ceph: Fix CVE-2021-3979

Ceph-volume does not properly control key sizes. Cherry-pick from github.com/ceph/ceph.git. Signed-off-by: Joe Slater <joe.slater@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
author: Joe Slater <joe.slater@windriver.com> 2022-08-10 13:18:44 -0700
committer: Bruce Ashfield <bruce.ashfield@gmail.com> 2022-08-20 23:23:08 -0400
commit: dccd964570f89f4a0cdf16eb54c4064823df372d (patch)
tree: becaf7094df008f71cc5acabcdff6fd7a9526105 /recipes-extended/ceph
parent: fc1df13027a8c1e615c0c31ee9e20490e931bcc4 (diff)
download: meta-virtualization-dccd964570f89f4a0cdf16eb54c4064823df372d.tar.gz
2 files changed, 159 insertions, 0 deletions
diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
new file mode 100644
index 00000000..081b32ba
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
+From: Guillaume Abrioux <gabrioux@redhat.com>
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+It also changes the default value in `get_key_size_from_conf()`
+From cryptsetup manpage:
+> For XTS mode you can optionally set a key size of 512 bits with the -s option.
+Using more than 512bits will end up with the following error message:
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+Fixes: https://tracker.ceph.com/issues/54006
+Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
+Upstream-Status: Backport
+ github.com/ceph/ceph.git
+ equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
+CVE: CVE-2021-3979
+Signed-off-by: Joe Slater <joe.slater@windriver.com>
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d3..c86dc50b7c7 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
+import base64
+ 
+class TestGetKeySize(object):
+    def test_get_size_from_conf_default(self, conf_ceph_stub):
+        conf_ceph_stub('''
+        [global]
+        fsid=asdf
+        ''')
+        assert encryption.get_key_size_from_conf() == '512'
+
+    def test_get_size_from_conf_custom(self, conf_ceph_stub):
+        conf_ceph_stub('''
+        [global]
+        fsid=asdf
+        [osd]
+        osd_dmcrypt_key_size=256
+        ''')
+        assert encryption.get_key_size_from_conf() == '256'
+
+    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
+        conf_ceph_stub('''
+        [global]
+        fsid=asdf
+        [osd]
+        osd_dmcrypt_key_size=1024
+        ''')
+        assert encryption.get_key_size_from_conf() == '512'
+ 
+ class TestStatus(object):
+ 
+@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
+ 
+ class TestDmcryptKey(object):
+ 
+-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+-        result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
+-
+-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+-        conf_ceph_stub('''
+-        [global]
+-        fsid=asdf
+-        [osd]
+-        osd_dmcrypt_size=8
+-        ''')
+    def test_dmcrypt(self):
+         result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
+        assert len(base64.b64decode(result)) == 128
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e..2a2c03337b6 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
+++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
+ 
+ logger = logging.getLogger(__name__)
+ 
+-
+-def create_dmcrypt_key():
+def get_key_size_from_conf():
+     """
+-    Create the secret dm-crypt key used to decrypt a device.
+    Return the osd dmcrypt key size from config file.
+    Default is 512.
