3 files changed, 160 insertions, 0 deletions
diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
new file mode 100644
index 0000000000..8e0a06cbc7
--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
@@ -0,0 +1,77 @@
+From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001
+From: Blazej Kucman <blazej.kucman@intel.com>
+Date: Fri, 3 Dec 2021 15:31:15 +0100
+Subject: mdadm: block creation with long names
+This fixes buffer overflows in create_mddev(). It prohibits
+creation with not supported names for DDF and native. For IMSM,
+mdadm will do silent cut to 16 later.
+Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
+Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
+Signed-off-by: Jes Sorensen <jsorensen@fb.com>
+---
+Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce]
+CVE: CVE-2023-28736
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ mdadm.8.in | 5 +++++
+ mdadm.c    | 9 ++++++++-
+ mdadm.h    | 5 +++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+diff --git a/mdadm.8.in b/mdadm.8.in
+index 28d773c2..68e100cb 100644
+--- a/mdadm.8.in
+++ b/mdadm.8.in
+@@ -2186,6 +2186,11 @@ is run, but will be created by
+ .I udev
+ once the array becomes active.
+ 
+The max length md-device name is limited to 32 characters.
+Different metadata types have more strict limitation
+(like IMSM where only 16 characters are allowed).
+For that reason, long name could be truncated or rejected, it depends on metadata policy.
+
+ As devices are added, they are checked to see if they contain RAID
+ superblocks or filesystems.  They are also checked to see if the variance in
+ device size exceeds 1%.
+diff --git a/mdadm.c b/mdadm.c
+index 91e67467..26299b2e 100644
+--- a/mdadm.c
+++ b/mdadm.c
+@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[])
+                        mdfd = open_mddev(devlist->devname, 1);
+                        if (mdfd < 0)
+                                exit(1);
+-               } else
+               } else {
+                       char *bname = basename(devlist->devname);
+
+                       if (strlen(bname) > MD_NAME_MAX) {
+                               pr_err("Name %s is too long.\n", devlist->devname);
+                               exit(1);
+                       }
+                        /* non-existent device is OK */
+                        mdfd = open_mddev(devlist->devname, 0);
+               }
+                if (mdfd == -2) {
+                        pr_err("device %s exists but is not an md array.\n", devlist->devname);
+                        exit(1);
+diff --git a/mdadm.h b/mdadm.h
+index 54567396..c7268a71 100644
+--- a/mdadm.h
+++ b/mdadm.h
+@@ -1880,3 +1880,8 @@ enum r0layout {
+ #define INVALID_SECTORS 1
+ /* And another special number needed for --data_offset=variable */
+ #define VARIABLE_OFFSET 3
+
+/**
+ * This is true for native and DDF, IMSM allows 16.
+ */
+#define MD_NAME_MAX 32
+-- 
+cgit 
diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
new file mode 100644
index 0000000000..1e2990d79a
--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
@@ -0,0 +1,80 @@
+From 7d374a1869d3a84971d027a7f4233878c8f25a62 Mon Sep 17 00:00:00 2001
+From: Mateusz Grzonka <mateusz.grzonka@intel.com>
+Date: Tue, 27 Jul 2021 10:25:18 +0200
+Subject: Fix memory leak after "mdadm --detail"
+Signed-off-by: Mateusz Grzonka <mateusz.grzonka@intel.com>
+Signed-off-by: Jes Sorensen <jsorensen@fb.com>
+---
+Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62]
+CVE: CVE-2023-28938
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ 
+ Detail.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+diff --git a/Detail.c b/Detail.c
+index ad56344f..d3af0ab5 100644
+--- a/Detail.c
+++ b/Detail.c
+@@ -66,11 +66,11 @@ int Detail(char *dev, struct context *c)
+        int spares = 0;
+        struct stat stb;
+        int failed = 0;
+-       struct supertype *st;
+       struct supertype *st = NULL;
+        char *subarray = NULL;
+        int max_disks = MD_SB_DISKS; /* just a default */
+        struct mdinfo *info = NULL;
+-       struct mdinfo *sra;
+       struct mdinfo *sra = NULL;
+        struct mdinfo *subdev;
+        char *member = NULL;
+        char *container = NULL;
+@@ -93,8 +93,7 @@ int Detail(char *dev, struct context *c)
+        if (!sra) {
+                if (md_get_array_info(fd, &array)) {
+                        pr_err("%s does not appear to be an md device\n", dev);
+-                       close(fd);
+-                       return rv;
+                       goto out;
+                }
+        }
+        external = (sra != NULL && sra->array.major_version == -1 &&
+@@ -108,16 +107,13 @@ int Detail(char *dev, struct context *c)
+                            sra->devs == NULL) {
+                                pr_err("Array associated with md device %s does not exist.\n",
+                                       dev);
+-                               close(fd);
+-                               sysfs_free(sra);
+-                               return rv;
+                               goto out;
+                        }
+                        array = sra->array;
+                } else {
+                        pr_err("cannot get array detail for %s: %s\n",
+                               dev, strerror(errno));
+-                       close(fd);
+-                       return rv;
+                       goto out;
+                }
+        }
+ 
+@@ -827,10 +823,12 @@ out:
+        close(fd);
+        free(subarray);
+        free(avail);
+-       for (d = 0; d < n_devices; d++)
+-               free(devices[d]);
+       if (devices)
+               for (d = 0; d < n_devices; d++)
+                       free(devices[d]);
+        free(devices);
+        sysfs_free(sra);
+       free(st);
+        return rv;
+ }
+ 
+-- 
+cgit 
diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb b/meta/recipes-extended/mdadm/mdadm_4.1.bb
index 001d3331a7..ca326fd1cb 100644
--- a/meta/recipes-extended/mdadm/mdadm_4.1.bb
+++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb
@@ -1,5 +1,6 @@
 SUMMARY = "Tool for managing software RAID under Linux"
 HOMEPAGE = "http://www.kernel.org/pub/linux/utils/raid/mdadm/"
+DESCRIPTION = "mdadm is a Linux utility used to manage and monitor software RAID devices."
