aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch100
-rw-r--r--recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch95
-rw-r--r--recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch31
-rw-r--r--recipes-extended/ceph/ceph_15.2.0.bb3
4 files changed, 229 insertions, 0 deletions
diff --git a/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch b/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch
new file mode 100644
index 0000000..de191bf
--- /dev/null
+++ b/recipes-extended/ceph/ceph/0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch
@@ -0,0 +1,100 @@
+From de67c1dab5597c91538970421b25f6ec667af492 Mon Sep 17 00:00:00 2001
+From: Josh Durgin <jdurgin@redhat.com>
+Date: Mon, 4 May 2020 17:03:35 -0400
+Subject: [PATCH 1/3] mgr: require all caps for pre-octopus tell commands
+
+This matches the requirements for admin socket commands
+sent via tell elsewhere.
+
+Signed-off-by: Josh Durgin <jdurgin@redhat.com>
+
+Upstream-status: Backport
+[https://github.com/ceph/ceph/commit/347003e13167c428187a5450517850f4d85e09ad]
+
+Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
+---
+ src/mgr/DaemonServer.cc | 37 ++++++++++++++++++++++---------------
+ 1 file changed, 22 insertions(+), 15 deletions(-)
+
+diff --git a/src/mgr/DaemonServer.cc b/src/mgr/DaemonServer.cc
+index becd428a..527326e3 100644
+--- a/src/mgr/DaemonServer.cc
++++ b/src/mgr/DaemonServer.cc
+@@ -808,20 +808,12 @@ public:
+ bool DaemonServer::handle_command(const ref_t<MCommand>& m)
+ {
+ std::lock_guard l(lock);
+- // a blank fsid in MCommand signals a legacy client sending a "mon-mgr" CLI
+- // command.
+- if (m->fsid != uuid_d()) {
+- cct->get_admin_socket()->queue_tell_command(m);
++ auto cmdctx = std::make_shared<CommandContext>(m);
++ try {
++ return _handle_command(cmdctx);
++ } catch (const bad_cmd_get& e) {
++ cmdctx->reply(-EINVAL, e.what());
+ return true;
+- } else {
+- // legacy client; send to CLI processing
+- auto cmdctx = std::make_shared<CommandContext>(m);
+- try {
+- return _handle_command(cmdctx);
+- } catch (const bad_cmd_get& e) {
+- cmdctx->reply(-EINVAL, e.what());
+- return true;
+- }
+ }
+ }
+
+@@ -853,8 +845,12 @@ bool DaemonServer::_handle_command(
+ std::shared_ptr<CommandContext>& cmdctx)
+ {
+ MessageRef m;
++ bool admin_socket_cmd = false;
+ if (cmdctx->m_tell) {
+ m = cmdctx->m_tell;
++ // a blank fsid in MCommand signals a legacy client sending a "mon-mgr" CLI
++ // command.
++ admin_socket_cmd = (cmdctx->m_tell->fsid != uuid_d());
+ } else {
+ m = cmdctx->m_mgr;
+ }
+@@ -888,7 +884,10 @@ bool DaemonServer::_handle_command(
+
+ dout(10) << "decoded-size=" << cmdctx->cmdmap.size() << " prefix=" << prefix << dendl;
+
+- if (prefix == "get_command_descriptions") {
++ // this is just for mgr commands - admin socket commands will fall
++ // through and use the admin socket version of
++ // get_command_descriptions
++ if (prefix == "get_command_descriptions" && !admin_socket_cmd) {
+ dout(10) << "reading commands from python modules" << dendl;
+ const auto py_commands = py_modules.get_commands();
+
+@@ -925,7 +924,10 @@ bool DaemonServer::_handle_command(
+
+ bool is_allowed = false;
+ ModuleCommand py_command;
+- if (!mgr_cmd) {
++ if (admin_socket_cmd) {
++ // admin socket commands require all capabilities
++ is_allowed = session->caps.is_allow_all();
++ } else if (!mgr_cmd) {
+ // Resolve the command to the name of the module that will
+ // handle it (if the command exists)
+ auto py_commands = py_modules.get_py_commands();
+@@ -958,6 +960,11 @@ bool DaemonServer::_handle_command(
+ << "entity='" << session->entity_name << "' "
+ << "cmd=" << cmdctx->cmd << ": dispatch";
+
++ if (admin_socket_cmd) {
++ cct->get_admin_socket()->queue_tell_command(cmdctx->m_tell);
++ return true;
++ }
++
+ // ----------------
+ // service map commands
+ if (prefix == "service dump") {
+--
+2.25.1
+
diff --git a/recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch b/recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch
new file mode 100644
index 0000000..79f2174
--- /dev/null
+++ b/recipes-extended/ceph/ceph/0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch
@@ -0,0 +1,95 @@
+From ddbac9b2779172876ebd2d26b68b04b02350a125 Mon Sep 17 00:00:00 2001
+From: Josh Durgin <jdurgin@redhat.com>
+Date: Thu, 23 Apr 2020 00:22:10 -0400
+Subject: [PATCH 2/3] mon: enforce caps for pre-octopus client tell commands
+
+This affects only the commands whitelisted here - in particular
+injectargs requires write access to the monitors.
+
+Signed-off-by: Josh Durgin <jdurgin@redhat.com>
+
+Upstream-status: Backport
+[https://github.com/ceph/ceph/commit/fc5e56b75a97c4652c87e9959aad1c4dec45010d]
+
+Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
+---
+ src/mon/Monitor.cc | 56 +++++++++++++++++++++++-----------------------
+ 1 file changed, 28 insertions(+), 28 deletions(-)
+
+diff --git a/src/mon/Monitor.cc b/src/mon/Monitor.cc
+index b7cb3eae..eecd2f68 100644
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -3226,34 +3226,6 @@ void Monitor::handle_command(MonOpRequestRef op)
+ return;
+ }
+
+- // compat kludge for legacy clients trying to tell commands that are
+- // new. see bottom of MonCommands.h. we need to handle both (1)
+- // pre-octopus clients and (2) octopus clients with a mix of pre-octopus
+- // and octopus mons.
