[AUTO-CHERRYPICK] ceph: patch multiple CVEs - branch main (#9086)

Co-authored-by: Henry Beberman <henry.beberman@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/ceph/CVE-2021-24032.patch

@@ -0,0 +1,64 @@
+Use umask() to Constrain Created File Permissions
+
+Signed-off-by: Henry Beberman <henry.beberman@microsoft.com>
+
+diff -Naur a/src/zstd/programs/fileio.c b/src/zstd/programs/fileio.c
+--- a/src/zstd/programs/fileio.c	2020-05-22 05:04:00.000000000 +0000
++++ b/src/zstd/programs/fileio.c	2024-05-08 21:47:49.022437794 +0000
+@@ -611,14 +611,11 @@
+             FIO_remove(dstFileName);
+     }   }
+ 
+-    {   FILE* const f = fopen( dstFileName, "wb" );
++    {   const int old_umask = UTIL_umask(0177); /* u-x,go-rwx */
++        FILE* const f = fopen( dstFileName, "wb" );
++        UTIL_umask(old_umask);
+         if (f == NULL) {
+             DISPLAYLEVEL(1, "zstd: %s: %s\n", dstFileName, strerror(errno));
+-        } else if (srcFileName != NULL
+-               && strcmp (srcFileName, stdinmark)
+-               && strcmp(dstFileName, nulmark) ) {
+-            /* reduce rights on newly created dst file while compression is ongoing */
+-            UTIL_chmod(dstFileName, 00600);
+         }
+         return f;
+     }
+diff -Naur a/src/zstd/programs/util.c b/src/zstd/programs/util.c
+--- a/src/zstd/programs/util.c	2020-05-22 05:04:00.000000000 +0000
++++ b/src/zstd/programs/util.c	2024-05-08 21:48:42.615068035 +0000
+@@ -137,6 +137,15 @@
+     return chmod(filename, permissions);
+ }
+ 
++int UTIL_umask(int mode) {
++#if PLATFORM_POSIX_VERSION > 0
++    return umask(mode);
++#else
++    /* do nothing, fake return value */
++    return mode;
++#endif
++}
++
+ int UTIL_setFileStat(const char *filename, stat_t *statbuf)
+ {
+     int res = 0;
+diff -Naur a/src/zstd/programs/util.h b/src/zstd/programs/util.h
+--- a/src/zstd/programs/util.h	2020-05-22 05:04:00.000000000 +0000
++++ b/src/zstd/programs/util.h	2024-05-08 21:50:01.135938005 +0000
+@@ -22,7 +22,7 @@
+ #include "platform.h"     /* PLATFORM_POSIX_VERSION, ZSTD_NANOSLEEP_SUPPORT, ZSTD_SETPRIORITY_SUPPORT */
+ #include <stddef.h>       /* size_t, ptrdiff_t */
+ #include <sys/types.h>    /* stat, utime */
+-#include <sys/stat.h>     /* stat, chmod */
++#include <sys/stat.h>     /* stat, chmod, umask */
+ #include "../lib/common/mem.h"          /* U64 */
+ 
+ 
+@@ -119,6 +119,7 @@
+ int UTIL_getFileStat(const char* infilename, stat_t* statbuf);
+ int UTIL_setFileStat(const char* filename, stat_t* statbuf);
+ int UTIL_chmod(char const* filename, mode_t permissions);   /*< like chmod, but avoid changing permission of /dev/null */
++int UTIL_umask(int mode);
+ int UTIL_compareStr(const void *p1, const void *p2);
+ const char* UTIL_getFileExtension(const char* infilename);
+ 

