[Bug 1274247] Re: [MIR] Glusterfs

Seth Arnold 1274247 at bugs.launchpad.net
Fri Apr 11 00:21:51 UTC 2014 

I reviewed glusterfs version 3.4.2-1ubuntu1 as checked into trusty. This
should not be considered a full security audit, but rather a quick gauge
of maintainability.

I'm not going to fill in the full review checklist; I don't think that
the results would be that useful for anyone, so here's just a list
of what I found while reading the code:

- cppcheck reports ~20 real coding mistakes, perhaps a few false positives
- get_uuid_via_daemon() doesn't check fork() for error return
- rdd_valid_config() buffer overflow rdd_config.out_file.path
- gf_cli_print_limit_list() doesn't check sprintf(abspath) return value
- rb_malloc() and rb_free() ignore their allocator argument
  Not a security problem, but might be very surprising
- int_to_data() data_from_[u]int{64,32,16,8}() data_from_double()
  all re-calculate the length rather than use the return value from
  gf_asprintf(). (Not a security problem, just redundant.)

Because a filesystem is supposed to be extremely high quality, I'm very
concerned about the issues found with cppcheck and the issues I found
by hand. While nothing looked security-relevant on a first glance, the
architecture of a clustered filesystem may turn otherwise benign issues
into serious security issues. Unchecked error returns, null-pointer
dereferences, and buffer overflows are all together too much.

The general coding style is good and shows discipline and promise, but
I don't believe we should bless this current codebase. Perhaps we can
reconsider this for a future release: in the meantime, please address
the cppcheck issues. (I see on the glusterfs wiki that recently Coverity
scans are being run on glusterfs; hopefully this work will land before
the next Ubuntu release.)

Security team NACK for glusterfs in main for 14.04 LTS. With the proper
quality work, this may be suitable for support in future releases.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1274247

Title:
  [MIR] Glusterfs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glusterfs/+bug/1274247/+subscriptions

More information about the Ubuntu-server-bugs mailing list