From 8edfbd69e7f7976e4f2ddc3fe415a4cbb97bb2ed Mon Sep 17 00:00:00 2001
From: wang kun
Date: Wed, 17 Sep 2025 11:26:48 +0800
Subject: [PATCH] fix CVE-2021-3979
---
 0019-fix-CVE-2021-3979.patch | 147 +++++++++++++++++++++++++++++++++++
 ceph.spec | 6 +-
 2 files changed, 152 insertions(+), 1 deletion(-)
 create mode 100644 0019-fix-CVE-2021-3979.patch
diff --git a/0019-fix-CVE-2021-3979.patch b/0019-fix-CVE-2021-3979.patch
new file mode 100644
index 0000000..ef7d82f
--- /dev/null
+++ b/0019-fix-CVE-2021-3979.patch
@@ -0,0 +1,147 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
+From: Guillaume Abrioux
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+
+It also changes the default value in `get_key_size_from_conf()`
+
+From cryptsetup manpage:
+
+> For XTS mode you can optionally set a key size of 512 bits with the -s option.
+
+Using more than 512bits will end up with the following error message:
+
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+
+Fixes: https://tracker.ceph.com/issues/54006
+
+Signed-off-by: Guillaume Abrioux
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+
+diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d391..c86dc50b7c756 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
++import base64
+
++class TestGetKeySize(object):
++ def test_get_size_from_conf_default(self, conf_ceph_stub):
++ conf_ceph_stub('''
++ [global]
++ fsid=asdf
++ ''')
++ assert encryption.get_key_size_from_conf() == '512'
++
++ def test_get_size_from_conf_custom(self, conf_ceph_stub):
++ conf_ceph_stub('''
++ [global]
++ fsid=asdf
++ [osd]
++ osd_dmcrypt_key_size=256
++ ''')
++ assert encryption.get_key_size_from_conf() == '256'
++
++ def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
++ conf_ceph_stub('''
++ [global]
++ fsid=asdf
++ [osd]
++ osd_dmcrypt_key_size=1024
++ ''')
++ assert encryption.get_key_size_from_conf() == '512'
+
+ class TestStatus(object):
+
+@@ -37,17 +63,6 @@ def test_mapper_does_not_exist(self, fake_run):
+
+ class TestDmcryptKey(object):
+
+- def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+- conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+- result = encryption.create_dmcrypt_key()
+- assert len(result) == 172
+-
+- def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+- conf_ceph_stub('''
+- [global]
+- fsid=asdf
+- [osd]
+- osd_dmcrypt_size=8
+- ''')
++ def test_dmcrypt(self):
+ result = encryption.create_dmcrypt_key()
+- assert len(result) == 172
++ assert len(base64.b64decode(result)) == 128
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e97..2a2c03337b61f 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
++++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@
+
+ logger = logging.getLogger(__name__)
+
+-
+-def create_dmcrypt_key():
++def get_key_size_from_conf():
+ """
+- Create the secret dm-crypt key used to decrypt a device.
++ Return the osd dmcrypt key size from config file.
++ Default is 512.
+ """
+- # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
+- # to the default of 1024
+- dmcrypt_key_size = conf.ceph.get_safe(
++ default_key_size = '512'
++ key_size = conf.ceph.get_safe(
+ 'osd',
+ 'osd_dmcrypt_key_size',
+- default=1024,
+- )
+- # The size of the key is defined in bits, so we must transform that
+- # value to bytes (dividing by 8) because we read in bytes, not bits
+- random_string = os.urandom(int(dmcrypt_key_size / 8))
++ default='512')
++
++ if key_size not in ['256', '512']:
++ logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
++ "Falling back to {}bits".format(key_size, default_key_size)))
++ return default_key_size
++
++ return key_size
++
++def create_dmcrypt_key():
++ """
++ Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
++ """
++ random_string = os.urandom(128)
+ key = base64.b64encode(random_string).decode('utf-8')
+ return key
+
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+ command = [
+ 'cryptsetup',
+ '--batch-mode', # do not prompt
++ '--key-size',
++ get_key_size_from_conf(),
+ '--key-file', # misnomer, should be key
+ '-', # because we indicate stdin for the key here
+ 'luksFormat',
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+ """
+ command = [
+ 'cryptsetup',
++ '--key-size',
++ get_key_size_from_conf(),
+ '--key-file',
+ '-',
+ '--allow-discards', # allow discards (aka TRIM) requests for device
diff --git a/ceph.spec b/ceph.spec
index 59a0b45..568c7bb 100644
--- a/ceph.spec
+++ b/ceph.spec
@@ -125,7 +125,7 @@
 #################################################################################
 Name: ceph
 Version: 16.2.7
-Release: 22
+Release: 23
 %if 0%{?fedora} || 0%{?rhel} || 0%{?openEuler}
 Epoch: 2
 %endif
@@ -161,6 +161,7 @@ Patch15: 0015-ceph-volume-add-judgment-for-ceph-volume-lvm-activat.patch
 Patch16: 0016-fix-CVE-2023-46159.patch
 Patch17: 0017-fix-osd-activate-error-when-node-reboot.patch
 Patch18: 0018-fix-CVE-2024-48916.patch
+Patch19: 0019-fix-CVE-2021-3979.patch
 %if 0%{?suse_version}
 # _insert_obs_source_lines_here
 ExclusiveArch: x86_64 aarch64 ppc64le s390x
@@ -2505,6 +2506,9 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 %changelog
+* Wed Sep 17 2025 wang kun - 2:16.2.7-23
+- fix CVE-2021-3979
+
 * Fri Feb 21 2025 wangzengliang - 2:16.2.7-22
 - fix-CVE-2024-48916
-- Gitee
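Review bot: The allow-list test `if key_size not in ['256', '512']:` in get_key_size_from_conf does double duty — it enforces the two sizes cryptsetup accepts for XTS, and it is the only thing keeping a free-form ceph.conf string out of the `cryptsetup` argv assembled in luks_format and luks_open — so it deserves a comment such as `# only 256/512 are valid for XTS; this check is also what makes the value safe to splice into the cryptsetup command line below`, so that a later change widening the list keeps validating. The membership test is string-only, so if `conf.ceph.get_safe` can ever return an int or a value with surrounding whitespace (not visible here) a correct setting would fall back to the default with only a warning; worth confirming against that helper. The warning is eagerly formatted and its text drops a space; `logger.warning("Invalid value set for osd_dmcrypt_key_size (%s). Falling back to %s bits", key_size, default_key_size)` fixes both. create_dmcrypt_key still returns 128 random bytes whatever size is configured, which appears to be fine because that value is supplied as the passphrase via `--key-file -` rather than used as the volume key itself, but the new docstring should state that its length is independent of `--key-size` to head off a future change coupling the two. The bodies of luks_format and luks_open continue outside their hunks.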