Date
1 - 5 of 5
[meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979
|
Joe Slater
Ceph-volume does not properly control key sizes.
Cherry-pick from github.com/ceph/ceph.git. Signed-off-by: Joe Slater <joe.slater@...> --- .../ceph/ceph/CVE-2021-3979.patch | 158 ++++++++++++++++++ recipes-extended/ceph/ceph_15.2.15.bb | 1 + 2 files changed, 159 insertions(+) create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch new file mode 100644 index 00000000..081b32ba --- /dev/null +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch @@ -0,0 +1,158 @@ +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001 +From: Guillaume Abrioux <gabrioux@...> +Date: Tue, 25 Jan 2022 10:25:53 +0100 +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option + +ceph-volume doesn't honour osd_dmcrypt_key_size. +It means the default size is always applied. + +It also changes the default value in `get_key_size_from_conf()` + +From cryptsetup manpage: + +> For XTS mode you can optionally set a key size of 512 bits with the -s option. + +Using more than 512bits will end up with the following error message: + +``` +Key size in XTS mode must be 256 or 512 bits. +``` + +Fixes: https://tracker.ceph.com/issues/54006 + +Signed-off-by: Guillaume Abrioux <gabrioux@...> + +Upstream-Status: Backport + github.com/ceph/ceph.git + equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656 + +CVE: CVE-2021-3979 + +Signed-off-by: Joe Slater <joe.slater@...> +--- + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------ + .../ceph_volume/util/encryption.py | 34 ++++++++++----- + 2 files changed, 51 insertions(+), 24 deletions(-) + +diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py +index e1420b440d3..c86dc50b7c7 100644 +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py +@@ -1,5 +1,31 @@ + from ceph_volume.util import encryption ++import base64 + ++class TestGetKeySize(object): ++ def test_get_size_from_conf_default(self, conf_ceph_stub): ++ conf_ceph_stub(''' ++ [global] ++ fsid=asdf ++ ''') ++ assert encryption.get_key_size_from_conf() == '512' ++ ++ def test_get_size_from_conf_custom(self, conf_ceph_stub): ++ conf_ceph_stub(''' ++ [global] ++ fsid=asdf ++ [osd] ++ osd_dmcrypt_key_size=256 ++ ''') ++ assert encryption.get_key_size_from_conf() == '256' ++ ++ def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub): ++ conf_ceph_stub(''' ++ [global] ++ fsid=asdf ++ [osd] ++ osd_dmcrypt_key_size=1024 ++ ''') ++ assert encryption.get_key_size_from_conf() == '512' + + class TestStatus(object): + +@@ -37,17 +63,6 @@ class TestDmcryptClose(object): + + class TestDmcryptKey(object): + +- def test_dmcrypt_with_default_size(self, conf_ceph_stub): +- conf_ceph_stub('[global]\nfsid=asdf-lkjh') +- result = encryption.create_dmcrypt_key() +- assert len(result) == 172 +- +- def test_dmcrypt_with_custom_size(self, conf_ceph_stub): +- conf_ceph_stub(''' +- [global] +- fsid=asdf +- [osd] +- osd_dmcrypt_size=8 +- ''') ++ def test_dmcrypt(self): + result = encryption.create_dmcrypt_key() +- assert len(result) == 172 ++ assert len(base64.b64decode(result)) == 128 +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py +index 72a0ccf121e..2a2c03337b6 100644 +--- a/src/ceph-volume/ceph_volume/util/encryption.py ++++ b/src/ceph-volume/ceph_volume/util/encryption.py +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type + + logger = logging.getLogger(__name__) + +- +-def create_dmcrypt_key(): ++def get_key_size_from_conf(): + """ +- Create the secret dm-crypt key used to decrypt a device. ++ Return the osd dmcrypt key size from config file. ++ Default is 512. + """ +- # get the customizable dmcrypt key size (in bits) from ceph.conf fallback +- # to the default of 1024 +- dmcrypt_key_size = conf.ceph.get_safe( ++ default_key_size = '512' ++ key_size = conf.ceph.get_safe( + 'osd', + 'osd_dmcrypt_key_size', +- default=1024, +- ) +- # The size of the key is defined in bits, so we must transform that +- # value to bytes (dividing by 8) because we read in bytes, not bits +- random_string = os.urandom(int(dmcrypt_key_size / 8)) ++ default='512') ++ ++ if key_size not in ['256', '512']: ++ logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). " ++ "Falling back to {}bits".format(key_size, default_key_size))) ++ return default_key_size ++ ++ return key_size ++ ++def create_dmcrypt_key(): ++ """ ++ Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key. ++ """ ++ random_string = os.urandom(128) + key = base64.b64encode(random_string).decode('utf-8') + return key + +@@ -38,6 +46,8 @@ def luks_format(key, device): + command = [ + 'cryptsetup', + '--batch-mode', # do not prompt ++ '--key-size', ++ get_key_size_from_conf(), + '--key-file', # misnomer, should be key + '-', # because we indicate stdin for the key here + 'luksFormat', +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping): + """ + command = [ + 'cryptsetup', ++ '--key-size', ++ get_key_size_from_conf(), + '--key-file', + '-', + '--allow-discards', # allow discards (aka TRIM) requests for device +-- +2.35.1 + diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb index 17dbcf35..b13ebb70 100644 --- a/recipes-extended/ceph/ceph_15.2.15.bb +++ b/recipes-extended/ceph/ceph_15.2.15.bb @@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \ file://ceph.conf \ file://0001-cmake-add-support-for-python3.10.patch \ file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \ + file://CVE-2021-3979.patch \ " SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf" -- 2.35.1 |
|
|
|
Bruce Ashfield
What about master ? Does it have the same issue ?
toggle quoted message
Show quoted text
Bruce On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@...> wrote:
--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II |
|
|
|
Joe Slater
toggle quoted message
Show quoted text
-----Original Message-----Yes, and I have the patch for that. You cannot cherry-pick between the branches because recipe context is different. The source patch is the same. I used kirkstone first for internal reasons. Joe
|
|
|
|
Bruce Ashfield
On Wed, Aug 10, 2022 at 2:26 PM Slater, Joseph <joe.slater@...> wrote:
In order to merge this to kirkstone, it needs to be on master first.-----Original Message-----Yes, and I have the patch for that. You cannot cherry-pick between the branches because So there should be two sends of the patch, one for master and then another for kirkstone (if it can't be cherry picked). If you sent the one to master and I missed it, my apologies ... gmail threads strangely at times. Bruce Joe -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II |
|
|
|
Joe Slater
No, you didn't miss it. I'll send it in an hour or so. Joe
toggle quoted message
Show quoted text
-----Original Message----- |
|
|