From b9616990e2ee330d78ffc8c5efedfb0689ca3f79 Mon Sep 17 00:00:00 2001 From: Wenchao Hao Date: Thu, 4 Feb 2021 21:54:06 +0800 Subject: [PATCH 1/2] ceph: Fix CVE-2020-25678 Signed-off-by: Wenchao Hao --- ...mand-MMonCommandAck-don-t-log-values.patch | 106 ++++++++++++++ ...nfig-set-and-config-key-set-dispatch.patch | 77 ++++++++++ ...r.cc-don-t-dump-all-keys-and-values-.patch | 32 +++++ ...nfig-values-to-mgr-log-in-config_cal.patch | 52 +++++++ ...r.cc-don-t-log-config-values-in-refr.patch | 32 +++++ ...les.cc-don-t-log-config-value-in-get.patch | 32 +++++ ...-TOPNSPC-common-for-crimson-compatib.patch | 131 ++++++++++++++++++ ceph.spec | 13 +- 8 files changed, 474 insertions(+), 1 deletion(-) create mode 100644 0001-messages-MMonCommand-MMonCommandAck-don-t-log-values.patch create mode 100644 0002-mon-don-t-log-config-set-and-config-key-set-dispatch.patch create mode 100644 0003-mon-ConfigMonitor.cc-don-t-dump-all-keys-and-values-.patch create mode 100644 0004-mgr-don-t-add-config-values-to-mgr-log-in-config_cal.patch create mode 100644 0005-mon-ConfigMonitor.cc-don-t-log-config-values-in-refr.patch create mode 100644 0006-mgr-ActivePyModules.cc-don-t-log-config-value-in-get.patch create mode 100644 0007-mon-messages-use-TOPNSPC-common-for-crimson-compatib.patch diff --git a/0001-messages-MMonCommand-MMonCommandAck-don-t-log-values.patch b/0001-messages-MMonCommand-MMonCommandAck-don-t-log-values.patch new file mode 100644 index 0000000..1837ab3 --- /dev/null +++ b/0001-messages-MMonCommand-MMonCommandAck-don-t-log-values.patch @@ -0,0 +1,106 @@ +From 3d54660ca1a9a7ae54e884c3181fca17a40d8cd3 Mon Sep 17 00:00:00 2001 +From: Neha Ojha +Date: Thu, 3 Dec 2020 19:18:04 +0000 +Subject: [PATCH] messages/MMonCommand, MMonCommandAck: don't log values for + "config set" and "config-key set" + +This acts like a big hammer to avoid adding sensitive information, like passwords +into mon/mgr/cluster logs when using "config set" and "config-key set" to set keys +whose values should be secure. + +Conflict: To avoid conflict, patch origin patch manually, then generate this patch + +Fixes: https://tracker.ceph.com/issues/37503 +Signed-off-by: Neha Ojha +--- + src/messages/MMonCommand.h | 23 ++++++++++++++++++++--- + src/messages/MMonCommandAck.h | 24 +++++++++++++++++++++++- + 2 files changed, 43 insertions(+), 4 deletions(-) + +diff --git a/src/messages/MMonCommand.h b/src/messages/MMonCommand.h +index afb3142..88e59bf 100644 +--- a/src/messages/MMonCommand.h ++++ b/src/messages/MMonCommand.h +@@ -15,6 +15,7 @@ + #ifndef CEPH_MMONCOMMAND_H + #define CEPH_MMONCOMMAND_H + ++#include "common/cmdparse.h" + #include "messages/PaxosServiceMessage.h" + + #include +@@ -39,10 +40,26 @@ private: + public: + std::string_view get_type_name() const override { return "mon_command"; } + void print(ostream& o) const override { ++ cmdmap_t cmdmap; ++ std::ostringstream ss; ++ string prefix; ++ ceph::common::cmdmap_from_json(cmd, &cmdmap, ss); ++ ceph::common::cmd_getval(cmdmap, "prefix", prefix); ++ // Some config values contain sensitive data, so don't log them + o << "mon_command("; +- for (unsigned i=0; i { +@@ -35,7 +36,28 @@ private: + public: + std::string_view get_type_name() const override { return "mon_command"; } + void