* [PATCH] libceph: bump CephXAuthenticate encoding version
@ 2021-04-25 20:05 Ilya Dryomov
  2021-04-27 16:07 ` Sage Weil
  0 siblings, 1 reply; 2+ messages in thread
From: Ilya Dryomov @ 2021-04-25 20:05 UTC
  To: ceph-devel; +Cc: Sage Weil

A dummy v3 encoding (exactly the same as v2) was introduced so that
the monitors can distinguish broken clients that may not include their
auth ticket in CEPHX_GET_AUTH_SESSION_KEY request on reconnects, thus
failing to prove previous possession of their global_id (one part of
CVE-2021-20288).

The kernel client has always included its auth ticket, so it is
compatible with enforcing mode as is.  However we want to bump the
encoding version to avoid having to authenticate twice on the initial
connect -- all legacy (CephXAuthenticate < v3) are now forced to do so in
order to expose insecure global_id reclaim.

Marking for stable since at least for 5.11 and 5.12 it is trivial
(v2 -> v3).

Cc: stable@vger.kernel.org # 5.11+
URL: https://tracker.ceph.com/issues/50452
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
---
 net/ceph/auth_x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
index ca44c327bace..79641c4afee9 100644
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -526,7 +526,7 @@ static int ceph_x_build_request(struct ceph_auth_client *ac,
 		if (ret < 0)
 			return ret;
 
-		auth->struct_v = 2;  /* nautilus+ */
+		auth->struct_v = 3;  /* nautilus+ */
 		auth->key = 0;
 		for (u = (u64 *)enc_buf; u + 1 <= (u64 *)(enc_buf + ret); u++)
 			auth->key ^= *(__le64 *)u;
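Review bot: the trailing comment on the changed line still reads `/* nautilus+ */` although the value is now 3, so the code gives no hint why 3 is sent. The commit message explains that v3 is a dummy encoding identical to v2, used by the monitors to tell apart clients that may omit their auth ticket on reconnect (CVE-2021-20288). Put that in the comment, for example "same encoding as v2; v3 tells the monitors this client includes its ticket", so a later reader does not assume the wire format changed or revert the bump as a no-op.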
-- 
2.19.2



* Re: [PATCH] libceph: bump CephXAuthenticate encoding version
  2021-04-25 20:05 [PATCH] libceph: bump CephXAuthenticate encoding version Ilya Dryomov
@ 2021-04-27 16:07 ` Sage Weil
  0 siblings, 0 replies; 2+ messages in thread
From: Sage Weil @ 2021-04-27 16:07 UTC
  To: Ilya Dryomov; +Cc: ceph-devel, Sage Weil

On Sun, Apr 25, 2021 at 3:05 PM Ilya Dryomov <idryomov@gmail.com> wrote:
>
> A dummy v3 encoding (exactly the same as v2) was introduced so that
> the monitors can distinguish broken clients that may not include their
> auth ticket in CEPHX_GET_AUTH_SESSION_KEY request on reconnects, thus
> failing to prove previous possession of their global_id (one part of
> CVE-2021-20288).
>
> The kernel client has always included its auth ticket, so it is
> compatible with enforcing mode as is.  However we want to bump the
> encoding version to avoid having to authenticate twice on the initial
> connect -- all legacy (CephXAuthenticate < v3) are now forced to do so in
> order to expose insecure global_id reclaim.
>
> Marking for stable since at least for 5.11 and 5.12 it is trivial
> (v2 -> v3).
>
> Cc: stable@vger.kernel.org # 5.11+
> URL: https://tracker.ceph.com/issues/50452
> Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

Reviewed-by: Sage Weil <sage@redhat.com>

>
> ---
>  net/ceph/auth_x.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
> index ca44c327bace..79641c4afee9 100644
> --- a/net/ceph/auth_x.c
> +++ b/net/ceph/auth_x.c
> @@ -526,7 +526,7 @@ static int ceph_x_build_request(struct ceph_auth_client *ac,
>                 if (ret < 0)
>                         return ret;
>
> -               auth->struct_v = 2;  /* nautilus+ */
> +               auth->struct_v = 3;  /* nautilus+ */
>                 auth->key = 0;
>                 for (u = (u64 *)enc_buf; u + 1 <= (u64 *)(enc_buf + ret); u++)
>                         auth->key ^= *(__le64 *)u;
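Review bot: the bare literal on `auth->struct_v = 3;` now carries a security meaning that nothing in this hunk enforces. Per the commit message, sending v3 exempts the client from the second authentication round because it is assumed to include its auth ticket, and that assumption lives only in the changelog. Consider a named constant for the version, or a short comment at this assignment stating that the ticket must always be included in the request when v3 is advertised, so the two cannot drift apart in a later change.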
> --
> 2.19.2
>

