From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Joe Slater <joe.slater@windriver.com>
Cc: meta-virtualization@lists.yoctoproject.org, randy.macleod@windriver.com
Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979
Date: Wed, 10 Aug 2022 14:03:22 -0400 [thread overview]
Message-ID: <CADkTA4OXy5e59OChKrwZLF8u-Nv0YCKLPWUxq18qOFTf7i=hyA@mail.gmail.com> (raw)
In-Reply-To: <20220810173927.36905-1-joe.slater@windriver.com>
What about master ? Does it have the same issue ?
Bruce
On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@windriver.com> wrote:
>
> Ceph-volume does not properly control key sizes.
>
> Cherry-pick from github.com/ceph/ceph.git.
>
> Signed-off-by: Joe Slater <joe.slater@windriver.com>
> ---
> .../ceph/ceph/CVE-2021-3979.patch | 158 ++++++++++++++++++
> recipes-extended/ceph/ceph_15.2.15.bb | 1 +
> 2 files changed, 159 insertions(+)
> create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch
>
> diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> new file mode 100644
> index 00000000..081b32ba
> --- /dev/null
> +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
> @@ -0,0 +1,158 @@
> +From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
> +From: Guillaume Abrioux <gabrioux@redhat.com>
> +Date: Tue, 25 Jan 2022 10:25:53 +0100
> +Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
> +
> +ceph-volume doesn't honour osd_dmcrypt_key_size.
> +It means the default size is always applied.
> +
> +It also changes the default value in `get_key_size_from_conf()`
> +
> +From cryptsetup manpage:
> +
> +> For XTS mode you can optionally set a key size of 512 bits with the -s option.
> +
> +Using more than 512bits will end up with the following error message:
> +
> +```
> +Key size in XTS mode must be 256 or 512 bits.
> +```
> +
> +Fixes: https://tracker.ceph.com/issues/54006
> +
> +Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
> +
> +Upstream-Status: Backport
> + github.com/ceph/ceph.git
> + equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
> +
> +CVE: CVE-2021-3979
> +
> +Signed-off-by: Joe Slater <joe.slater@windriver.com>
> +---
> + .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
> + .../ceph_volume/util/encryption.py | 34 ++++++++++-----
> + 2 files changed, 51 insertions(+), 24 deletions(-)
> +
> +diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> +index e1420b440d3..c86dc50b7c7 100644
> +--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> ++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
> +@@ -1,5 +1,31 @@
> + from ceph_volume.util import encryption
> ++import base64
> +
> ++class TestGetKeySize(object):
> ++ def test_get_size_from_conf_default(self, conf_ceph_stub):
> ++ conf_ceph_stub('''
> ++ [global]
> ++ fsid=asdf
> ++ ''')
> ++ assert encryption.get_key_size_from_conf() == '512'
> ++
> ++ def test_get_size_from_conf_custom(self, conf_ceph_stub):
> ++ conf_ceph_stub('''
> ++ [global]
> ++ fsid=asdf
> ++ [osd]
> ++ osd_dmcrypt_key_size=256
> ++ ''')
> ++ assert encryption.get_key_size_from_conf() == '256'
> ++
> ++ def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
> ++ conf_ceph_stub('''
> ++ [global]
> ++ fsid=asdf
> ++ [osd]
> ++ osd_dmcrypt_key_size=1024
> ++ ''')
> ++ assert encryption.get_key_size_from_conf() == '512'
> +
> + class TestStatus(object):
> +
> +@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
> +
> + class TestDmcryptKey(object):
> +
> +- def test_dmcrypt_with_default_size(self, conf_ceph_stub):
> +- conf_ceph_stub('[global]\nfsid=asdf-lkjh')
> +- result = encryption.create_dmcrypt_key()
> +- assert len(result) == 172
> +-
> +- def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
> +- conf_ceph_stub('''
> +- [global]
> +- fsid=asdf
> +- [osd]
> +- osd_dmcrypt_size=8
> +- ''')
> ++ def test_dmcrypt(self):
> + result = encryption.create_dmcrypt_key()
> +- assert len(result) == 172
> ++ assert len(base64.b64decode(result)) == 128
> +diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
> +index 72a0ccf121e..2a2c03337b6 100644
> +--- a/src/ceph-volume/ceph_volume/util/encryption.py
> ++++ b/src/ceph-volume/ceph_volume/util/encryption.py
> +@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
> +
> + logger = logging.getLogger(__name__)
> +
> +-
> +-def create_dmcrypt_key():
> ++def get_key_size_from_conf():
> + """
> +- Create the secret dm-crypt key used to decrypt a device.
> ++ Return the osd dmcrypt key size from config file.
> ++ Default is 512.
> + """
> +- # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
> +- # to the default of 1024
> +- dmcrypt_key_size = conf.ceph.get_safe(
> ++ default_key_size = '512'
> ++ key_size = conf.ceph.get_safe(
> + 'osd',
> + 'osd_dmcrypt_key_size',
> +- default=1024,
> +- )
> +- # The size of the key is defined in bits, so we must transform that
> +- # value to bytes (dividing by 8) because we read in bytes, not bits
> +- random_string = os.urandom(int(dmcrypt_key_size / 8))
> ++ default='512')
> ++
> ++ if key_size not in ['256', '512']:
> ++ logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
> ++ "Falling back to {}bits".format(key_size, default_key_size)))
> ++ return default_key_size
> ++
> ++ return key_size
> ++
> ++def create_dmcrypt_key():
> ++ """
> ++ Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
> ++ """
> ++ random_string = os.urandom(128)
> + key = base64.b64encode(random_string).decode('utf-8')
> + return key
> +
> +@@ -38,6 +46,8 @@ def luks_format(key, device):
> + command = [
> + 'cryptsetup',
> + '--batch-mode', # do not prompt
> ++ '--key-size',
> ++ get_key_size_from_conf(),
> + '--key-file', # misnomer, should be key
> + '-', # because we indicate stdin for the key here
> + 'luksFormat',
> +@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
> + """
> + command = [
> + 'cryptsetup',
> ++ '--key-size',
> ++ get_key_size_from_conf(),
> + '--key-file',
> + '-',
> + '--allow-discards', # allow discards (aka TRIM) requests for device
> +--
> +2.35.1
> +
> diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb
> index 17dbcf35..b13ebb70 100644
> --- a/recipes-extended/ceph/ceph_15.2.15.bb
> +++ b/recipes-extended/ceph/ceph_15.2.15.bb
> @@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
> file://ceph.conf \
> file://0001-cmake-add-support-for-python3.10.patch \
> file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
> + file://CVE-2021-3979.patch \
> "
>
> SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
> --
> 2.35.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#7514): https://lists.yoctoproject.org/g/meta-virtualization/message/7514
> Mute This Topic: https://lists.yoctoproject.org/mt/92941876/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
next prev parent reply other threads:[~2022-08-10 18:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-10 17:39 [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979 Joe Slater
2022-08-10 18:03 ` Bruce Ashfield [this message]
2022-08-10 18:26 ` [meta-virtualization] " Slater, Joseph
2022-08-10 18:34 ` Bruce Ashfield
2022-08-10 18:54 ` Slater, Joseph
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADkTA4OXy5e59OChKrwZLF8u-Nv0YCKLPWUxq18qOFTf7i=hyA@mail.gmail.com' \
--to=bruce.ashfield@gmail.com \
--cc=joe.slater@windriver.com \
--cc=meta-virtualization@lists.yoctoproject.org \
--cc=randy.macleod@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).