[dunfell,01/13] mdadm: Backport fix for CVE-2023-28736

Message ID	fb37fa3661095b8ebe68c2ffa36aabf35da30b91.1696102675.git.steve@sakoman.com
State	Accepted, archived
Commit	fb37fa3661095b8ebe68c2ffa36aabf35da30b91
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.160.46, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][dunfell 01/13] mdadm: Backport fix for CVE-2023-28736 Date: Sat, 30 Sep 2023 09:39:58 -1000 Message-Id: <fb37fa3661095b8ebe68c2ffa36aabf35da30b91.1696102675.git.steve@sakoman.com> In-Reply-To: <cover.1696102675.git.steve@sakoman.com> References: <cover.1696102675.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[dunfell,01/13] mdadm: Backport fix for CVE-2023-28736 \| expand [dunfell,01/13] mdadm: Backport fix for CVE-2023-28736 [dunfell,02/13] libwebp: Fix CVE-2023-5129 [dunfell,03/13] libxpm: fix CVE-2022-46285 [dunfell,04/13] nasm: fix CVE-2022-44370 [dunfell,05/13] ghostscript: fix CVE-2023-36664 [dunfell,06/13] qemu: fix CVE-2020-24165 [dunfell,07/13] go: Fix CVE-2023-39318 and CVE-2023-39319 [dunfell,08/13] python3: update to 3.8.18 [dunfell,09/13] nasm: update 2.15.03 -> 2.15.05 [dunfell,10/13] linux-yocto/5.4: update to v5.4.252 [dunfell,11/13] linux-yocto/5.4: update to v5.4.254 [dunfell,12/13] linux-yocto/5.4: update to v5.4.256 [dunfell,13/13] linux-yocto/5.4: update to v5.4.257

Message ID

fb37fa3661095b8ebe68c2ffa36aabf35da30b91.1696102675.git.steve@sakoman.com

State

Accepted, archived

Commit

fb37fa3661095b8ebe68c2ffa36aabf35da30b91

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 01/13] mdadm: Backport fix for CVE-2023-28736
Date: Sat, 30 Sep 2023 09:39:58 -1000
Message-Id: 
 <fb37fa3661095b8ebe68c2ffa36aabf35da30b91.1696102675.git.steve@sakoman.com>
In-Reply-To: <cover.1696102675.git.steve@sakoman.com>
References: <cover.1696102675.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[dunfell,01/13] mdadm: Backport fix for CVE-2023-28736 | expand

Commit Message

Steve Sakoman Sept. 30, 2023, 7:39 p.m. UTC

From: Ashish Sharma <asharma@mvista.com>

Signed-off-by: Ashish Sharma <asharma@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../mdadm/files/CVE-2023-28736.patch          | 77 +++++++++++++++++++
 meta/recipes-extended/mdadm/mdadm_4.1.bb      |  1 +
 2 files changed, 78 insertions(+)
 create mode 100644 meta/recipes-extended/mdadm/files/CVE-2023-28736.patch

diff --git a/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
new file mode 100644
index 0000000000..8e0a06cbc7
--- /dev/null
+++ b/meta/recipes-extended/mdadm/files/CVE-2023-28736.patch
@@ -0,0 +1,77 @@ 
+From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001
+From: Blazej Kucman <blazej.kucman@intel.com>
+Date: Fri, 3 Dec 2021 15:31:15 +0100
+Subject: mdadm: block creation with long names
+
+This fixes buffer overflows in create_mddev(). It prohibits
+creation with not supported names for DDF and native. For IMSM,
+mdadm will do silent cut to 16 later.
+
+Signed-off-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
+Signed-off-by: Blazej Kucman <blazej.kucman@intel.com>
+Signed-off-by: Jes Sorensen <jsorensen@fb.com>
+---
+
+Upstream-Status: Backport from [https://git.kernel.org/pub/scm/utils/mdadm/mdadm.git/patch/?id=ced5fa8b170ad448f4076e24a10c731b5cfb36ce]
+CVE: CVE-2023-28736
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ mdadm.8.in | 5 +++++
+ mdadm.c    | 9 ++++++++-
+ mdadm.h    | 5 +++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/mdadm.8.in b/mdadm.8.in
+index 28d773c2..68e100cb 100644
+--- a/mdadm.8.in
++++ b/mdadm.8.in
+@@ -2186,6 +2186,11 @@ is run, but will be created by
+ .I udev
+ once the array becomes active.
+ 
++The max length md-device name is limited to 32 characters.
++Different metadata types have more strict limitation
++(like IMSM where only 16 characters are allowed).
++For that reason, long name could be truncated or rejected, it depends on metadata policy.
++
+ As devices are added, they are checked to see if they contain RAID
+ superblocks or filesystems.  They are also checked to see if the variance in
+ device size exceeds 1%.
+diff --git a/mdadm.c b/mdadm.c
+index 91e67467..26299b2e 100644
+--- a/mdadm.c
++++ b/mdadm.c
+@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[])
+ 			mdfd = open_mddev(devlist->devname, 1);
+ 			if (mdfd < 0)
+ 				exit(1);
+-		} else
++		} else {
++			char *bname = basename(devlist->devname);
++
++			if (strlen(bname) > MD_NAME_MAX) {
++				pr_err("Name %s is too long.\n", devlist->devname);
++				exit(1);
++			}
+ 			/* non-existent device is OK */
+ 			mdfd = open_mddev(devlist->devname, 0);
++		}
+ 		if (mdfd == -2) {
+ 			pr_err("device %s exists but is not an md array.\n", devlist->devname);
+ 			exit(1);
+diff --git a/mdadm.h b/mdadm.h
+index 54567396..c7268a71 100644
+--- a/mdadm.h
++++ b/mdadm.h
+@@ -1880,3 +1880,8 @@ enum r0layout {
+ #define INVALID_SECTORS 1
+ /* And another special number needed for --data_offset=variable */
+ #define VARIABLE_OFFSET 3
++
++/**
++ * This is true for native and DDF, IMSM allows 16.
++ */
++#define MD_NAME_MAX 32
+-- 
+cgit 
+
diff --git a/meta/recipes-extended/mdadm/mdadm_4.1.bb b/meta/recipes-extended/mdadm/mdadm_4.1.bb
index bb77759cf9..5238a41df2 100644
--- a/meta/recipes-extended/mdadm/mdadm_4.1.bb
+++ b/meta/recipes-extended/mdadm/mdadm_4.1.bb
@@ -24,6 +24,7 @@  SRC_URI = "${KERNELORG_MIRROR}/linux/utils/raid/mdadm/${BPN}-${PV}.tar.xz \
            file://0001-mdadm-add-option-y-for-use-syslog-to-recive-event-re.patch \
            file://include_sysmacros.patch \
            file://0001-mdadm-skip-test-11spare-migration.patch \
+           file://CVE-2023-28736.patch \
            "
 
 SRC_URI[md5sum] = "51bf3651bd73a06c413a2f964f299598"

[dunfell,01/13] mdadm: Backport fix for CVE-2023-28736

Commit Message

Patch