From: Joe Slater <joe.slater@windriver.com>
To: <meta-virtualization@lists.yoctoproject.org>
Cc: <joe.slater@windriver.com>, <randy.macleod@windriver.com>
Subject: [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979
Date: Wed, 10 Aug 2022 10:39:27 -0700
Message-ID: <20220810173927.36905-1-joe.slater@windriver.com>
Ceph-volume does not properly control key sizes.
Cherry-pick from github.com/ceph/ceph.git.
Signed-off-by: Joe Slater <joe.slater@windriver.com>
---
.../ceph/ceph/CVE-2021-3979.patch | 158 ++++++++++++++++++
recipes-extended/ceph/ceph_15.2.15.bb | 1 +
2 files changed, 159 insertions(+)
create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch
diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
new file mode 100644
index 00000000..081b32ba
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
+From: Guillaume Abrioux <gabrioux@redhat.com>
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+
+It also changes the default value in `get_key_size_from_conf()`
+
+From cryptsetup manpage:
+
+> For XTS mode you can optionally set a key size of 512 bits with the -s option.
+
+Using more than 512bits will end up with the following error message:
+
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+
+Fixes: https://tracker.ceph.com/issues/54006
+
+Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
+
+Upstream-Status: Backport
+ github.com/ceph/ceph.git
+ equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
+
+CVE: CVE-2021-3979
+
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+
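Review bot: the mail Subject reads "CVE-1021-3979" while the patch header, the file name and the CVE: tag all say CVE-2021-3979; fix the Subject so the backport can be matched to the advisory by tooling and by anyone searching the list archive. Two smaller header points: the Yocto convention is to put the upstream reference on the same line, e.g. `Upstream-Status: Backport [https://github.com/ceph/ceph/commit/47c33179f9a15ae95cc1579a421be89378602656]`, rather than on the following free-text lines; and the sentence "It also changes the default value in `get_key_size_from_conf()`" describes a function this change introduces, so it would be clearer to say the default moves from 1024 (in `create_dmcrypt_key()`) to 512.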
+diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d3..c86dc50b7c7 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
++import base64
+
++class TestGetKeySize(object):
++ def test_get_size_from_conf_default(self, conf_ceph_stub):
++ conf_ceph_stub('''
++ [global]
++ fsid=asdf
++ ''')
++ assert encryption.get_key_size_from_conf() == '512'
++
++ def test_get_size_from_conf_custom(self, conf_ceph_stub):
++ conf_ceph_stub('''
++ [global]
++ fsid=asdf
++ [osd]
++ osd_dmcrypt_key_size=256
++ ''')
++ assert encryption.get_key_size_from_conf() == '256'
++
++ def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
++ conf_ceph_stub('''
++ [global]
++ fsid=asdf
++ [osd]
++ osd_dmcrypt_key_size=1024
++ ''')
++ assert encryption.get_key_size_from_conf() == '512'
+
+ class TestStatus(object):
+
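Review bot: the new `TestGetKeySize` cases only exercise numeric values (default, 256, 1024), but `get_key_size_from_conf()` validates with a string membership check, so add a case for a non-numeric or empty `osd_dmcrypt_key_size` to pin down that such input also falls back to '512' instead of being passed through to cryptsetup. The `import base64` added at the top is used by the rewritten `test_dmcrypt` below, so it is fine here.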
+@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
+
+ class TestDmcryptKey(object):
+
+- def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+- conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+- result = encryption.create_dmcrypt_key()
+- assert len(result) == 172
+-
+- def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+- conf_ceph_stub('''
+- [global]
+- fsid=asdf
+- [osd]
+- osd_dmcrypt_size=8
+- ''')
++ def test_dmcrypt(self):
+ result = encryption.create_dmcrypt_key()
+- assert len(result) == 172
++ assert len(base64.b64decode(result)) == 128
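Review bot: the removed `test_dmcrypt_with_custom_size` was setting `osd_dmcrypt_size=8`, not `osd_dmcrypt_key_size`, which is why it passed with the same 172-character result as the default case and never actually tested the size option; dropping it is correct. The replacement asserts a 128-byte (1024-bit) decoded key, which is independent of `osd_dmcrypt_key_size` after this change: a short comment or a more specific test name (e.g. stating that this is the passphrase fed via `--key-file -`, not the LUKS volume key whose size `--key-size` controls) would stop a later reader from expecting the two to agree.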
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e..2a2c03337b6 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
++++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
+
+ logger = logging.getLogger(__name__)
+
+-
+-def create_dmcrypt_key():
++def get_key_size_from_conf():
+ """
+- Create the secret dm-crypt key used to decrypt a device.
++ Return the osd dmcrypt key size from config file.
++ Default is 512.
+ """
+- # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
+- # to the default of 1024
+- dmcrypt_key_size = conf.ceph.get_safe(
++ default_key_size = '512'
++ key_size = conf.ceph.get_safe(
+ 'osd',
+ 'osd_dmcrypt_key_size',
+- default=1024,
+- )
+- # The size of the key is defined in bits, so we must transform that
+- # value to bytes (dividing by 8) because we read in bytes, not bits
+- random_string = os.urandom(int(dmcrypt_key_size / 8))
++ default='512')
++
++ if key_size not in ['256', '512']:
++ logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
++ "Falling back to {}bits".format(key_size, default_key_size)))
++ return default_key_size
++
++ return key_size
++
++def create_dmcrypt_key():
++ """
++ Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
++ """
++ random_string = os.urandom(128)
+ key = base64.b64encode(random_string).decode('utf-8')
+ return key
+
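Review bot: `default_key_size = '512'` and `default='512'` duplicate the literal; pass `default=default_key_size` so the fallback used by `get_safe` and the one returned from the warning branch cannot drift apart. On the fallback itself: an operator who sets 1024 (the old default) expecting a larger key now silently gets 512 with only a log warning; since cryptsetup would have rejected the value anyway ("Key size in XTS mode must be 256 or 512 bits"), falling back to the larger of the two permitted sizes is a reasonable choice, but the warning should say so explicitly, for instance "using 512 bits; XTS accepts only 256 or 512". The `.format` on the implicitly concatenated string works because adjacent literals are joined at compile time, so no change is needed there.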
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+ command = [
+ 'cryptsetup',
+ '--batch-mode', # do not prompt
++ '--key-size',
++ get_key_size_from_conf(),
+ '--key-file', # misnomer, should be key
+ '-', # because we indicate stdin for the key here
+ 'luksFormat',
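Review bot: inserting `--key-size` ahead of `--key-file -` and `luksFormat` is fine, since cryptsetup accepts options in any position; a comment stating that the value is in bits and applies to the LUKS volume key (the 128-byte passphrase on stdin is unaffected) would match the `# misnomer, should be key` style already used on the neighbouring arguments and make the distinction clear at the call site.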
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+ """
+ command = [
+ 'cryptsetup',
++ '--key-size',
++ get_key_size_from_conf(),
+ '--key-file',
+ '-',
+ '--allow-discards', # allow discards (aka TRIM) requests for device
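Review bot: `--key-size` has no effect on `luksOpen`: per the cryptsetup man page the option applies to `open --type plain` and `luksFormat`, and all other LUKS actions take the key size from the LUKS header. Passing it here is harmless but misleading, because if `osd_dmcrypt_key_size` is changed after an OSD was formatted the header value wins and the config value is silently ignored; either drop the two added lines from `luks_open` or add a comment saying the header is authoritative on open.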
+--
+2.35.1
+
diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb
index 17dbcf35..b13ebb70 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
file://ceph.conf \
file://0001-cmake-add-support-for-python3.10.patch \
file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+ file://CVE-2021-3979.patch \
"
SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
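Review bot: the SRC_URI entry matches the file created above, so the recipe side is consistent. Since the upstream commit was written against a newer tree than ceph 15.2.15 (the index lines in the embedded patch are from that tree), it would help to record in the patch header which Ceph release first ships the fix, so the patch can be dropped cleanly on the next version bump; the removed `-` lines in the `encryption.py` hunk do correspond to the 1024-bit default code present in this version, so the hunks should apply as-is.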
--
2.35.1
Thread overview: 5+ messages
2022-08-10 17:39 Joe Slater [this message]
2022-08-10 18:03 ` [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979 Bruce Ashfield
2022-08-10 18:26 ` Slater, Joseph
2022-08-10 18:34 ` Bruce Ashfield
2022-08-10 18:54 ` Slater, Joseph