[AUTO-CHERRYPICK] [Medium] patch openmpi to fix CVE-2022-47022 - branch main (#12132)

CBL-Mariner-Bot · jykanase · web-flow · commit 1a1c51bd6d85 · 2025-01-29T15:30:43.000-05:00
Co-authored-by: jykanase &lt;v-jykanase@microsoft.com&gt;
diff --git a/SPECS/openmpi/CVE-2022-47022.patch b/SPECS/openmpi/CVE-2022-47022.patch
@@ -0,0 +1,69 @@
+From 6f10f14877d8637a3d561b2eb00e56bb3da178c2 Mon Sep 17 00:00:00 2001
+From: jykanase <v-jykanase@microsoft.com>
+Date: Wed, 29 Jan 2025 07:14:24 +0000
+Subject: [PATCH] CVE-2022-47022
+
+Source Link: https://github.com/open-mpi/hwloc/commit/ac1f8db9a0790d2bf153711ff4cbf6101f89aace
+---
+ .../hwloc/hwloc201/hwloc/hwloc/topology-linux.c   | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/opal/mca/hwloc/hwloc201/hwloc/hwloc/topology-linux.c b/opal/mca/hwloc/hwloc201/hwloc/hwloc/topology-linux.c
+index 2c60b1e..62ddedf 100644
+--- a/opal/mca/hwloc/hwloc201/hwloc/hwloc/topology-linux.c
++++ b/opal/mca/hwloc/hwloc201/hwloc/hwloc/topology-linux.c
+@@ -806,6 +806,8 @@ hwloc_linux_set_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused,
+ 
+   setsize = CPU_ALLOC_SIZE(last+1);
+   plinux_set = CPU_ALLOC(last+1);
++  if (!plinux_set)
++    return -1;
+ 
+   CPU_ZERO_S(setsize, plinux_set);
+   hwloc_bitmap_foreach_begin(cpu, hwloc_set)
+@@ -886,7 +888,10 @@ hwloc_linux_find_kernel_nr_cpus(hwloc_topology_t topology)
+   while (1) {
+     cpu_set_t *set = CPU_ALLOC(nr_cpus);
+     size_t setsize = CPU_ALLOC_SIZE(nr_cpus);
+-    int err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */
++    int err;
++    if (!set)
++      return -1; /* caller will return an error, and we'll try again later */
++    err = sched_getaffinity(0, setsize, set); /* always works, unless setsize is too small */
+     CPU_FREE(set);
+     nr_cpus = setsize * 8; /* that's the value that was actually tested */
+     if (!err)
+@@ -914,8 +919,12 @@ hwloc_linux_get_tid_cpubind(hwloc_topology_t topology __hwloc_attribute_unused,
+ 
+   /* find the kernel nr_cpus so as to use a large enough cpu_set size */
+   kernel_nr_cpus = hwloc_linux_find_kernel_nr_cpus(topology);
++  if (kernel_nr_cpus < 0)
++    return -1;
+   setsize = CPU_ALLOC_SIZE(kernel_nr_cpus);
+   plinux_set = CPU_ALLOC(kernel_nr_cpus);
++  if (!plinux_set)
++    return -1;
+ 
+   err = sched_getaffinity(tid, setsize, plinux_set);
+ 
+@@ -1269,6 +1278,8 @@ hwloc_linux_set_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_c
+ 
+      setsize = CPU_ALLOC_SIZE(last+1);
+      plinux_set = CPU_ALLOC(last+1);
++     if (!plinux_set)
++       return -1;
+ 
+      CPU_ZERO_S(setsize, plinux_set);
+      hwloc_bitmap_foreach_begin(cpu, hwloc_set)
+@@ -1360,6 +1371,8 @@ hwloc_linux_get_thread_cpubind(hwloc_topology_t topology, pthread_t tid, hwloc_b
+ 
+      setsize = CPU_ALLOC_SIZE(last+1);
+      plinux_set = CPU_ALLOC(last+1);
++     if (!plinux_set)
++       return -1;
+ 
+      err = pthread_getaffinity_np(tid, setsize, plinux_set);
+      if (err) {
+-- 
+2.45.2
+
diff --git a/SPECS/openmpi/openmpi.spec b/SPECS/openmpi/openmpi.spec
@@ -28,7 +28,7 @@
 Summary:        Open Message Passing Interface
 Name:           openmpi%{?_cc_name_suffix}
 Version:        4.1.4
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        BSD AND MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -38,6 +38,7 @@ Source0:        https://www.open-mpi.org/software/ompi/v4.1/downloads/openmpi-%{
 Source1:        openmpi.module.in
 Source3:        openmpi.pth.py3
 Source4:        macros.openmpi
+Patch0:         CVE-2022-47022.patch
 BuildRequires:  gcc-c++
 BuildRequires:  gcc-gfortran
 BuildRequires:  hwloc-devel
@@ -303,6 +304,9 @@ make check
 %{python3_sitearch}/openmpi.pth
 
 %changelog
+* Wed Jan 29 2025 Jyoti Kanase <v-jykanase@microsoft.com> - 4.1.4-12
+- Patch to fix CVE-2022-47022.
+
 * Tue Sep 26 2023 Sumedh Sharma <sumsharma@microsoft.com> - 4.1.4-11
 - Bump version to recompile with pmix update for CVE-2023-41915
 