+     """
+-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
+-    # to the default of 1024
+-    dmcrypt_key_size = conf.ceph.get_safe(
+    default_key_size = '512'
+    key_size = conf.ceph.get_safe(
+         'osd',
+         'osd_dmcrypt_key_size',
+-        default=1024,
+-    )
+-    # The size of the key is defined in bits, so we must transform that
+-    # value to bytes (dividing by 8) because we read in bytes, not bits
+-    random_string = os.urandom(int(dmcrypt_key_size / 8))
+        default='512')
+
+    if key_size not in ['256', '512']:
+        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
+                        "Falling back to {}bits".format(key_size, default_key_size)))
+        return default_key_size
+
+    return key_size
+
+def create_dmcrypt_key():
+    """
+    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
+    """
+    random_string = os.urandom(128)
+     key = base64.b64encode(random_string).decode('utf-8')
+     return key
+ 
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+     command = [
+         'cryptsetup',
+         '--batch-mode', # do not prompt
+        '--key-size',
+        get_key_size_from_conf(),
+         '--key-file', # misnomer, should be key
+         '-',          # because we indicate stdin for the key here
+         'luksFormat',
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+     """
+     command = [
+         'cryptsetup',
+        '--key-size',
+        get_key_size_from_conf(),
+         '--key-file',
+         '-',
+         '--allow-discards',  # allow discards (aka TRIM) requests for device
+-- 
+2.35.1
diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb
index 0fb32b26..f2ece8c7 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
           file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
           file://0001-buffer.h-add-missing-header-file-due-to-gcc-upgrade.patch \
           file://0002-common-fix-FTBFS-due-to-dout-need_dynamic-on-GCC-12.patch \
+           file://CVE-2021-3979.patch \
 "
 SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
author	Joe Slater <joe.slater@windriver.com>	2022-08-10 13:18:44 -0700
committer	Bruce Ashfield <bruce.ashfield@gmail.com>	2022-08-20 23:23:08 -0400
commit	dccd964570f89f4a0cdf16eb54c4064823df372d (patch)
tree	becaf7094df008f71cc5acabcdff6fd7a9526105 /recipes-extended/ceph
parent	fc1df13027a8c1e615c0c31ee9e20490e931bcc4 (diff)
download	meta-virtualization-dccd964570f89f4a0cdf16eb54c4064823df372d.tar.gz

diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch new file mode 100644 index 00000000..081b32ba --- /dev/null +++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
		1	From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
		2	From: Guillaume Abrioux <gabrioux@redhat.com>
		3	Date: Tue, 25 Jan 2022 10:25:53 +0100
		4	Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
		5
		6	ceph-volume doesn't honour osd_dmcrypt_key_size.
		7	It means the default size is always applied.
		8
		9	It also changes the default value in `get_key_size_from_conf()`
		10
		11	From cryptsetup manpage:
		12
		13	> For XTS mode you can optionally set a key size of 512 bits with the -s option.
		14
		15	Using more than 512bits will end up with the following error message:
		16
		17	```
		18	Key size in XTS mode must be 256 or 512 bits.
		19	```
		20
		21	Fixes: https://tracker.ceph.com/issues/54006
		22
		23	Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
		24
		25	Upstream-Status: Backport
		26	github.com/ceph/ceph.git
		27	equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
		28
		29	CVE: CVE-2021-3979
		30
		31	Signed-off-by: Joe Slater <joe.slater@windriver.com>
		32	---
		33	.../ceph_volume/tests/util/test_encryption.py \| 41 +++++++++++++------
		34	.../ceph_volume/util/encryption.py \| 34 ++++++++++-----
		35	2 files changed, 51 insertions(+), 24 deletions(-)
		36
		37	diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
		38	index e1420b440d3..c86dc50b7c7 100644
		39	--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
		40	+++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
		41	@@ -1,5 +1,31 @@
		42	from ceph_volume.util import encryption
		43	+import base64
		44
		45	+class TestGetKeySize(object):
		46	+ def test_get_size_from_conf_default(self, conf_ceph_stub):
