glusterfs.git/xlators/storage, branch v5.1 all: fix the format string exceptions 2018-11-09T14:03:02+00:00 Amar Tumballi amarts@redhat.com 2018-11-06T17:17:41+00:00 83304fedb464fe3f97db662ce3e07bd948b7b7d9 Currently, there are possibilities in few places, where a user-controlled (like filename, program parameter etc) string can be passed as 'fmt' for printf(), which can lead to segfault, if the user's string contains '%s', '%d' in it. While fixing it, makes sense to make the explicit check for such issues across the codebase, by making the format call properly. Fixes: CVE-2018-14661 Fixes: bz#1647666 Change-Id: Ib547293f2d9eb618594cbff0df3b9c800e88bde4 Signed-off-by: Amar Tumballi <amarts@redhat.com> 
Currently, there are possibilities in few places, where a user-controlled
(like filename, program parameter etc) string can be passed as 'fmt' for
printf(), which can lead to segfault, if the user's string contains '%s',
'%d' in it.

While fixing it, makes sense to make the explicit check for such issues
across the codebase, by making the format call properly.

Fixes: CVE-2018-14661

Fixes: bz#1647666
Change-Id: Ib547293f2d9eb618594cbff0df3b9c800e88bde4
Signed-off-by: Amar Tumballi <amarts@redhat.com>
server: don't allow '/' in basename 2018-11-08T19:06:17+00:00 Amar Tumballi amarts@redhat.com 2018-11-01T01:32:11+00:00 d0b3b63519dac97ad2c4bc24821565e9aea02ba2 Server stack needs to have all the sort of validation, assuming clients can be compromized. It is possible for a compromized client to send basenames with paths with '/', and with that create files without permission on server. By sanitizing the basename, and not allowing anything other than actual directory as the parent for any entry creation, we can mitigate the effects of clients not able to exploit the server. Fixes: CVE-2018-14651 Fixes: bz#1647663 Change-Id: I5dc0da0da2713452ff2b65ac2ddbccf1a267dc20 Signed-off-by: Amar Tumballi <amarts@redhat.com> 
Server stack needs to have all the sort of validation, assuming
clients can be compromized. It is possible for a compromized
client to send basenames with paths with '/', and with that
create files without permission on server. By sanitizing the basename,
and not allowing anything other than actual directory as the parent
for any entry creation, we can mitigate the effects of clients
not able to exploit the server.

Fixes: CVE-2018-14651

Fixes: bz#1647663
Change-Id: I5dc0da0da2713452ff2b65ac2ddbccf1a267dc20
Signed-off-by: Amar Tumballi <amarts@redhat.com>
posix/ctime: Avoid log flood in posix_update_utime_in_mdata 2018-11-08T14:35:54+00:00 Kotresh HR khiremat@redhat.com 2018-10-30T05:26:52+00:00 a2e5f1dbdfff7d1b09b383f5f916d6ae0bc6cb73 posix_update_utime_in_mdata() unconditionally logs an error if consistent time attributes features is not enabled. This log does not add any value, prints an incorrect errno & floods the log file. Hence nuking this log message in this patch. Backport of: > Patch: https://review.gluster.org/21520/ > BUG: 1644129 > Change-Id: I9a1f9e7ada3366d2830f18d81f16a1461040092e > Signed-off-by: Kotresh HR <khiremat@redhat.com> fixes: bz#1644526 Change-Id: I9a1f9e7ada3366d2830f18d81f16a1461040092e Signed-off-by: Kotresh HR <khiremat@redhat.com> 
posix_update_utime_in_mdata() unconditionally logs an error if
consistent time attributes features is not enabled. This log
does not add any value, prints an incorrect errno & floods
the log file. Hence nuking this log message in this patch.

Backport of:

> Patch: https://review.gluster.org/21520/
> BUG: 1644129
> Change-Id: I9a1f9e7ada3366d2830f18d81f16a1461040092e
> Signed-off-by: Kotresh HR <khiremat@redhat.com>

