[Bugs] [Bug 1272929] New: libgfapi: brick process crashes if attr KEY length > 255 for glfs_lgetxattr(...)

bugzilla at redhat.com bugzilla at redhat.com
Mon Oct 19 08:56:04 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1272929

            Bug ID: 1272929
           Summary: libgfapi: brick process crashes if attr KEY length >
                    255 for glfs_lgetxattr(...)
           Product: Red Hat Gluster Storage
           Version: 3.1
         Component: glusterfs
     Sub Component: core
          Keywords: Triaged
          Assignee: rhs-bugs at redhat.com
          Reporter: mchangir at redhat.com
        QA Contact: annair at redhat.com
                CC: bugs at gluster.org, gluster-bugs at redhat.com,
                    jthottan at redhat.com, mchangir at redhat.com,
                    ndevos at redhat.com, rgowdapp at redhat.com,
                    sdharane at redhat.com
        Depends On: 1263056
            Blocks: 1272926
             Group: redhat



+++ This bug was initially created as a clone of Bug #1263056 +++

Description of problem:
When testing integration with bareos backup/restore application, it was noticed
that the brick process, glusterfsd terminates with a core dump. Random
attribute key values having length greater than 255 consistently caused
glusterfsd to crash while servicing a call to glfs_lgetxattr() function.

Input validation seems to be missing in libgfapi.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

--- Additional comment from Soumya Koduri on 2015-09-15 08:20:01 EDT ---

Could you provide core(bt), logs and the steps to reproduce the issue?

--- Additional comment from Milind Changire on 2015-09-15 12:47:57 EDT ---

Actually I faced a stack corruption problem while testing integration with a
backup-restore application called bareos.

There has been some root cause analysis by Raghavendra G and Poornima G and it
was concluded that although the VFS doesn't allow operations on xattr keys >
255 in length via getfattr command and the keys don't reach the server, there
isn't any validation in the libgfapi at least for this specific criteria for
this specific API.

Poornima G also attempted to get/set xattr via api/examples/glfsxmp.c with a
key > 255 length and had a different outcome. Please consult her for more info.

Here's the uncommitted patch of the fix for reference:

diff --git a/api/src/glfs-fops.c b/api/src/glfs-fops.c
index ff85f7b..2d7a23c 100644
--- a/api/src/glfs-fops.c
+++ b/api/src/glfs-fops.c
@@ -2853,6 +2853,12 @@ glfs_getxattr_common (struct glfs *fs, const char *path,
const char *name,
                errno = EIO;
                goto out;
        }
+
+        if (strlen(name) > 255) {
+                ret = -1;
+                errno = EINVAL;
+                goto out;
+        }
 retry:
        if (follow)
                ret = glfs_resolve (fs, subvol, path, &loc, &iatt, reval);
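
Review bot: The `strlen(name) > 255` check added just before `retry:` only protects callers that go through glfs_getxattr_common, while the reported failure is a crash in the brick process (glusterfsd). The server side should reject over-long keys itself rather than rely on every client filtering them, and the set/remove xattr entry points are not touched by this hunk. The bare 255 would be clearer as a named constant (on Linux, XATTR_NAME_MAX from <linux/limits.h> has this value). If `name` is not already checked for NULL earlier in the function, `strlen(name)` will dereference it, so the length check should follow a NULL check.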

--- Additional comment from Jiffin on 2015-09-22 08:45:13 EDT ---

Can you send out the fix upstream and change the status of the bug accordingly?

--- Additional comment from Milind Changire on 2015-09-22 09:14:06 EDT ---

Gerrit review for upstream master available at:
http://review.gluster.org/#/c/12207/


Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1263056
[Bug 1263056] libgfapi: brick process crashes if attr KEY length > 255 for
glfs_lgetxattr(...)
https://bugzilla.redhat.com/show_bug.cgi?id=1272926
[Bug 1272926] libgfapi: brick process crashes if attr KEY length > 255 for
glfs_lgetxattr(...)