 # Some files are GPLv2+ while others are GPLv2.
 LICENSE = "GPLv2 & GPLv2+"
@@ -23,6 +24,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \
           file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \
           file://include_sysmacros.patch \
           file://0001-mdadm-skip-test-11spare-migration.patch \
+           file://CVE-2023-28736.patch \
+           file://CVE-2023-28938.patch \
           "
 SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"

diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch new file mode 100644 index 0000000000..8e0a06cbc7 --- /dev/null +++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
@@ -0,0 +1,77 @@
		1	From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001
		2	From: Blazej Kucman <blazej.kucman@intel.com>
		3	Date: Fri, 3 Dec 2021 15:31:15 +0100
		4	Subject: mdadm: block creation with long names
		5
		6	This fixes buffer overflows in create_mddev(). It prohibits
		7	creation with not supported names for DDF and native. For IMSM,
		8	mdadm will do silent cut to 16 later.
		9
		10	Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
		11	Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
		12	Signed-off-by: Jes Sorensen <jsorensen@fb.com>
		13	---
		14
		15	Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce]
		16	CVE: CVE-2023-28736
		17	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		18
		19	mdadm.8.in \| 5 +++++
		20	mdadm.c \| 9 ++++++++-
		21	mdadm.h \| 5 +++++
		22	3 files changed, 18 insertions(+), 1 deletion(-)
		23
		24	diff --git a/mdadm.8.in b/mdadm.8.in
		25	index 28d773c2..68e100cb 100644
		26	--- a/mdadm.8.in
		27	+++ b/mdadm.8.in
		28	@@ -2186,6 +2186,11 @@ is run, but will be created by
		29	.I udev
		30	once the array becomes active.
		31
		32	+The max length md-device name is limited to 32 characters.
		33	+Different metadata types have more strict limitation
		34	+(like IMSM where only 16 characters are allowed).
		35	+For that reason, long name could be truncated or rejected, it depends on metadata policy.
		36	+
		37	As devices are added, they are checked to see if they contain RAID
		38	superblocks or filesystems. They are also checked to see if the variance in
		39	device size exceeds 1%.
		40	diff --git a/mdadm.c b/mdadm.c
		41	index 91e67467..26299b2e 100644
		42	--- a/mdadm.c
		43	+++ b/mdadm.c
		44	@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[])
		45	mdfd = open_mddev(devlist->devname, 1);
		46	if (mdfd < 0)
		47	exit(1);
		48	- } else
		49	+ } else {
		50	+ char *bname = basename(devlist->devname);
		51	+
		52	+ if (strlen(bname) > MD_NAME_MAX) {
		53	+ pr_err("Name %s is too long.\n", devlist->devname);
		54	+ exit(1);
		55	+ }
		56	/* non-existent device is OK */
		57	mdfd = open_mddev(devlist->devname, 0);
		58	+ }
		59	if (mdfd == -2) {
		60	pr_err("device %s exists but is not an md array.\n", devlist->devname);
		61	exit(1);
		62	diff --git a/mdadm.h b/mdadm.h
		63	index 54567396..c7268a71 100644
		64	--- a/mdadm.h
		65	+++ b/mdadm.h
		66	@@ -1880,3 +1880,8 @@ enum r0layout {
		67	#define INVALID_SECTORS 1
		68	/* And another special number needed for --data_offset=variable */
		69	#define VARIABLE_OFFSET 3
		70	+
		71	+/**
		72	+ * This is true for native and DDF, IMSM allows 16.