fixes: bz#1644526
Change-Id: I9a1f9e7ada3366d2830f18d81f16a1461040092e
Signed-off-by: Kotresh HR <khiremat@redhat.com>
storage/posix: Do not fail entry creation fops if gfid handle already exists 2018-10-22T05:46:38+00:00 Krutika Dhananjay kdhananj@redhat.com 2018-10-17T08:56:14+00:00 ecdc33ada79f155f2bde2860b29872526939e22b Backport of: > Change-Id: I84a5e54d214b6c47ed85671a880bb1c767a29f4d > Signed-off-by: Krutika Dhananjay <kdhananj@redhat.com> > (cherry picked from commit 15c9976) > BUG: 1638453 PROBLEM: tests/bugs/shard/bug-1251824.t fails occasionally with EIO due to gfid mismatch across replicas on the same shard when dd is executed. CAUSE: Turns out this is due to a race between posix_mknod() and posix_lookup(). posix mknod does 3 operations, among other things: 1. creation of the entry itself under its parent directory 2. setting the gfid xattr on the file, and 3. creating the gfid link under .glusterfs. Consider a case where the thread doing posix_mknod() (initiated by shard) has executed steps 1 and 2 and is on its way to executing 3. And a parallel LOOKUP from another thread on noting that loc->inode->gfid is NULL, tries to perform gfid_heal where it attempts to create the gfid link under .glusterfs and succeeds. As a result, posix_gfid_set() through MKNOD (step 3) fails with EEXIST. In the older code, MKNOD under such conditions was NOT being treated as a failure. But commit e37ee6d changes this behavior by failing MKNOD, causing the entry creation to be undone in posix_mknod() (it's another matter that the stale gfid handle gets left behind if lookup has gone ahead and gfid-healed it). All of this happens on only one replica while on the other MKNOD succeeds. Now if a parallel write causes shard translator to send another MKNOD of the same shard (shortly after AFR releases entrylk from the first MKNOD), the file is created on the other replica too, although with a new gfid (since "gfid-req" that is passed now is a new UUID. This leads to a gfid-mismatch across the replicas. FIX: The solution is to not fail MKNOD (or any other entry fop for that matter that does posix_gfid_set()) if the .glusterfs link creation fails with EEXIST. Change-Id: I84a5e54d214b6c47ed85671a880bb1c767a29f4d fixes: bz#1641429 Signed-off-by: Krutika Dhananjay <kdhananj@redhat.com> 
Backport of:
> Change-Id: I84a5e54d214b6c47ed85671a880bb1c767a29f4d
> Signed-off-by: Krutika Dhananjay <kdhananj@redhat.com>
> (cherry picked from commit 15c9976)
> BUG: 1638453

PROBLEM:
tests/bugs/shard/bug-1251824.t fails occasionally with EIO due to gfid
mismatch across replicas on the same shard when dd is executed.

CAUSE:
Turns out this is due to a race between posix_mknod() and posix_lookup().

posix mknod does 3 operations, among other things:
1. creation of the entry itself under its parent directory
2. setting the gfid xattr on the file, and
3. creating the gfid link under .glusterfs.

Consider a case where the thread doing posix_mknod() (initiated by shard)
has executed steps 1 and 2 and is on its way to executing 3. And a
parallel LOOKUP from another thread on noting that loc->inode->gfid is NULL,
tries to perform gfid_heal where it attempts to create the gfid link
under .glusterfs and succeeds.  As a result, posix_gfid_set() through
MKNOD (step 3) fails with EEXIST.

In the older code, MKNOD under such conditions was NOT being treated
as a failure. But commit e37ee6d changes this behavior by failing MKNOD,
causing the entry creation to be undone in posix_mknod() (it's another
matter that the stale gfid handle gets left behind if lookup has gone
ahead and gfid-healed it).
All of this happens on only one replica while on the other MKNOD succeeds.

Now if a parallel write causes shard translator to send another MKNOD
of the same shard (shortly after AFR releases entrylk from the first
MKNOD), the file is created on the other replica too, although with a
new gfid (since "gfid-req" that is passed now is a new UUID. This leads
to a gfid-mismatch across the replicas.

FIX:
The solution is to not fail MKNOD (or any other entry fop for that matter
that does posix_gfid_set()) if the .glusterfs link creation fails with EEXIST.

Change-Id: I84a5e54d214b6c47ed85671a880bb1c767a29f4d
fixes: bz#1641429
Signed-off-by: Krutika Dhananjay <kdhananj@redhat.com>
posix: Fix exporting default value for `export-statfs-size` 2018-10-08T05:40:48+00:00 Aravinda VK avishwan@redhat.com 2018-09-17T08:46:09+00:00 3a962b17ad82a7a80da804550cfdf84ec4ec82fd No default value was specified for `export-statfs-size` in posix option table. Glusterd2 sets default value as `off` since the option type is `bool`. Posix treats `export-statfs-size=on` if not specified in volfile(That means default value is `on`) This patch sets default value as `on` > Change-Id: I5c6341183be9b62a78fdbc94621220f9284e1382 > updates: #302 > Signed-off-by: Aravinda VK <avishwan@redhat.com> (cherry picked from commit 07088d95e450f847722e5decbfa5da18a0dbd9de) Change-Id: Ib6b3accdb9921376c16040bd2312b99b0226a26f Fixes: bz#1636842 Signed-off-by: Aravinda VK <avishwan@redhat.com> 
No default value was specified for `export-statfs-size` in posix
option table. Glusterd2 sets default value as `off` since the
option type is `bool`. Posix treats `export-statfs-size=on` if
not specified in volfile(That means default value is `on`)

This patch sets default value as `on`

> Change-Id: I5c6341183be9b62a78fdbc94621220f9284e1382
> updates: #302
> Signed-off-by: Aravinda VK <avishwan@redhat.com>

(cherry picked from commit 07088d95e450f847722e5decbfa5da18a0dbd9de)