print(ostream& o) const override { +- o << "mon_command_ack(" << cmd << "=" << r << " " << rs << " v" << version << ")"; ++ cmdmap_t cmdmap; ++ std::ostringstream ss; ++ string prefix; ++ ceph::common::cmdmap_from_json(cmd, &cmdmap, ss); ++ ceph::common::cmd_getval(cmdmap, "prefix", prefix); ++ // Some config values contain sensitive data, so don't log them ++ o << "mon_command_ack("; ++ if (prefix == "config set") { ++ string name; ++ ceph::common::cmd_getval(cmdmap, "name", name); ++ o << "[{prefix=" << prefix ++ << ", name=" << name << "}]" ++ << "=" << r << " " << rs << " v" << version << ")"; ++ } else if (prefix == "config-key set") { ++ string key; ++ ceph::common::cmd_getval(cmdmap, "key", key); ++ o << "[{prefix=" << prefix << ", key=" << key << "}]" ++ << "=" << r << " " << rs << " v" << version << ")"; ++ } else { ++ o << cmd; ++ } ++ o << "=" << r << " " << rs << " v" << version << ")"; + } + + void encode_payload(uint64_t features) override { +-- +1.8.3.1 + diff --git a/0002-mon-don-t-log-config-set-and-config-key-set-dispatch.patch b/0002-mon-don-t-log-config-set-and-config-key-set-dispatch.patch new file mode 100644 index 0000000..56f18d5 --- /dev/null +++ b/0002-mon-don-t-log-config-set-and-config-key-set-dispatch.patch @@ -0,0 +1,77 @@ +From 4b83dfb1f74e8a59c802ff3c0eb4595f7e763762 Mon Sep 17 00:00:00 2001 +From: Neha Ojha +Date: Thu, 3 Dec 2020 19:24:39 +0000 +Subject: [PATCH] mon: don't log "config set" and "config-key set" dispatch and + finished messages + +Conflict: To avoid conflict, patch origin patch manually, then generate this patch + +Signed-off-by: Neha Ojha +--- + src/mon/Monitor.cc | 18 ++++++++++-------- + src/mon/Monitor.h | 9 ++++++++- + 2 files changed, 18 insertions(+), 9 deletions(-) + +diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc +index a01cd52..9c58288 100644 +--- a/src/mon/Monitor.cc ++++ b/src/mon/Monitor.cc +@@ -3337,18 +3337,20 @@ void Monitor::handle_command(MonOpRequestRef op) + if (!_allowed_command(session, service, prefix, cmdmap, + param_str_map, mon_cmd)) { + dout(1) << __func__ << " access denied" << dendl; +- (cmd_is_rw ? audit_clog->info() : audit_clog->debug()) +- << "from='" << session->name << " " << session->addrs << "' " +- << "entity='" << session->entity_name << "' " +- << "cmd=" << m->cmd << ": access denied"; ++ if (prefix != "config set" && prefix != "config-key set") ++ (cmd_is_rw ? audit_clog->info() : audit_clog->debug()) ++ << "from='" << session->name << " " << session->addrs << "' " ++ << "entity='" << session->entity_name << "' " ++ << "cmd=" << m->cmd << ": access denied"; + reply_command(op, -EACCES, "access denied", 0); + return; + } + +- (cmd_is_rw ? audit_clog->info() : audit_clog->debug()) +- << "from='" << session->name << " " << session->addrs << "' " +- << "entity='" << session->entity_name << "' " +- << "cmd=" << m->cmd << ": dispatch"; ++ if (prefix != "config set" && prefix != "config-key set") ++ (cmd_is_rw ? audit_clog->info() : audit_clog->debug()) ++ << "from='" << session->name << " " << session->addrs << "' " ++ << "entity='" << session->entity_name << "' " ++ << "cmd=" << m->cmd << ": dispatch"; + + if (mon_cmd->is_mgr()) { + const auto& hdr = m->get_header(); +diff --git a/src/mon/Monitor.h b/src/mon/Monitor.h +index c57c2ec..ad095f0 100644 +--- a/src/mon/Monitor.h ++++ b/src/mon/Monitor.h +@@ -41,6 +41,7 @@ + #include "MonCommand.h" + + ++#include "common/cmdparse.h" + #include "common/config_obs.h" + #include "common/LogClient.h" + #include "auth/AuthClient.h" +@@ -849,7 +850,13 @@ public: + ss << "session dropped for command "; + } + } +- ss << "cmd='" << m->cmd << "': finished"; ++ cmdmap_t cmdmap; ++ std::ostringstream ds; ++ string prefix; ++ ceph::common::cmdmap_from_json(m->cmd, &cmdmap, ds); ++ ceph::common::cmd_getval(cmdmap, "prefix", prefix); ++ if (prefix != "config set" && prefix != "config-key set") ++ ss << "cmd='" << m->cmd << "': finished"; + + mon->audit_clog->info() << ss.str(); + mon->reply_command(op, rc, rs, rdata, version); +-- +1.8.3.1 + diff --git a/0003-mon-ConfigMonitor.cc-don-t-dump-all-keys-and-values-.patch b/0003-mon-ConfigMonitor.cc-don-t-dump-all-keys-and-values-.patch new file mode 100644 index 0000000..b122156 --- /dev/null +++ b/0003-mon-ConfigMonitor.cc-don-t-dump-all-keys-and-values-.patch @@ -0,0 +1,32 @@ +From a68b4597785f92a0cb98440030be61f8004e3151 Mon Sep 17 00:00:00 2001 +From: Neha Ojha +Date: Thu, 3 Dec 2020 20:33:20 +0000 +Subject: [PATCH] mon/ConfigMonitor.cc: don't dump all keys and values in + config map + +Signed-off-by: Neha Ojha +--- + src/mon/ConfigMonitor.cc | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/src/mon/ConfigMonitor.cc b/src/mon/ConfigMonitor.cc +index 5198c06..45b8725 100644 +--- a/src/mon/ConfigMonitor.cc ++++ b/src/mon/ConfigMonitor.cc +@@ -800,13 +800,6 @@ void ConfigMonitor::load_config() + it->next(); + } + dout(10) << __func__ << " got " << num << " keys" << dendl; +- dout(20) << __func__ << " config map:\n"; +- JSONFormatter jf(true); +- jf.open_object_section("config_map"); +- config_map.dump(&jf); +- jf.close_section(); +- jf.flush(*_dout); +- *_dout << dendl; + + // refresh our own config + { +-- +1.8.3.1 + diff --git a/0004-mgr-don-t-add-config-values-to-mgr-log-in-config_cal.patch b/0004-mgr-don-t-add-config-values-to-mgr-log-in-config_cal.patch new file mode 100644 index 0000000..fa81833 --- /dev/null +++ b/0004-mgr-don-t-add-config-values-to-mgr-log-in-config_cal.patch @@ -0,0 +1,52 @@ +From 19000fad573138b2b0576c093237c4a708b76020 Mon Sep 17 00:00:00 2001 +From: Neha Ojha +Date: Thu, 3 Dec 2020 20:34:53 +0000 +Subject: [PATCH] mgr: don't add config values to mgr log in config_callback + and module_config + +The original code has been commented out and left for future debugging +purposes. + +Conflict: To avoid conflict, patch origin patch manually, then generate this patch + +Signed-off-by: Neha Ojha +--- + src/mgr/MgrStandby.cc | 5 ++++- + src/mgr/PyModuleRegistry.cc | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/mgr/MgrStandby.cc b/src/mgr/MgrStandby.cc +index ee246b8..baf7cac 100644 +--- a/src/mgr/MgrStandby.cc ++++ b/src/mgr/MgrStandby.cc +@@ -133,7 +133,10 @@ int MgrStandby::init() + // We must register our config callback before calling init(), so + // that we see the initial configuration message + monc.register_config_callback([this](const std::string &k, const std::string &v){ +- dout(10) << "config_callback: " << k << " : " << v << dendl; ++ // removing value to hide sensitive data going into mgr logs ++ // leaving this for debugging purposes ++ // dout(10) << "config_callback: " << k << " : " << v << dendl; ++ dout(10) << "config_callback: " << k << " : " << dendl; + if (k.substr(0, 4) == "mgr/") { + const std::string global_key = PyModule::config_prefix + k.substr(4); + py_module_registry.handle_config(global_key, v); +diff --git a/src/mgr/PyModuleRegistry.cc b/src/mgr/PyModuleRegistry.cc +index da4a5a3..3170fde 100644 +--- a/src/mgr/PyModuleRegistry.cc ++++ b/src/mgr/PyModuleRegistry.cc +@@ -427,7 +427,10 @@ void PyModuleRegistry::handle_config(const std::string &k, const std::string &v) + std::lock_guard l(module_config.lock); + + if (!v.empty()) { +- dout(4) << "Loaded module_config entry " << k << ":" << v << dendl; ++ // removing value to hide sensitive data going into mgr logs ++ // leaving this for debugging purposes ++ // dout(10) << "Loaded module_config entry " << k << ":" << v << dendl; ++ dout(10) << "Loaded module_config entry " << k << ":" << dendl; + module_config.config[k] = v; + } else { + module_config.config.erase(k); +-- +1.8.3.1 + diff --git a/0005-mon-ConfigMonitor.cc-don-t-log-config-values-in-refr.patch b/0005-mon-ConfigMonitor.cc-don-t-log-config-values-in-refr.patch new file mode 100644 index 0000000..b930141 --- /dev/null +++ b/0005-mon-ConfigMonitor.cc-don-t-log-config-values-in-refr.patch @@ -0,0 +1,32 @@ +From 77932ae49bffd03f905f1039ae4add303738eec6 Mon Sep 17 00:00:00 2001 +From: Neha Ojha +Date: Thu, 3 Dec 2020 21:00:51 +0000 +Subject: [PATCH] mon/ConfigMonitor.cc: don't log config values in + refresh_config + +Conflict: To avoid conflict, patch origin patch manually, then generate this patch + +Signed-off-by: Neha Ojha +--- + src/mon/ConfigMonitor.cc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/mon/ConfigMonitor.cc b/src/mon/ConfigMonitor.cc +index 45b8725..148a6c5 100644 +--- a/src/mon/ConfigMonitor.cc ++++ b/src/mon/ConfigMonitor.cc +@@ -880,8 +880,9 @@ bool ConfigMonitor::refresh_config(MonSession *s) + dout(20) << __func__ << " no change, " << out << dendl; + return false; + } +- +- dout(20) << __func__ << " " << out << dendl; ++ // removing this to hide sensitive data going into logs ++ // leaving this for debugging purposes ++ // dout(20) << __func__ << " " << out << dendl; + s->last_config = out; + s->any_config = true; + return true; +-- +1.8.3.1 + diff --git a/0006-mgr-ActivePyModules.cc-don-t-log-config-value-in-get.patch b/0006-mgr-ActivePyModules.cc-don-t-log-config-value-in-get.patch new file mode 100644 index 0000000..894d8b8 --- /dev/null +++ b/0006-mgr-ActivePyModules.cc-don-t-log-config-value-in-get.patch @@ -0,0 +1,32 @@ +From f4b3d6b7692332c329b567d91460b8ada96741e2 Mon Sep 17 00:00:00 2001 +From: Neha Ojha +Date: Thu, 3 Dec 2020 21:54:23 +0000 +Subject: [PATCH] mgr/ActivePyModules.cc: don't log config value in + get_typed_config + +Conflict: To avoid conflict, patch origin patch manually, then generate this patch + +Signed-off-by: Neha Ojha +--- + src/mgr/ActivePyModules.cc | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/mgr/ActivePyModules.cc b/src/mgr/ActivePyModules.cc +index d50c2cf..33652ab 100644 +--- a/src/mgr/ActivePyModules.cc ++++ b/src/mgr/ActivePyModules.cc +@@ -599,7 +599,10 @@ PyObject *ActivePyModules::get_typed_config( + derr << "Module '" << module_name << "' is not available" << dendl; + Py_RETURN_NONE; + } +- dout(10) << __func__ << " " << final_key << " found: " << value << dendl; ++ // removing value to hide sensitive data going into mgr logs ++ // leaving this for debugging purposes ++ // dout(10) << __func__ << " " << final_key << " found: " << value << dendl; ++ dout(10) << __func__ << " " << final_key << " found" << dendl; + return module->get_typed_option_value(key, value); + } + PyEval_RestoreThread(tstate); +-- +1.8.3.1 + diff --git a/0007-mon-messages-use-TOPNSPC-common-for-crimson-compatib.patch b/0007-mon-messages-use-TOPNSPC-common-for-crimson-compatib.patch new file mode 100644 index 0000000..db5ac06 --- /dev/null +++ b/0007-mon-messages-use-TOPNSPC-common-for-crimson-compatib.patch @@ -0,0 +1,131 @@ +From 9f80520670e72f9b34f362db74acade464766e5a Mon Sep 17 00:00:00 2001 +From: Neha Ojha +Date: Sat, 5 Dec 2020 01:22:11 +0000 +Subject: [PATCH] mon, messages: use TOPNSPC::common for crimson compatibility + +Conflict: To avoid conflict, patch origin patch manually, then generate this patch + +Signed-off-by: Neha Ojha +--- + src/messages/MMonCommand.h | 12 +++++++----- + src/messages/MMonCommandAck.h | 12 +++++++----- + src/mon/Monitor.h | 6 +++--- + 3 files changed, 17 insertions(+), 13 deletions(-) + +diff --git a/src/messages/MMonCommand.h b/src/messages/MMonCommand.h +index 88e59bf..7d870b2 100644 +--- a/src/messages/MMonCommand.h ++++ b/src/messages/MMonCommand.h +@@ -15,12 +15,14 @@ + #ifndef CEPH_MMONCOMMAND_H + #define CEPH_MMONCOMMAND_H + +-#include "common/cmdparse.h" + #include "messages/PaxosServiceMessage.h" + + #include + #include + ++using TOPNSPC::common::cmdmap_from_json; ++using TOPNSPC::common::cmd_getval; ++ + class MMonCommand : public MessageInstance { + public: + friend factory; +@@ -43,17 +45,17 @@ public: + cmdmap_t cmdmap; + std::ostringstream ss; + string prefix; +- ceph::common::cmdmap_from_json(cmd, &cmdmap, ss); +- ceph::common::cmd_getval(cmdmap, "prefix", prefix); ++ cmdmap_from_json(cmd, &cmdmap, ss); ++ cmd_getval(cmdmap, "prefix", prefix); + // Some config values contain sensitive data, so don't log them + o << "mon_command("; + if (prefix == "config set") { + string name; +- ceph::common::cmd_getval(cmdmap, "name", name); ++ cmd_getval(cmdmap, "name", name); + o << "[{prefix=" << prefix << ", name=" << name << "}]"; + } else if (prefix == "config-key set") { + string key; +- ceph::common::cmd_getval(cmdmap, "key", key); ++ cmd_getval(cmdmap, "key", key); + o << "[{prefix=" << prefix << ", key=" << key << "}]"; + } else { + for (unsigned i=0; i { + public: + friend factory; +@@ -39,19 +41,19 @@ public: + cmdmap_t cmdmap; + std::ostringstream ss; + string prefix; +- ceph::common::cmdmap_from_json(cmd, &cmdmap, ss); +- ceph::common::cmd_getval(cmdmap, "prefix", prefix); ++ cmdmap_from_json(cmd, &cmdmap, ss); ++ cmd_getval(cmdmap, "prefix", prefix); + // Some config values contain sensitive data, so don't log them + o << "mon_command_ack("; + if (prefix == "config set") { + string name; +- ceph::common::cmd_getval(cmdmap, "name", name); ++ cmd_getval(cmdmap, "name", name); + o << "[{prefix=" << prefix + << ", name=" << name << "}]" + << "=" << r << " " << rs << " v" << version << ")"; + } else if (prefix == "config-key set") { + string key; +- ceph::common::cmd_getval(cmdmap, "key", key); ++ cmd_getval(cmdmap, "key", key); + o << "[{prefix=" << prefix << ", key=" << key << "}]" + << "=" << r << " " << rs << " v" << version << ")"; + } else { +diff --git a/src/mon/Monitor.h b/src/mon/Monitor.h +index ad095f0..68102ed 100644 +--- a/src/mon/Monitor.h ++++ b/src/mon/Monitor.h +@@ -41,7 +41,6 @@ + #include "MonCommand.h" + + +-#include "common/cmdparse.h" + #include "common/config_obs.h" + #include "common/LogClient.h" + #include "auth/AuthClient.h" +@@ -56,6 +55,7 @@ + #include "mon/MonOpRequest.h" + #include "common/WorkQueue.h" + ++using namespace TOPNSPC::common; + + #define CEPH_MON_PROTOCOL 13 /* cluster internal */ + +@@ -853,8 +853,8 @@ public: + cmdmap_t cmdmap; + std::ostringstream ds; + string prefix; +- ceph::common::cmdmap_from_json(m->cmd, &cmdmap, ds); +- ceph::common::cmd_getval(cmdmap, "prefix", prefix); ++ cmdmap_from_json(m->cmd, &cmdmap, ds); ++ cmd_getval(cmdmap, "prefix", prefix); + if (prefix != "config set" && prefix != "config-key set") + ss << "cmd='" << m->cmd << "': finished"; + +-- +1.8.3.1 + diff --git a/ceph.spec b/ceph.spec index c2ce837..1d0bff2 100644 --- a/ceph.spec +++ b/ceph.spec @@ -110,7 +110,7 @@ ################################################################################# Name: ceph Version: 14.2.15 -Release: 1%{?dist} +Release: 2%{?dist} %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler} Epoch: 2 %endif @@ -127,6 +127,14 @@ Group: System/Filesystems URL: http://ceph.com/ Source0: %{?_remote_tarball_prefix}ceph-14.2.15.tar.gz +Patch1: 0001-messages-MMonCommand-MMonCommandAck-don-t-log-values.patch +Patch2: 0002-mon-don-t-log-config-set-and-config-key-set-dispatch.patch +Patch3: 0003-mon-ConfigMonitor.cc-don-t-dump-all-keys-and-values-.patch +Patch4: 0004-mgr-don-t-add-config-values-to-mgr-log-in-config_cal.patch +Patch5: 0005-mon-ConfigMonitor.cc-don-t-log-config-values-in-refr.patch +Patch6: 0006-mgr-ActivePyModules.cc-don-t-log-config-value-in-get.patch +Patch7: 0007-mon-messages-use-TOPNSPC-common-for-crimson-compatib.patch + %if 0%{?suse_version} # _insert_obs_source_lines_here ExclusiveArch: x86_64 aarch64 ppc64le s390x @@ -2313,6 +2321,9 @@ exit 0 %changelog +* Thu Feb 4 2021 Wenchao Hao - 1:14.2.15-2 +- Fix CVE-2020-25678 + * Fri Jan 22 2021 yanglongkang - 1:14.2.15-1 - update to 14.2.15 -- Gitee From c56c58cbe69e0a005a3438ebeeb314b27c38cb99 Mon Sep 17 00:00:00 2001 From: Zhiqiang Liu Date: Fri, 5 Feb 2021 09:21:21 +0800 Subject: [PATCH 2/2] Do not patch 0007 --- ceph.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ceph.spec b/ceph.spec index 1d0bff2..a2d384a 100644 --- a/ceph.spec +++ b/ceph.spec @@ -133,7 +133,7 @@ Patch3: 0003-mon-ConfigMonitor.cc-don-t-dump-all-keys-and-values-.patch Patch4: 0004-mgr-don-t-add-config-values-to-mgr-log-in-config_cal.patch Patch5: 0005-mon-ConfigMonitor.cc-don-t-log-config-values-in-refr.patch Patch6: 0006-mgr-ActivePyModules.cc-don-t-log-config-value-in-get.patch -Patch7: 0007-mon-messages-use-TOPNSPC-common-for-crimson-compatib.patch +#Patch7: 0007-mon-messages-use-TOPNSPC-common-for-crimson-compatib.patch %if 0%{?suse_version} # _insert_obs_source_lines_here -- Gitee