SPECS/ceph/CVE-2021-28361.patch

@@ -0,0 +1,42 @@
+From f3fd56fc3c73ee7595bbe7c69cf8048fe2577e1a Mon Sep 17 00:00:00 2001
+From: Tomasz Zawadzki <tomasz.zawadzki@intel.com>
+Date: Mon, 8 Feb 2021 10:28:44 -0500
+Subject: [PATCH] lib/iscsi: return immediately from iscsi_parse_params if len
+ is 0
+
+The spec does not disallow TEXT PDUs with no data.  In that
+case, just return immediately from iscsi_parse_params.
+
+This avoids a NULL pointer dereference with a TEXT PDU that has
+no data, but CONTINUE flag is set.
+
+Signed-off-by: Tomasz Zawadzki <tomasz.zawadzki@intel.com>
+Signed-off-by: Jim Harris <james.r.harris@intel.com>
+Change-Id: I2605293daf171633a45132d7b5532fdfc9128aff
+Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/6319
+Tested-by: SPDK CI Jenkins <sys_sgci@intel.com>
+Reviewed-by: Ziye Yang <ziye.yang@intel.com>
+Reviewed-by: Shuhei Matsumoto <shuhei.matsumoto.xt@hitachi.com>
+Reviewed-by: Ben Walker <benjamin.walker@intel.com>
+Reviewed-by: Paul Luse <paul.e.luse@intel.com>
+Signed-off-by: Henry Beberman <henry.beberman@microsoft.com>
+diff -Naur a/src/spdk/lib/iscsi/param.c b/src/spdk/lib/iscsi/param.c
+--- a/src/spdk/lib/iscsi/param.c	2020-07-31 07:07:10.000000000 +0000
++++ b/src/spdk/lib/iscsi/param.c	2024-05-09 17:34:00.036617778 +0000
+@@ -315,6 +315,16 @@
+ 	char *p;
+ 	int i;
+ 
++	/* Spec does not disallow TEXT PDUs with zero length, just return
++	 * immediately in that case, since there is no param data to parse
++	 * and any existing partial parameter would remain as-is.
++	 */
++	if (len == 0) {
++		return 0;
++	}
++
++	assert(data != NULL);
++
+ 	/* strip the partial text parameters if previous PDU have C enabled */
+ 	if (partial_parameter && *partial_parameter) {
+ 		for (i = 0; i < len && data[i] != '\0'; i++) {

