From dc775c4ae052d1e9d0f61ace3be999f73f0ffa23 Mon Sep 17 00:00:00 2001
From: Ravishankar N
Date: Thu, 1 Nov 2018 21:31:41 +0530
Subject: index: prevent arbitrary file creation outside entry-changes folder
Patch in master: https://review.gluster.org/#/c/glusterfs/+/21534/
Problem: A compromised client can set arbitrary values for the GF_XATTROP_ENTRY_IN_KEY and GF_XATTROP_ENTRY_OUT_KEY during xattrop fop. These values are consumed by index as a filename to be created/deleted according to the key. Thus it is possible to create/delete random files even outside the gluster volume boundary.
Fix: Index expects the filename to be a basename, i.e. it must not contain any pathname components like "/" or "../". Enforce this.
Fixes: CVE-2018-14654
Fixes: bz#1646204
Change-Id: I35f2a39257b5917d17283d0a4f575b92f783f143
Signed-off-by: Ravishankar N
---
 xlators/features/index/src/index.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/xlators/features/index/src/index.c b/xlators/features/index/src/index.c
index 08785f21a2a..f3b12595631 100644
--- a/xlators/features/index/src/index.c
+++ b/xlators/features/index/src/index.c
@@ -841,6 +841,14 @@ index_entry_create(xlator_t *this, inode_t *inode, char *filename)
 ctx->state[ENTRY_CHANGES] = IN;
 }
+ if (strchr(filename, '/')) {
+ gf_msg(this->name, GF_LOG_ERROR, EINVAL, INDEX_MSG_INDEX_ADD_FAILED,
+ "Got invalid entry (%s) for pargfid path (%s)", filename,
+ pgfid_path);
+ op_errno = EINVAL;
+ goto out;
+ }
+
 len = snprintf(entry_path, sizeof(entry_path), "%s/%s", pgfid_path, filename);
 if ((len < 0) || (len >= sizeof(entry_path))) {
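Review bot: The added check in index_entry_create rejects only names that contain '/', so ".", ".." and the empty string still pass and yield an entry_path that resolves to pgfid_path itself or its parent, although the commit message requires a plain basename. Tighten the condition to `if (!*filename || !strcmp(filename, ".") || !strcmp(filename, "..") || strchr(filename, '/')) {` and make the same change to the identical check in the index_entry_delete hunk. The check is also placed after the block that ends with `ctx->state[ENTRY_CHANGES] = IN;`, so a rejected name has already updated that state; validating before that block avoids the partial update. The function body starts and ends outside the hunk, so how the later calls treat such a path is not visible here.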
@@ -875,6 +883,15 @@ index_entry_delete(xlator_t *this, uuid_t pgfid, char *filename)
 make_gfid_path(priv->index_basepath, ENTRY_CHANGES_SUBDIR, pgfid, pgfid_path, sizeof(pgfid_path));
+
+ if (strchr(filename, '/')) {
+ gf_msg(this->name, GF_LOG_ERROR, EINVAL, INDEX_MSG_INDEX_DEL_FAILED,
+ "Got invalid entry (%s) for pargfid path (%s)", filename,
+ pgfid_path);
+ op_errno = EINVAL;
+ goto out;
+ }
+
 len = snprintf(entry_path, sizeof(entry_path), "%s/%s", pgfid_path, filename);
 if ((len < 0) || (len >= sizeof(entry_path))) {
--
cgit
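Review bot: This is a second, hand-copied instance of the name check added to index_entry_create, differing only in the message id (`INDEX_MSG_INDEX_DEL_FAILED`), so the two copies can drift apart when the rule is tightened later. Move the test into one small `static` helper in index.c, for example `static gf_boolean_t index_entry_name_is_valid(const char *filename)`, and call it from both functions. A comment on the helper such as `/* filename is a client-supplied xattrop key value; it must be a single path component */` would record why the check exists. index_entry_delete's body starts and ends outside the hunk.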