		47	+ conf_ceph_stub('''
		48	+ [global]
		49	+ fsid=asdf
		50	+ ''')
		51	+ assert encryption.get_key_size_from_conf() == '512'
		52	+
		53	+ def test_get_size_from_conf_custom(self, conf_ceph_stub):
		54	+ conf_ceph_stub('''
		55	+ [global]
		56	+ fsid=asdf
		57	+ [osd]
		58	+ osd_dmcrypt_key_size=256
		59	+ ''')
		60	+ assert encryption.get_key_size_from_conf() == '256'
		61	+
		62	+ def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
		63	+ conf_ceph_stub('''
		64	+ [global]
		65	+ fsid=asdf
		66	+ [osd]
		67	+ osd_dmcrypt_key_size=1024
		68	+ ''')
		69	+ assert encryption.get_key_size_from_conf() == '512'
		70
		71	class TestStatus(object):
		72
		73	@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
		74
		75	class TestDmcryptKey(object):
		76
		77	- def test_dmcrypt_with_default_size(self, conf_ceph_stub):
		78	- conf_ceph_stub('[global]\nfsid=asdf-lkjh')
		79	- result = encryption.create_dmcrypt_key()
		80	- assert len(result) == 172
		81	-
		82	- def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
		83	- conf_ceph_stub('''
		84	- [global]
		85	- fsid=asdf
		86	- [osd]
		87	- osd_dmcrypt_size=8
		88	- ''')
		89	+ def test_dmcrypt(self):
		90	result = encryption.create_dmcrypt_key()
		91	- assert len(result) == 172
		92	+ assert len(base64.b64decode(result)) == 128
		93	diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
		94	index 72a0ccf121e..2a2c03337b6 100644
		95	--- a/src/ceph-volume/ceph_volume/util/encryption.py
		96	+++ b/src/ceph-volume/ceph_volume/util/encryption.py
		97	@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
		98
		99	logger = logging.getLogger(__name__)
		100
		101	-
		102	-def create_dmcrypt_key():
		103	+def get_key_size_from_conf():
		104	"""
		105	- Create the secret dm-crypt key used to decrypt a device.
		106	+ Return the osd dmcrypt key size from config file.
		107	+ Default is 512.
		108	"""
		109	- # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
		110	- # to the default of 1024
		111	- dmcrypt_key_size = conf.ceph.get_safe(
		112	+ default_key_size = '512'
		113	+ key_size = conf.ceph.get_safe(
		114	'osd',
		115	'osd_dmcrypt_key_size',
		116	- default=1024,
		117	- )
		118	- # The size of the key is defined in bits, so we must transform that
		119	- # value to bytes (dividing by 8) because we read in bytes, not bits
		120	- random_string = os.urandom(int(dmcrypt_key_size / 8))
		121	+ default='512')
		122	+
		123	+ if key_size not in ['256', '512']:
		124	+ logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
		125	+ "Falling back to {}bits".format(key_size, default_key_size)))
		126	+ return default_key_size
		127	+
		128	+ return key_size
		129	+
		130	+def create_dmcrypt_key():
		131	+ """
		132	+ Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
		133	+ """
		134	+ random_string = os.urandom(128)
		135	key = base64.b64encode(random_string).decode('utf-8')
		136	return key
		137
		138	@@ -38,6 +46,8 @@ def luks_format(key, device):
		139	command = [
		140	'cryptsetup',
		141	'--batch-mode', # do not prompt
		142	+ '--key-size',
		143	+ get_key_size_from_conf(),
		144	'--key-file', # misnomer, should be key
		145	'-', # because we indicate stdin for the key here
		146	'luksFormat',
		147	@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
		148	"""
		149	command = [
		150	'cryptsetup',
		151	+ '--key-size',
		152	+ get_key_size_from_conf(),
		153	'--key-file',
		154	'-',
		155	'--allow-discards', # allow discards (aka TRIM) requests for device
		156	--
		157	2.35.1
		158


diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb index 0fb32b26..f2ece8c7 100644 --- a/recipes-extended/ceph/ceph_15.2.15.bb +++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
16	file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \	16	file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
17	file://0001-buffer.h-add-missing-header-file-due-to-gcc-upgrade.patch \	17	file://0001-buffer.h-add-missing-header-file-due-to-gcc-upgrade.patch \
18	file://0002-common-fix-FTBFS-due-to-dout-need_dynamic-on-GCC-12.patch \	18	file://0002-common-fix-FTBFS-due-to-dout-need_dynamic-on-GCC-12.patch \
		19	file://CVE-2021-3979.patch \
19	"	20	"
20		21
21	SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"	22	SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"