Bug 1625096
| Field | Value |
|---|---|
| Summary | CVE-2018-10923 glusterfs: I/O to arbitrary devices on storage server |
| Product | [Community] GlusterFS |
| Component | core |
| Version | 4.1 |
| Status | CLOSED CURRENTRELEASE |
| Severity | high |
| Priority | high |
| Reporter | Amar Tumballi <atumball> |
| Assignee | Amar Tumballi <atumball> |
| CC | anoopcs, bugs, dmoppert, extras-qa, humble.devassy, jonathansteffan, kkeithle, matthias, ndevos, ramkrsna, sisharma |
| Keywords | Security, SecurityTracking |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | glusterfs-5.0 |
| Doc Type | Release Note |
| Clone Of | 1625091 |
| | 1625648 |
| Last Closed | 2018-09-10 06:39:58 UTC |
| Bug Depends On | 1625091 |
| Bug Blocks | 1610659, 1625648 |
Description
Amar Tumballi
2018-09-04 06:17:35 UTC
REVIEW: https://review.gluster.org/21069 (posix: disable block and character files) posted (#1) for review on master by Amar Tumballi

REVIEW: https://review.gluster.org/21092 (posix: disable block and character files) posted (#1) for review on release-4.1 by Amar Tumballi

COMMIT: https://review.gluster.org/21069 committed in master by "Amar Tumballi" <amarts> with a commit message-

posix: disable open/read/write on special files

In the file system, the responsibility w.r.to the block and char device files is related to only support for 'creating' them (using mknod(2)).

Once the device files are created, the read/write syscalls for the specific devices are handled by the device driver registered for the specific major number, and depending on the minor number, it knows where to read from. Hence, we are at risk of reading contents from devices which are handled by the host kernel on server nodes.

By disabling open/read/write on the device file, we would be safe with the bypass one can achieve from client side (using gfapi)

Fixes: bz#1625096
Change-Id: I48c776b0af1cbd2a5240862826d3d8918601e47f
Signed-off-by: Amar Tumballi <amarts>

COMMIT: https://review.gluster.org/21092 committed in release-4.1 by "jiffin tony Thottan" <jthottan> with a commit message-

posix: disable open/read/write on special files

In the file system, the responsibility w.r.to the block and char device files is related to only support for 'creating' them (using mknod(2)).

Once the device files are created, the read/write syscalls for the specific devices are handled by the device driver registered for the specific major number, and depending on the minor number, it knows where to read from. Hence, we are at risk of reading contents from devices which are handled by the host kernel on server nodes.

By disabling open/read/write on the device file, we would be safe with the bypass one can achieve from client side (using gfapi)

Fixes: bz#1625096
Change-Id: I48c776b0af1cbd2a5240862826d3d8918601e47f
Signed-off-by: Amar Tumballi <amarts>

This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-4.1.4, please open a new bug report.

glusterfs-4.1.4 has been announced on the Gluster mailing lists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] https://lists.gluster.org/pipermail/announce/2018-September/000112.html
[2] https://www.gluster.org/pipermail/gluster-users/

This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-5.0, please open a new bug report.

glusterfs-5.0 has been announced on the Gluster mailing lists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] https://lists.gluster.org/pipermail/announce/2018-October/000115.html
[2] https://www.gluster.org/pipermail/gluster-users/
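The commit message earlier on this page describes refusing open/read/write on block and character device files on the server. The sketch below shows that kind of check in plain POSIX C; it is an added example, not code from the GlusterFS patch, and `guarded_open`, `is_device_node` and the choice of `EINVAL` are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if the mode describes a block or character device node. */
static int is_device_node(mode_t mode)
{
    return S_ISBLK(mode) || S_ISCHR(mode);
}

/* Added example, not GlusterFS code. Hypothetical helper: open an existing
 * backing-store file for data I/O, rejecting device nodes. Returns an fd,
 * or -1 with errno set (EINVAL for device nodes is this example's choice). */
int guarded_open(const char *path, int flags)
{
    struct stat st;
    int fd, saved;
    /* Check first: open() on a device node already calls into its driver. */
    if (lstat(path, &st) == -1)
        return -1;
    if (is_device_node(st.st_mode)) {
        errno = EINVAL;
        return -1;
    }
    /* O_NOFOLLOW rejects a symlink as the final path component (ELOOP);
     * O_NONBLOCK avoids hanging if the path was swapped after lstat(). */
    fd = open(path, flags | O_NOFOLLOW | O_NONBLOCK);
    if (fd == -1)
        return -1;
    /* Re-check the object actually opened to close the lstat/open race. */
    if (fstat(fd, &st) == -1)
        saved = errno;
    else
        saved = is_device_node(st.st_mode) ? EINVAL : 0;
    if (saved != 0) {
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Sample input: /dev/null is a character device, so it must be rejected. */
    return guarded_open("/dev/null", O_RDONLY) == -1 ? 0 : 1;
}
```

The type check runs on the server-side path, so a device node created through mknod(2) can still exist in the volume while data I/O on it is refused.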