Change-Id: Ib6b3accdb9921376c16040bd2312b99b0226a26f
Fixes: bz#1636842
Signed-off-by: Aravinda VK <avishwan@redhat.com>
ctime: Provide noatime option 2018-10-02T12:45:23+00:00 Kotresh HR khiremat@redhat.com 2018-09-03T13:07:58+00:00 315b45f85ecba15d7fc8f2342468b89ee4747c48 Most of the applications are {c|m}time dependant and very few are atime dependant. So provide noatime option to not update atime when ctime feature is enabled. Also this option has to be enabled with ctime feature to avoid unnecessary self heal. Since AFR/EC reads data from single subvolume, atime is only updated in one subvolume triggering self heal. Backport of: > Patch: https://review.gluster.org/21073 > BUG: 1593538 > Change-Id: I085fb33c882296545345f5df194cde7b6cbc337e > Signed-off-by: Kotresh HR <khiremat@redhat.com> (cherry picked from commit 89636be4c73b12de2e11c75d8e59527bb243f147) updates: bz#1633015 Change-Id: I085fb33c882296545345f5df194cde7b6cbc337e Signed-off-by: Kotresh HR <khiremat@redhat.com> 
Most of the applications are {c|m}time dependant
and very few are atime dependant. So provide noatime
option to not update atime when ctime feature is
enabled.

Also this option has to be enabled with ctime
feature to avoid unnecessary self heal. Since
AFR/EC reads data from single subvolume, atime
is only updated in one subvolume triggering self
heal.

Backport of:
> Patch: https://review.gluster.org/21073
> BUG: 1593538
> Change-Id: I085fb33c882296545345f5df194cde7b6cbc337e
> Signed-off-by: Kotresh HR <khiremat@redhat.com>
(cherry picked from commit 89636be4c73b12de2e11c75d8e59527bb243f147)

updates: bz#1633015
Change-Id: I085fb33c882296545345f5df194cde7b6cbc337e
Signed-off-by: Kotresh HR <khiremat@redhat.com>
gfapi: revert several patchs that introduced pre/post attrs 2018-09-17T14:26:06+00:00 ShyamsundarR srangana@redhat.com 2018-09-14T02:15:20+00:00 cee40c3e3c26ebfb3b98109d154501a5cce61c0d Reverted the following: - 248152767b0599986bbb6bb35fc27197f6be6964 - 09943beb499617212f2985ca8ea9ecd1ed1b470e - d01f7244e9d9f7e3ef84e0ba7b48ef1b1b09d809 The reverts are redone by hand, due to clang format changes that made using git to revert the changes more tedious. Change-Id: I96489638a2b641fb2206a110298543225783f7be Updates: bz#1628620 Signed-off-by: ShyamsundarR <srangana@redhat.com> 
Reverted the following:
  - 248152767b0599986bbb6bb35fc27197f6be6964
  - 09943beb499617212f2985ca8ea9ecd1ed1b470e
  - d01f7244e9d9f7e3ef84e0ba7b48ef1b1b09d809

The reverts are redone by hand, due to clang format changes
that made using git to revert the changes more tedious.

Change-Id: I96489638a2b641fb2206a110298543225783f7be
Updates: bz#1628620
Signed-off-by: ShyamsundarR <srangana@redhat.com>
Land part 2 of clang-format changes 2018-09-12T12:22:45+00:00 Gluster Ant bugzilla-bot@gluster.org 2018-09-12T12:22:45+00:00 e16868dede6455cab644805af6fe1ac312775e13 Change-Id: Ia84cc24c8924e6d22d02ac15f611c10e26db99b4 Signed-off-by: Nigel Babu <nigelb@redhat.com> 
Change-Id: Ia84cc24c8924e6d22d02ac15f611c10e26db99b4
Signed-off-by: Nigel Babu <nigelb@redhat.com>
Land clang-format changes 2018-09-12T11:52:48+00:00 Gluster Ant bugzilla-bot@gluster.org 2018-09-12T11:52:48+00:00 45a71c0548b6fd2c757aa2e7b7671a1411948894 Change-Id: I6f5d8140a06f3c1b2d196849299f8d483028d33b 
Change-Id: I6f5d8140a06f3c1b2d196849299f8d483028d33b
storage/posix: Fix coverity issue - Unchecked return value 2018-09-11T04:15:56+00:00 Ashish Pandey aspandey@redhat.com 2018-09-06T10:45:01+00:00 ee79077c0d19ddf97caea22cc001b6f4f9b0829c Fixes CID: 1388886 https://scan6.coverity.com/reports.htm#v42607/p10714/fileInstanceId=85287446&defectInstanceId=25997291&mergedDefectId=1388886 Change-Id: Ic4e558bba7e15d213c07bc31affb2e175ace5502 updates: bz#789278 Signed-off-by: Ashish Pandey <aspandey@redhat.com> 
Fixes CID: 1388886

https://scan6.coverity.com/reports.htm#v42607/p10714/fileInstanceId=85287446&defectInstanceId=25997291&mergedDefectId=1388886

Change-Id: Ic4e558bba7e15d213c07bc31affb2e175ace5502
updates: bz#789278
Signed-off-by: Ashish Pandey <aspandey@redhat.com>