> -----Original Message----- > From: Bruce Ashfield <[email protected]> > Sent: Wednesday, August 10, 2022 11:03 AM > To: Slater, Joseph <[email protected]> > Cc: [email protected]; MacLeod, Randy > <[email protected]> > Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix > CVE-1021-3979 > > What about master ? Does it have the same issue ?
Yes, and I have the patch for that. You cannot cherry-pick between the branches because recipe context is different. The source patch is the same. I used kirkstone first for internal reasons. Joe > > Bruce > > On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <[email protected]> wrote: > > > > Ceph-volume does not properly control key sizes. > > > > Cherry-pick from github.com/ceph/ceph.git. > > > > Signed-off-by: Joe Slater <[email protected]> > > --- > > .../ceph/ceph/CVE-2021-3979.patch | 158 ++++++++++++++++++ > > recipes-extended/ceph/ceph_15.2.15.bb | 1 + > > 2 files changed, 159 insertions(+) > > create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch > > > > diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch > > b/recipes-extended/ceph/ceph/CVE-2021-3979.patch > > new file mode 100644 > > index 00000000..081b32ba > > --- /dev/null > > +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch 
> > @@ -0,0 +1,158 @@ > > +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 > > +2001 > > +From: Guillaume Abrioux <[email protected]> > > +Date: Tue, 25 Jan 2022 10:25:53 +0100 > > +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option > > + > > +ceph-volume doesn't honour osd_dmcrypt_key_size. > > +It means the default size is always applied. > > + > > +It also changes the default value in `get_key_size_from_conf()` > > + > > +From cryptsetup manpage: > > + > > +> For XTS mode you can optionally set a key size of 512 bits with the -s > option. > > + > > +Using more than 512bits will end up with the following error message: > > + > > +``` > > +Key size in XTS mode must be 256 or 512 bits. > > +``` > > + > > +Fixes: https://tracker.ceph.com/issues/54006 > > + > > +Signed-off-by: Guillaume Abrioux <[email protected]> > > + > > +Upstream-Status: Backport > > + github.com/ceph/ceph.git > > + equivalent to cherry-pick of commit > > +47c33179f9a15ae95cc1579a421be89378602656 > > + > > +CVE: CVE-2021-3979 > > + > > +Signed-off-by: Joe Slater <[email protected]> > > +--- > > + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------ > > + .../ceph_volume/util/encryption.py | 34 ++++++++++----- > > + 2 files changed, 51 insertions(+), 24 deletions(-) > > + > > +diff --git > > +a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > > +b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > > +index e1420b440d3..c86dc50b7c7 100644 > > +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > > ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py > > +@@ -1,5 +1,31 @@ > > + from ceph_volume.util import encryption > > ++import base64 > > + > > ++class TestGetKeySize(object): > > ++ def test_get_size_from_conf_default(self, conf_ceph_stub): > > ++ conf_ceph_stub(''' > > ++ [global] > > ++ fsid=asdf > > ++ ''') > > ++ assert encryption.get_key_size_from_conf() == '512' > > ++ > > ++ def 
test_get_size_from_conf_custom(self, conf_ceph_stub): > > ++ conf_ceph_stub(''' > > ++ [global] > > ++ fsid=asdf > > ++ [osd] > > ++ osd_dmcrypt_key_size=256 > > ++ ''') > > ++ assert encryption.get_key_size_from_conf() == '256' > > ++ > > ++ def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub): > > ++ conf_ceph_stub(''' > > ++ [global] > > ++ fsid=asdf > > ++ [osd] > > ++ osd_dmcrypt_key_size=1024 > > ++ ''') > > ++ assert encryption.get_key_size_from_conf() == '512' > > + > > + class TestStatus(object): > > + > > +@@ -37,17 +63,6 @@ class TestDmcryptClose(object): > > + > > + class TestDmcryptKey(object): > > + > > +- def test_dmcrypt_with_default_size(self, conf_ceph_stub): > > +- conf_ceph_stub('[global]\nfsid=asdf-lkjh') > > +- result = encryption.create_dmcrypt_key() > > +- assert len(result) == 172 > > +- > > +- def test_dmcrypt_with_custom_size(self, conf_ceph_stub): > > +- conf_ceph_stub(''' > > +- [global] > > +- fsid=asdf > > +- [osd] > > +- osd_dmcrypt_size=8 > > +- ''') > > ++ def test_dmcrypt(self): > > + result = encryption.create_dmcrypt_key() > > +- assert len(result) == 172 > > ++ assert len(base64.b64decode(result)) == 128 > > +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py > > +b/src/ceph-volume/ceph_volume/util/encryption.py > > +index 72a0ccf121e..2a2c03337b6 100644 > > +--- a/src/ceph-volume/ceph_volume/util/encryption.py > > ++++ b/src/ceph-volume/ceph_volume/util/encryption.py > > +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, > > +get_part_entry_type > > + > > + logger = logging.getLogger(__name__) > > + > > +- > > +-def create_dmcrypt_key(): > > ++def get_key_size_from_conf(): > > + """ > > +- Create the secret dm-crypt key used to decrypt a device. > > ++ Return the osd dmcrypt key size from config file. > > ++ Default is 512. 
> > + """ > > +- # get the customizable dmcrypt key size (in bits) from ceph.conf > > fallback > > +- # to the default of 1024 > > +- dmcrypt_key_size = conf.ceph.get_safe( > > ++ default_key_size = '512' > > ++ key_size = conf.ceph.get_safe( > > + 'osd', > > + 'osd_dmcrypt_key_size', > > +- default=1024, > > +- ) > > +- # The size of the key is defined in bits, so we must transform that > > +- # value to bytes (dividing by 8) because we read in bytes, not bits > > +- random_string = os.urandom(int(dmcrypt_key_size / 8)) > > ++ default='512') > > ++ > > ++ if key_size not in ['256', '512']: > > ++ logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). > > " > > ++ "Falling back to {}bits".format(key_size, > > default_key_size))) > > ++ return default_key_size > > ++ > > ++ return key_size > > ++ > > ++def create_dmcrypt_key(): > > ++ """ > > ++ Create the secret dm-crypt key (KEK) used to encrypt/decrypt the > > Volume > Key. > > ++ """ > > ++ random_string = os.urandom(128) > > + key = base64.b64encode(random_string).decode('utf-8') > > + return key > > + > > +@@ -38,6 +46,8 @@ def luks_format(key, device): > > + command = [ > > + 'cryptsetup', > > + '--batch-mode', # do not prompt > > ++ '--key-size', > > ++ get_key_size_from_conf(), > > + '--key-file', # misnomer, should be key > > + '-', # because we indicate stdin for the key here > > + 'luksFormat', > > +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping): > > + """ > > + command = [ > > + 'cryptsetup', > > ++ '--key-size', > > ++ get_key_size_from_conf(), > > + '--key-file', > > + '-', > > + '--allow-discards', # allow discards (aka TRIM) requests > > +for device > > +-- > > +2.35.1 > > + > > diff --git a/recipes-extended/ceph/ceph_15.2.15.bb > > b/recipes-extended/ceph/ceph_15.2.15.bb > > index 17dbcf35..b13ebb70 100644 > > --- a/recipes-extended/ceph/ceph_15.2.15.bb > > +++ b/recipes-extended/ceph/ceph_15.2.15.bb 
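Review bot: `get_key_size_from_conf()` accepts only the exact strings `'256'` and `'512'`, so a value that `conf.ceph.get_safe()` hands back as an int or with surrounding whitespace (the stub tests only exercise the plain-string form) would be rejected with a warning and silently replaced by the 512-bit default; normalising first, `key_size = str(key_size).strip()`, keeps the allow-list check while accepting those forms. The warning should also use lazy logging arguments instead of pre-formatting, `logger.warning("Invalid value set for osd_dmcrypt_key_size (%s). Falling back to %sbits", key_size, default_key_size)`, which is the logging idiom and drops the doubly-parenthesised `.format` call. Passing `--key-size` to `luks_open` is presumably a no-op for a LUKS device, since the header already fixes the master key size, so if the option were changed between format and open the argument would be misleading at best — a one-line comment such as `# header key size wins for LUKS; passed for consistency with luks_format` would help the next reader. The `luks_format` and `luks_open` bodies continue outside their hunks.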
> > @@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph- > ${PV}.tar.gz \ > > file://ceph.conf \ > > file://0001-cmake-add-support-for-python3.10.patch \ > > > > file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \ > > + file://CVE-2021-3979.patch \ > > " > > > > SRC_URI[sha256sum] = > "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf" > > -- > > 2.35.1 > > > > > > > > > > > -- > - Thou shalt not follow the NULL pointer, for chaos and madness await thee at > its end > - "Use the force Harry" - Gandalf, Star Trek II
