Re: [meta-virtualization] [meta-virt][PATCH 1/1] ceph: Fix CVE-2021-3979

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Joe Slater <joe.slater@windriver.com>
Cc: meta-virtualization@lists.yoctoproject.org, randy.macleod@windriver.com
Subject: Re: [meta-virtualization] [meta-virt][PATCH 1/1] ceph: Fix CVE-2021-3979
Date: Sat, 20 Aug 2022 23:24:12 -0400	[thread overview]
Message-ID: <20220821032411.GD57389@gmail.com> (raw)
In-Reply-To: <20220810201844.30041-1-joe.slater@windriver.com>

Even though Sakib is working on an uprev for master, I've gone
ahead and merged this .. we might as well have the CVE fixed while
we wait.

Bruce

In message: [meta-virtualization] [meta-virt][PATCH 1/1] ceph: Fix CVE-2021-3979
on 10/08/2022 Joe Slater wrote:

> Ceph-volume does not properly control key sizes.
> 
> Cherry-pick from github.com/ceph/ceph.git.
> 
> Signed-off-by: Joe Slater <joe.slater@windriver.com>
> ---
>  .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
>  recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
>  2 files changed, 159 insertions(+)
>  create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch
> 
> diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> new file mode 100644
> index 00000000..081b32ba
> --- /dev/null
> +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> @@ -0,0 +1,158 @@
> +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
> +From: Guillaume Abrioux <gabrioux@redhat.com>
> +Date: Tue, 25 Jan 2022 10:25:53 +0100
> +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
> +
> +ceph-volume doesn't honour osd_dmcrypt_key_size.
> +It means the default size is always applied.
> +
> +It also changes the default value in `get_key_size_from_conf()`
> +
> +From cryptsetup manpage:
> +
> +> For XTS mode you can optionally set a key size of 512 bits with the -s option.
> +
> +Using more than 512bits will end up with the following error message:
> +
> +```
> +Key size in XTS mode must be 256 or 512 bits.
> +```
> +
> +Fixes: https://tracker.ceph.com/issues/54006
> +
> +Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
> +
> +Upstream-Status: Backport
> + github.com/ceph/ceph.git
> + equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
> +
> +CVE: CVE-2021-3979
> +
> +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> +---
> + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
> + .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
> + 2 files changed, 51 insertions(+), 24 deletions(-)
> +
> +diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> +index e1420b440d3..c86dc50b7c7 100644
> +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> +@@ -1,5 +1,31 @@
> + from ceph_volume.util import encryption
> ++import base64
> + 
> ++class TestGetKeySize(object):
> ++    def test_get_size_from_conf_default(self, conf_ceph_stub):
> ++        conf_ceph_stub('''
> ++        [global]
> ++        fsid=asdf
> ++        ''')
> ++        assert encryption.get_key_size_from_conf() == '512'
> ++
> ++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
> ++        conf_ceph_stub('''
> ++        [global]
> ++        fsid=asdf
> ++        [osd]
> ++        osd_dmcrypt_key_size=256
> ++        ''')
> ++        assert encryption.get_key_size_from_conf() == '256'
> ++
> ++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
> ++        conf_ceph_stub('''
> ++        [global]
> ++        fsid=asdf
> ++        [osd]
> ++        osd_dmcrypt_key_size=1024
> ++        ''')
> ++        assert encryption.get_key_size_from_conf() == '512'
> + 
> + class TestStatus(object):
> + 
> +@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
> + 
> + class TestDmcryptKey(object):
> + 
> +-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
> +-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
> +-        result = encryption.create_dmcrypt_key()
> +-        assert len(result) == 172
> +-
> +-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
> +-        conf_ceph_stub('''
> +-        [global]
> +-        fsid=asdf
> +-        [osd]
> +-        osd_dmcrypt_size=8
> +-        ''')
> ++    def test_dmcrypt(self):
> +         result = encryption.create_dmcrypt_key()
> +-        assert len(result) == 172
> ++        assert len(base64.b64decode(result)) == 128
> +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
> +index 72a0ccf121e..2a2c03337b6 100644
> +--- a/src/ceph-volume/ceph_volume/util/encryption.py
> ++++ b/src/ceph-volume/ceph_volume/util/encryption.py
> +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
> + 
> + logger = logging.getLogger(__name__)
> + 
> +-
> +-def create_dmcrypt_key():
> ++def get_key_size_from_conf():
> +     """
> +-    Create the secret dm-crypt key used to decrypt a device.
> ++    Return the osd dmcrypt key size from config file.
> ++    Default is 512.
> +     """
> +-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
> +-    # to the default of 1024
> +-    dmcrypt_key_size = conf.ceph.get_safe(
> ++    default_key_size = '512'
> ++    key_size = conf.ceph.get_safe(
> +         'osd',
> +         'osd_dmcrypt_key_size',
> +-        default=1024,
> +-    )
> +-    # The size of the key is defined in bits, so we must transform that
> +-    # value to bytes (dividing by 8) because we read in bytes, not bits
> +-    random_string = os.urandom(int(dmcrypt_key_size / 8))
> ++        default='512')
> ++
> ++    if key_size not in ['256', '512']:
> ++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
> ++                        "Falling back to {}bits".format(key_size, default_key_size)))
> ++        return default_key_size
> ++
> ++    return key_size
> ++
> ++def create_dmcrypt_key():
> ++    """
> ++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
> ++    """
> ++    random_string = os.urandom(128)
> +     key = base64.b64encode(random_string).decode('utf-8')
> +     return key
> + 
> +@@ -38,6 +46,8 @@ def luks_format(key, device):
> +     command = [
> +         'cryptsetup',
> +         '--batch-mode', # do not prompt
> ++        '--key-size',
> ++        get_key_size_from_conf(),
> +         '--key-file', # misnomer, should be key
> +         '-',          # because we indicate stdin for the key here
> +         'luksFormat',
> +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
> +     """
> +     command = [
> +         'cryptsetup',
> ++        '--key-size',
> ++        get_key_size_from_conf(),
> +         '--key-file',
> +         '-',
> +         '--allow-discards',  # allow discards (aka TRIM) requests for device
> +-- 
> +2.35.1
> +
> diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb
> index 0fb32b26..f2ece8c7 100644
> --- a/recipes-extended/ceph/ceph_15.2.15.bb
> +++ b/recipes-extended/ceph/ceph_15.2.15.bb
> @@ -16,6 +16,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
>             file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
>             file://0001-buffer.h-add-missing-header-file-due-to-gcc-upgrade.patch \
>             file://0002-common-fix-FTBFS-due-to-dout-need_dynamic-on-GCC-12.patch \
> +           file://CVE-2021-3979.patch \
>  "
>  
>  SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
> -- 
> 2.35.1
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#7519): https://lists.yoctoproject.org/g/meta-virtualization/message/7519
> Mute This Topic: https://lists.yoctoproject.org/mt/92945022/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

     prev parent reply	other threads:[~2022-08-21  3:24 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-10 20:18 [meta-virt][PATCH 1/1] ceph: Fix CVE-2021-3979 Joe Slater
2022-08-21  3:24 ` Bruce Ashfield [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220821032411.GD57389@gmail.com \
    --to=bruce.ashfield@gmail.com \
    --cc=joe.slater@windriver.com \
    --cc=meta-virtualization@lists.yoctoproject.org \
    --cc=randy.macleod@windriver.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.