From 15854dc716330aa102abda830da63d3e39cd64f6 Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Wed, 27 Sep 2023 20:08:09 +0530 Subject: mdadm: Backport fix for CVE-2023-28736 (From OE-Core rev: fb37fa3661095b8ebe68c2ffa36aabf35da30b91) Signed-off-by: Ashish Sharma Signed-off-by: Steve Sakoman --- .../mdadm/files/CVE-2023-28736.patch | 77 ++++++++++++++++++++++ meta/recipes-extended/mdadm/mdadm_4.1.bb | 1 + 2 files changed, 78 insertions(+) create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28736.patch (limited to 'meta/recipes-extended') diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch new file mode 100644 index 0000000000..8e0a06cbc7 --- /dev/null +++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch @@ -0,0 +1,77 @@ +From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001 +From: Blazej Kucman +Date: Fri, 3 Dec 2021 15:31:15 +0100 +Subject: mdadm: block creation with long names + +This fixes buffer overflows in create_mddev(). It prohibits +creation with not supported names for DDF and native. For IMSM, +mdadm will do silent cut to 16 later. + +Signed-off-by: Mariusz Tkaczyk +Signed-off-by: Blazej Kucman +Signed-off-by: Jes Sorensen +--- + +Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce] +CVE: CVE-2023-28736 +Signed-off-by: Ashish Sharma + + mdadm.8.in | 5 +++++ + mdadm.c | 9 ++++++++- + mdadm.h | 5 +++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + +diff --git a/mdadm.8.in b/mdadm.8.in +index 28d773c2..68e100cb 100644 +--- a/mdadm.8.in ++++ b/mdadm.8.in +@@ -2186,6 +2186,11 @@ is run, but will be created by + .I udev + once the array becomes active. + ++The max length md-device name is limited to 32 characters. ++Different metadata types have more strict limitation ++(like IMSM where only 16 characters are allowed). ++For that reason, long name could be truncated or rejected, it depends on metadata policy. ++ + As devices are added, they are checked to see if they contain RAID + superblocks or filesystems. They are also checked to see if the variance in + device size exceeds 1%. +diff --git a/mdadm.c b/mdadm.c +index 91e67467..26299b2e 100644 +--- a/mdadm.c ++++ b/mdadm.c +@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[]) + mdfd = open_mddev(devlist->devname, 1); + if (mdfd < 0) + exit(1); +- } else ++ } else { ++ char *bname = basename(devlist->devname); ++ ++ if (strlen(bname) > MD_NAME_MAX) { ++ pr_err("Name %s is too long.\n", devlist->devname); ++ exit(1); ++ } + /* non-existent device is OK */ + mdfd = open_mddev(devlist->devname, 0); ++ } + if (mdfd == -2) { + pr_err("device %s exists but is not an md array.\n", devlist->devname); + exit(1); +diff --git a/mdadm.h b/mdadm.h +index 54567396..c7268a71 100644 +--- a/mdadm.h ++++ b/mdadm.h +@@ -1880,3 +1880,8 @@ enum r0layout { + #define INVALID_SECTORS 1 + /* And another special number needed for --data_offset=variable */ + #define VARIABLE_OFFSET 3 ++ ++/** ++ * This is true for native and DDF, IMSM allows 16. ++ */ ++#define MD_NAME_MAX 32 +-- +cgit + diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb b/meta/recipes-extended/mdadm/mdadm_4.1.bb index bb77759cf9..5238a41df2 100644 --- a/meta/recipes-extended/mdadm/mdadm_4.1.bb +++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb @@ -24,6 +24,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \ file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \ file://include_sysmacros.patch \ file://0001-mdadm-skip-test-11spare-migration.patch \ + file://CVE-2023-28736.patch \ " SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598" -- cgit v1.2.3-54-g00ecf