root/workspace/centos7-regression/libglusterfs/src/common-utils.h:714
```

fixes: bz#1648367
Change-Id: I160c391f8ac1a3456e59103d293b24e0e3fae718
Signed-off-by: Amar Tumballi &lt;amarts@redhat.com&gt;
(cherry picked from commit 6c2deb080aa2df73d3cb2a5f330208d30e9c6759)
</content>
</entry>
<entry>
<title>geo-rep: Fix traceback with symlink metadata sync</title>
<updated>2018-11-12T15:40:59+00:00</updated>
<author>
<name>Kotresh HR</name>
<email>khiremat@redhat.com</email>
</author>
<published>2018-11-05T06:16:41+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=e65f1ad03536a2de811d5092b665905af59934fb'/>
<id>e65f1ad03536a2de811d5092b665905af59934fb</id>
<content type='text'>
While syncing metadata, 'os.chmod', 'os.chown' and
'os.utime' should be used without de-reference.
But Python supports only 'os.chown' without
de-reference. That's mostly because Linux
doesn't support 'chmod' on the symlink file itself
but it does support 'chown'.

So while syncing metadata ops, if it's a symlink
we should only sync 'chown' and not do 'chmod'
and 'utime'. It will lead to tracebacks with
errors like EROFS, EPERM, ACCESS, ENOENT.
All the three errors (EPERM, ACCESS, ENOENT)
were handled except EROFS. But the way it was
handled was not foolproof. The operation was
tried and failure was handled based on the errors.
All the errors with the symlink file for 'chown',
'utime' had to be passed to the safe errors list of
'errno_wrap'. This patch handles it better by
avoiding 'chmod' and 'utime' if it's a symlink
file.

Backport of:
&gt; Patch: https://review.gluster.org/21546/
&gt; BUG: 1646104
&gt; Change-Id: Ic354206455cdc7ab2a87d741d81f4efe1f19d77d
&gt; Signed-off-by: Kotresh HR &lt;khiremat@redhat.com&gt;
(cherry picked from commit 3c6cf9a4a1b46cab2dc53c1ee0afca0fe993102e)

fixes: bz#1646806
Change-Id: Ic354206455cdc7ab2a87d741d81f4efe1f19d77d
Signed-off-by: Kotresh HR &lt;khiremat@redhat.com&gt;
</content>
</entry>
<entry>
<title>io-stats: prevent taking file dump on server side</title>
<updated>2018-11-12T15:39:00+00:00</updated>
<author>
<name>Amar Tumballi</name>
<email>amarts@redhat.com</email>
</author>
<published>2018-11-08T05:44:44+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=bcb9e2b9c38a2c00943d53ba564a71b283d04b9d'/>
<id>bcb9e2b9c38a2c00943d53ba564a71b283d04b9d</id>
<content type='text'>
By allowing clients to take a dump in a file on the brick process, we are
allowing compromised clients to create io-stats dumps on the server,
which can exhaust all the available inodes.

Fixes: CVE-2018-14659

Fixes: bz#1647669
Change-Id: I32bfde9d4fe646d819a45e627805b928cae2e1ca
Signed-off-by: Amar Tumballi &lt;amarts@redhat.com&gt;
</content>
</entry>
<entry>
<title>protocol: remove the option 'verify-volfile-checksum'</title>
<updated>2018-11-12T15:38:44+00:00</updated>
<author>
<name>Amar Tumballi</name>
<email>amarts@redhat.com</email>
</author>
<published>2018-11-01T01:46:32+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=f87246d11d69b01b05a593b8378469d1cc67fdbc'/>
<id>f87246d11d69b01b05a593b8378469d1cc67fdbc</id>
<content type='text'>
The 'getspec' operation has not been used between 'client' and 'server' ever since
we off-loaded volfile management to glusterd, i.e., at least 7 years.

No reason to keep the dead code! The removed option had no meaning,
as glusterd didn't provide a way to set (or unset) this option. So,
no regression should be observed from any of the existing glusterfs
deployment, supported or unsupported.

Updates: CVE-2018-14653

Updates: bz#1647670
Change-Id: I4a2e0f673c5bcd4644976a61dbd2d37003a428eb
Signed-off-by: Amar Tumballi &lt;amarts@redhat.com&gt;
</content>
</entry>
<entry>
<title>glusterd-handshake: prevent a buffer overflow</title>
<updated>2018-11-09T18:44:53+00:00</updated>
<author>
<name>Amar Tumballi</name>
<email>amarts@redhat.com</email>
</author>
<published>2018-11-01T01:38:29+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=6abe44670172f2031440b9c37923c07b712694e8'/>
<id>6abe44670172f2031440b9c37923c07b712694e8</id>
<content type='text'>
As the key size in XDR can be anything, it can be bigger than the
'NAME_MAX' allowed in the structure, which can allow for service denial
attacks.

Fixes: CVE-2018-14653

Fixes: bz#1647670
Change-Id: I2dc5e99af27ddf44c12c94b07e51adb8674cce80
Signed-off-by: Amar Tumballi &lt;amarts@redhat.com&gt;
</content>
</entry>
<entry>
<title>server: don't allow '/' in basename</title>
<updated>2018-11-09T14:04:35+00:00</updated>
<author>
<name>Amar Tumballi</name>
<email>amarts@redhat.com</email>
</author>
<published>2018-11-08T05:32:32+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=f0b5816f775ee75d42946694f031e70616a98cd9'/>
<id>f0b5816f775ee75d42946694f031e70616a98cd9</id>
<content type='text'>
The server stack needs to have all sorts of validation, assuming
clients can be compromised. It is possible for a compromised
client to send basenames with paths with '/', and with that
create files without permission on the server. By sanitizing the basename,
and not allowing anything other than an actual directory as the parent
for any entry creation, we can mitigate the effects of clients
not able to exploit the server.

Fixes: CVE-2018-14651

Fixes: bz#1647667
Change-Id: I5dc0da0da2713452ff2b65ac2ddbccf1a267dc20
Signed-off-by: Amar Tumballi &lt;amarts@redhat.com&gt;
</content>
</entry>
<entry>
<title>features/locks: fix statedump string</title>
<updated>2018-11-09T14:04:25+00:00</updated>
<author>
<name>Amar Tumballi</name>
<email>amarts@redhat.com</email>
</author>
<published>2018-11-08T05:16:12+00:00</published>
<link rel='alternate' type='text/html' href='http://git.gluster.org/cgit/glusterfs.git/commit/?id=9d9b9745c7e424f01e5526b23b1da17db263275e'/>
<id>9d9b9745c7e424f01e5526b23b1da17db263275e</id>
<content type='text'>
Currently, there are possibilities in a few places where a user-controlled
string (like a filename, program parameter, etc.) can be passed as 'fmt' for
printf(), which can lead to a segfault if the user's string contains '%s',
'%d' in it.

Fixes: CVE-2018-14661

NOTE: this change is a focused fix for the CVE, but is just a subset of
the changes in master. This is done so that we keep the changes in the
codebase to a minimum, and also, as the clang coding standard is implemented,
the changes wouldn't apply cleanly from master, so there is scope for
mistakes. By keeping it to a minimum, we solve the CVE, and also prevent
errors.

Fixes: bz#1647668
Change-Id: Ib547293f2d9eb618594cbff0df3b9c800e88bde4
Signed-off-by: Amar Tumballi &lt;amarts@redhat.com&gt;
</content>
</entry>
</feed>