		73	+ */
		74	+#define MD_NAME_MAX 32
		75	--
		76	cgit
		77


diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch new file mode 100644 index 0000000000..1e2990d79a --- /dev/null +++ b/meta/recipes-extended/mdadm/files/CVE-2023-28938.patch
@@ -0,0 +1,80 @@
		1	From 7d374a1869d3a84971d027a7f4233878c8f25a62 Mon Sep 17 00:00:00 2001
		2	From: Mateusz Grzonka <mateusz.grzonka@intel.com>
		3	Date: Tue, 27 Jul 2021 10:25:18 +0200
		4	Subject: Fix memory leak after "mdadm --detail"
		5
		6	Signed-off-by: Mateusz Grzonka <mateusz.grzonka@intel.com>
		7	Signed-off-by: Jes Sorensen <jsorensen@fb.com>
		8	---
		9	Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=7d374a1869d3a84971d027a7f4233878c8f25a62]
		10	CVE: CVE-2023-28938
		11	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		12
		13	Detail.c \| 20 +++++++++-----------
		14	1 file changed, 9 insertions(+), 11 deletions(-)
		15
		16	diff --git a/Detail.c b/Detail.c
		17	index ad56344f..d3af0ab5 100644
		18	--- a/Detail.c
		19	+++ b/Detail.c
		20	@@ -66,11 +66,11 @@ int Detail(char dev, struct context c)
		21	int spares = 0;
		22	struct stat stb;
		23	int failed = 0;
		24	- struct supertype *st;
		25	+ struct supertype *st = NULL;
		26	char *subarray = NULL;
		27	int max_disks = MD_SB_DISKS; /* just a default */
		28	struct mdinfo *info = NULL;
		29	- struct mdinfo *sra;
		30	+ struct mdinfo *sra = NULL;
		31	struct mdinfo *subdev;
		32	char *member = NULL;
		33	char *container = NULL;
		34	@@ -93,8 +93,7 @@ int Detail(char dev, struct context c)
		35	if (!sra) {
		36	if (md_get_array_info(fd, &array)) {
		37	pr_err("%s does not appear to be an md device\n", dev);
		38	- close(fd);
		39	- return rv;
		40	+ goto out;
		41	}
		42	}
		43	external = (sra != NULL && sra->array.major_version == -1 &&
		44	@@ -108,16 +107,13 @@ int Detail(char dev, struct context c)
		45	sra->devs == NULL) {
		46	pr_err("Array associated with md device %s does not exist.\n",
		47	dev);
		48	- close(fd);
		49	- sysfs_free(sra);
		50	- return rv;
		51	+ goto out;
		52	}
		53	array = sra->array;
		54	} else {
		55	pr_err("cannot get array detail for %s: %s\n",
		56	dev, strerror(errno));
		57	- close(fd);
		58	- return rv;
		59	+ goto out;
		60	}
		61	}
		62
		63	@@ -827,10 +823,12 @@ out:
		64	close(fd);
		65	free(subarray);
		66	free(avail);
		67	- for (d = 0; d < n_devices; d++)
		68	- free(devices[d]);
		69	+ if (devices)
		70	+ for (d = 0; d < n_devices; d++)
		71	+ free(devices[d]);
		72	free(devices);
		73	sysfs_free(sra);
		74	+ free(st);
		75	return rv;
		76	}
		77
		78	--
		79	cgit
		80


diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb b/meta/recipes-extended/mdadm/mdadm_4.1.bb index 001d3331a7..ca326fd1cb 100644 --- a/meta/recipes-extended/mdadm/mdadm_4.1.bb +++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb
@@ -1,5 +1,6 @@
1	SUMMARY = "Tool for managing software RAID under Linux"	1	SUMMARY = "Tool for managing software RAID under Linux"
2	HOMEPAGE = "http://www.kernel.org/pub/linux/utils/raid/mdadm/"	2	HOMEPAGE = "http://www.kernel.org/pub/linux/utils/raid/mdadm/"
		3	DESCRIPTION = "mdadm is a Linux utility used to manage and monitor software RAID devices."
3		4
4	# Some files are GPLv2+ while others are GPLv2.	5	# Some files are GPLv2+ while others are GPLv2.
5	LICENSE = "GPLv2 & GPLv2+"	6	LICENSE = "GPLv2 & GPLv2+"
@@ -23,6 +24,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \
23	file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \	24	file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \
24	file://include_sysmacros.patch \	25	file://include_sysmacros.patch \
25	file://0001-mdadm-skip-test-11spare-migration.patch \	26	file://0001-mdadm-skip-test-11spare-migration.patch \
		27	file://CVE-2023-28736.patch \
		28	file://CVE-2023-28938.patch \
26	"	29	"
27		30
28	SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"	31	SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"