+- if ((!HAVE_FEATURE(m->get_connection()->get_features(), SERVER_OCTOPUS) ||
+- monmap->min_mon_release < ceph_release_t::octopus) &&
+- (prefix == "injectargs" ||
+- prefix == "smart" ||
+- prefix == "mon_status" ||
+- prefix == "heap")) {
+- if (m->get_connection()->get_messenger() == 0) {
+- // Prior to octopus, monitors might forward these messages
+- // around. that was broken at baseline, and if we try to process
+- // this message now, it will assert out when we try to send a
+- // message in reply from the asok/tell worker (see
+- // AnonConnection). Just reply with an error.
+- dout(5) << __func__ << " failing forwarded command from a (presumably) "
+- << "pre-octopus peer" << dendl;
+- reply_command(
+- op, -EBUSY,
+- "failing forwarded tell command in mixed-version mon cluster", 0);
+- return;
+- }
+- dout(5) << __func__ << " passing command to tell/asok" << dendl;
+- cct->get_admin_socket()->queue_tell_command(m);
+- return;
+- }
+-
+ string module;
+ string err;
+
+@@ -3368,6 +3340,34 @@ void Monitor::handle_command(MonOpRequestRef op)
+ << "entity='" << session->entity_name << "' "
+ << "cmd=" << m->cmd << ": dispatch";
+
++ // compat kludge for legacy clients trying to tell commands that are
++ // new. see bottom of MonCommands.h. we need to handle both (1)
++ // pre-octopus clients and (2) octopus clients with a mix of pre-octopus
++ // and octopus mons.
++ if ((!HAVE_FEATURE(m->get_connection()->get_features(), SERVER_OCTOPUS) ||
++ monmap->min_mon_release < ceph_release_t::octopus) &&
++ (prefix == "injectargs" ||
++ prefix == "smart" ||
++ prefix == "mon_status" ||
++ prefix == "heap")) {
++ if (m->get_connection()->get_messenger() == 0) {
++ // Prior to octopus, monitors might forward these messages
++ // around. that was broken at baseline, and if we try to process
++ // this message now, it will assert out when we try to send a
++ // message in reply from the asok/tell worker (see
++ // AnonConnection). Just reply with an error.
++ dout(5) << __func__ << " failing forwarded command from a (presumably) "
++ << "pre-octopus peer" << dendl;
++ reply_command(
++ op, -EBUSY,
++ "failing forwarded tell command in mixed-version mon cluster", 0);
++ return;
++ }
++ dout(5) << __func__ << " passing command to tell/asok" << dendl;
++ cct->get_admin_socket()->queue_tell_command(m);
++ return;
++ }
++
+ if (mon_cmd->is_mgr()) {
+ const auto& hdr = m->get_header();
+ uint64_t size = hdr.front_len + hdr.middle_len + hdr.data_len;
+--
+2.25.1
+
diff --git a/recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch b/recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch
new file mode 100644
index 0000000..ed2a63e
--- /dev/null
+++ b/recipes-extended/ceph/ceph/0003-PendingReleaseNotes-note-about-security-fix.patch
@@ -0,0 +1,31 @@
+From 56800925651857821034ac9c8ec82d45635cc3b8 Mon Sep 17 00:00:00 2001
+From: Josh Durgin <jdurgin@redhat.com>
+Date: Wed, 13 May 2020 21:34:56 -0700
+Subject: [PATCH 3/3] PendingReleaseNotes: note about security fix
+
+Signed-off-by: Josh Durgin <jdurgin@redhat.com>
+
+Upstream-status: Backport
+[https://github.com/ceph/ceph/commit/06f239fc35f35865d2cf92dda1ac8f4d5fe82bde]
+
+Signed-off-by: Liu Haitao <haitao.liu@windriver.com>
+---
+ PendingReleaseNotes | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/PendingReleaseNotes b/PendingReleaseNotes
+index c9fd4c79..6e07ce6d 100644
+--- a/PendingReleaseNotes
++++ b/PendingReleaseNotes
+@@ -1,6 +1,8 @@
+ >=15.0.0
+ --------
+
++* CVE-2020-10736: Fixes an authorization bypass in monitor and manager daemons
++
+ * The RGW "num_rados_handles" has been removed.
+ * If you were using a value of "num_rados_handles" greater than 1
+ multiply your current "objecter_inflight_ops" and
+--
+2.25.1
+
diff --git a/recipes-extended/ceph/ceph_15.2.0.bb b/recipes-extended/ceph/ceph_15.2.0.bb
index e41aa2f..9423faa 100644
--- a/recipes-extended/ceph/ceph_15.2.0.bb
+++ b/recipes-extended/ceph/ceph_15.2.0.bb
@@ -17,6 +17,9 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
file://0001-rgw-reject-unauthenticated-response-header-actions.patch \
file://0001-rgw-EPERM-to-ERR_INVALID_REQUEST.patch \
file://0001-rgw-reject-control-characters-in-response-header-act.patch \
+ file://0001-mgr-require-all-caps-for-pre-octopus-tell-commands.patch \
+ file://0002-mon-enforce-caps-for-pre-octopus-client-tell-command.patch \
+ file://0003-PendingReleaseNotes-note-about-security-fix.patch \
"
SRC_URI[md5sum] = "1f9af648b4c6d19975aab2583ab99710"