From fdaf6e34dba8eaaf3628233e7149c690054e4723 Mon Sep 17 00:00:00 2001
From: zhangyaqi
Date: Mon, 20 Oct 2025 07:15:03 +0800
Subject: [PATCH] fix use after free in readdir
(cherry picked from commit 2d20e41562e5e7344d3664f5b423c24ef3985898)
---
 0007-fix-use-after-free-in-readdir.patch | 46 ++++++++++++++++++++++++
 glusterfs.spec | 8 +++--
 2 files changed, 52 insertions(+), 2 deletions(-)
 create mode 100644 0007-fix-use-after-free-in-readdir.patch
diff --git a/0007-fix-use-after-free-in-readdir.patch b/0007-fix-use-after-free-in-readdir.patch
new file mode 100644
index 0000000..e3ca71b
--- /dev/null
+++ b/0007-fix-use-after-free-in-readdir.patch
@@ -0,0 +1,46 @@
+From 490e018484efc8db4d00ec6efa72d95c093be575 Mon Sep 17 00:00:00 2001
+From: Rafi KC
+Date: Tue, 18 Feb 2025 15:34:11 +0530
+Subject: [PATCH] api/glfs: Fix use after free in readdir (#4477)
+
+There is a code path in glfs readdir where we might end up
+using a free'ed memory. A possible case is when we use the
+fd to read the offset 0 after reading the content at least
+once, and the during the second time, the readdir return 0,
+probably due to the contents got deleted.
+
+Change-Id: I08fa6cc9b924b90597ef4498e081cae9339fbd6a
+Fixes: #3955
+
+Signed-off-by: Mohammed Rafi KC
+---
+ api/src/glfs-fops.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/api/src/glfs-fops.c b/api/src/glfs-fops.c
+index f60d1c7..2e5a957 100644
+--- a/api/src/glfs-fops.c
++++ b/api/src/glfs-fops.c
+@@ -48,6 +48,7 @@ glfs_mark_glfd_for_deletion(struct glfs_fd *glfd)
+ LOCK(&glfd->lock);
+ {
+ glfd->state = GLFD_CLOSE;
++ glfd->next = NULL;
+ }
+ UNLOCK(&glfd->lock);
+
+@@ -4011,6 +4012,11 @@ glfd_entry_refresh(struct glfs_fd *glfd, int plus)
+ }
+
+ list_splice_init(&glfd->entries, &old.list);
++ /* If glfd->next is non null means, this entry is from the old
++ * list, there is no point in keeping the free'ed data. Hence
++ * set to NULL;
++ */
++ glfd->next = NULL;
+ list_splice_init(&entries.list, &glfd->entries);
+
+ /* spurious errno is dangerous for glfd_entry_next() */
+--
+2.43.0
+
diff --git a/glusterfs.spec b/glusterfs.spec
index 81fcb9e..87a9a6b 100644
--- a/glusterfs.spec
+++ b/glusterfs.spec
@@ -224,7 +224,7 @@ Summary: Distributed File System
 Name: glusterfs
 Version: 11.1
-Release: 6
+Release: 7
 License: GPLv3 or GPLv2+ or LGPLv3+
 URL: http://docs.gluster.org/
 %if ( 0%{_for_fedora_koji_builds} )
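Review bot: In glfd_entry_refresh the new `glfd->next = NULL;` is stored without any visible `LOCK(&glfd->lock)`, whereas the identical store added to glfs_mark_glfd_for_deletion sits inside `LOCK(&glfd->lock); { ... } UNLOCK(&glfd->lock);`. If the caller of glfd_entry_refresh does not already hold that lock — the hunk shows only eleven lines of the function, so this cannot be confirmed here — a close and a readdir on the same fd write the same field unsynchronised, and a reader in glfd_entry_next may still pick up the cursor into `old` before the clearing store lands, which is the very dangling pointer the patch is meant to remove. Either take the lock around the store or state in the comment which lock protects `glfd->next`, so the two sites agree. The added comment would also read more precisely as `/* glfd->next still points into the old list, which is freed below; clear it so a refresh that returned no entries cannot hand out a dangling cursor. Caller must hold glfd->lock. */` with the lock sentence adjusted to whatever the real contract is. Both glfs_mark_glfd_for_deletion and glfd_entry_refresh begin and end outside the hunk.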
@@ -243,6 +243,7 @@ Patch3: 0003-fix-mount.glusterfs-Remove-from-grep-command.patch
 Patch4: 0004-prevent-gnfs-IO-Errors-on-smaller-files.patch
 Patch5: 0005-glusterd-fix-memory-leaks-due-to-lack-of-GF_FREE.patch
 Patch6: 0006-glusterd-fix-memory-leaks-detected-by-asan.patch
+Patch7: 0007-fix-use-after-free-in-readdir.patch
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 BuildRequires: rpcgen gperftools-devel libunwind-devel
@@ -1505,7 +1506,10 @@ exit 0
 %{_mandir}/man8/*gluster*.8*
 %changelog
-* Tue Jul 1 2025 wangmian - 11.1-6
+* Fri Oct 24 2025 zhangyaqi - 11.1-7
+- api/glfs: Fix use after free in readdir
+
+* Tue Jul 01 2025 wangmian - 11.1-6
 - Fixed bug for macros in Changelog
 * Mon Jul 22 2024 cenhuilin - 11.1-5
--
Gitee