A local non-root user with access to the D-Bus system bus can call the CheckConfig method implemented in the tcmu-runner daemon via handler_glfs.so and cause various kinds of segmentation faults, depending on the string passed to the method. For example the "hosts" variable in glfs_check_config() is not zero initialized, but always freed on error, causing invalid free and/or invalid memory accesses. Upstream patch: https://github.com/open-iscsi/tcmu-runner/commit/61bd03e600d2abf309173e9186f4d465bb1b7157 References: http://seclists.org/oss-sec/2017/q3/207
Created tcmu-runner tracking bugs for this issue: Affects: fedora-all [bug 1487255]
This issue has been addressed in the following products: Red Hat Gluster Storage 3.3 for RHEL 7 Via RHSA-2017:3277 https://access.redhat.com/errata/RHSA-2017:3277