SPECS/ceph/CVE-2022-3650.patch

@@ -0,0 +1,255 @@
+From e6f1f52409c52c3fd9434015a04065c89d762a21 Mon Sep 17 00:00:00 2001
+From: Guillaume Abrioux <gabrioux@redhat.com>
+Date: Thu, 24 Feb 2022 17:39:10 +0100
+Subject: [PATCH 1/6] Revert "src/ceph-crash.in: remove unused frame in
+ handler()"
+
+This reverts commit 432c766a99f70884049bf7a1f268287a5a809777.
+
+unused but required:
+
+```
+Traceback (most recent call last):
+File "/usr/bin/ceph-crash", line 102, in <module>
+main()
+File "/usr/bin/ceph-crash", line 98, in main
+time.sleep(args.delay * 60)
+TypeError: handler() takes exactly 1 argument (2 given)
+```
+
+Fixes: https://tracker.ceph.com/issues/54422
+
+Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
+Signed-off-by-: Henry Beberman <henry.beberman@microsoft.com>
+(cherry picked from commit 02e8e7d6e6d31b4735115f7820e015fc54997d9f)
+---
+ src/ceph-crash.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/ceph-crash.in b/src/ceph-crash.in
+index ae0e4f516464f..4502618fcf7aa 100755
+--- a/src/ceph-crash.in
++++ b/src/ceph-crash.in
+@@ -79,7 +79,7 @@ def scrape_path(path):
+                     (metapath, p, os.path.join('posted/', p))
+                 )
+ 
+-def handler(signum):
++def handler(signum, frame):
+     print('*** Interrupted with signal %d ***' % signum)
+     sys.exit(0)
+ 
+
+From 50d16ef5e4be857ddc2dcad1bed190c725efef1f Mon Sep 17 00:00:00 2001
+From: Guillaume Abrioux <gabrioux@redhat.com>
+Date: Thu, 24 Feb 2022 17:45:41 +0100
+Subject: [PATCH 2/6] ceph-crash: fix some flake8 issues
+
+ceph-crash.in:21:1: E302 expected 2 blank lines, found 1
+ceph-crash.in:32:80: E501 line too long (86 > 79 characters)
+ceph-crash.in:82:1: E302 expected 2 blank lines, found 1
+ceph-crash.in:86:1: E302 expected 2 blank lines, found 1
+
+Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
+(cherry picked from commit 0aee76965f92865d7f6e28b73b46dbdb5f1f9463)
+---
+ src/ceph-crash.in | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/ceph-crash.in b/src/ceph-crash.in
+index 4502618fcf7aa..916f0664a9456 100755
+--- a/src/ceph-crash.in
++++ b/src/ceph-crash.in
+@@ -18,6 +18,7 @@ auth_names = ['client.crash.%s' % socket.gethostname(),
+               'client.crash',
+               'client.admin']
+ 
++
+ def parse_args():
+     parser = argparse.ArgumentParser()
+     parser.add_argument(
+@@ -29,7 +30,8 @@ def parse_args():
+     )
+     parser.add_argument(
+         '--name', '-n',
+-        help='ceph name to authenticate as (default: try client.crash, client.admin)')
++        help='ceph name to authenticate as '
++             '(default: try client.crash, client.admin)')
+     parser.add_argument(
+         '--log-level', '-l',
+         help='log level output (default: INFO), support INFO or DEBUG')
+@@ -79,10 +81,12 @@ def scrape_path(path):
+                     (metapath, p, os.path.join('posted/', p))
+                 )
+ 
++
+ def handler(signum, frame):
+     print('*** Interrupted with signal %d ***' % signum)
+     sys.exit(0)
+ 
++
+ def main():
+     global auth_names
+     # exit code 0 on SIGINT, SIGTERM
+
+From 544f5035a6c7880756149c59a8f1b793d1dfd14b Mon Sep 17 00:00:00 2001
+From: Tim Serong <tserong@suse.com>
+Date: Wed, 2 Nov 2022 14:23:20 +1100
+Subject: [PATCH 3/6] ceph-crash: fix stderr handling
+
+Popen.communicate() returns a tuple (stdout, stderr), and stderr
+will be of type bytes, hence the need to decode it before checking
+if it's an empty string or not.
+
+Fixes: a77b47eeeb5770eeefcf4619ab2105ee7a6a003e
+Signed-off-by: Tim Serong <tserong@suse.com>
+(cherry picked from commit 45915540559126a652f8d9d105723584cfc63439)
+---
+ src/ceph-crash.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/ceph-crash.in b/src/ceph-crash.in
+index 916f0664a9456..453efb7aa10d0 100755
+--- a/src/ceph-crash.in
++++ b/src/ceph-crash.in
+@@ -50,7 +50,8 @@ def post_crash(path):
+             stderr=subprocess.PIPE,
+         )
+         f = open(os.path.join(path, 'meta'), 'rb')
+-        stderr = pr.communicate(input=f.read())
++        (_, stderr) = pr.communicate(input=f.read())
++        stderr = stderr.decode()
+         rc = pr.wait()
+         f.close()
+         if rc != 0 or stderr != "":
+
+From d2a9a539d72e01750dcc245a11962fe574777cc0 Mon Sep 17 00:00:00 2001
+From: Tim Serong <tserong@suse.com>
+Date: Wed, 2 Nov 2022 14:27:47 +1100
+Subject: [PATCH 4/6] ceph-crash: drop privleges to run as "ceph" user, rather
+ than root
+
+If privileges cannot be dropped, log an error and exit.  This commit
+also catches and logs exceptions when scraping the crash path, without
+which ceph-crash would just exit if it encountered an error.
+
+Fixes: CVE-2022-3650
+Fixes: https://tracker.ceph.com/issues/57967
+Signed-off-by: Tim Serong <tserong@suse.com>
+(cherry picked from commit 130c9626598bc3a75942161e6cce7c664c447382)
+---
+ src/ceph-crash.in | 24 +++++++++++++++++++++++-
+ 1 file changed, 23 insertions(+), 1 deletion(-)
+
+diff --git a/src/ceph-crash.in b/src/ceph-crash.in
+index 453efb7aa10d0..d5c7260614e49 100755
+--- a/src/ceph-crash.in
++++ b/src/ceph-crash.in
+@@ -3,8 +3,10 @@
+ # vim: ts=4 sw=4 smarttab expandtab
+ 
+ import argparse
++import grp
+ import logging
+ import os
++import pwd
+ import signal
+ import socket
+ import subprocess
+@@ -88,8 +90,25 @@ def handler(signum, frame):
+     sys.exit(0)
+ 
+ 
++def drop_privs():
++    if os.getuid() == 0:
++        try:
++            ceph_uid = pwd.getpwnam("ceph").pw_uid
++            ceph_gid = grp.getgrnam("ceph").gr_gid
++            os.setgroups([])
++            os.setgid(ceph_gid)
++            os.setuid(ceph_uid)
++        except Exception as e:
++            log.error(f"Unable to drop privileges: {e}")
++            sys.exit(1)
++
++
+ def main():
+     global auth_names
++
++    # run as unprivileged ceph user
++    drop_privs()
++
+     # exit code 0 on SIGINT, SIGTERM
+     signal.signal(signal.SIGINT, handler)
+     signal.signal(signal.SIGTERM, handler)
+@@ -108,7 +127,10 @@ def main():
+ 
+     log.info("monitoring path %s, delay %ds" % (args.path, args.delay * 60.0))
+     while True:
+-        scrape_path(args.path)
++        try:
++            scrape_path(args.path)
++        except Exception as e:
++            log.error(f"Error scraping {args.path}: {e}")
+         if args.delay == 0:
+             sys.exit(0)
+         time.sleep(args.delay * 60)
+
+From 1a990887fc604674bb64e2b85b971522c72d7cd0 Mon Sep 17 00:00:00 2001
+From: Tim Serong <tserong@suse.com>
+Date: Thu, 8 Dec 2022 11:09:16 +1100
+Subject: [PATCH 5/6] qa/workunits/rados/test_crash: chown crash files to ceph
+ user
+
+Fixes: https://tracker.ceph.com/issues/58098
+Signed-off-by: Tim Serong <tserong@suse.com>
+(cherry picked from commit 93c0456159a87bb9c28b9b60998baeba1600af5f)
+---
+ qa/workunits/rados/test_crash.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/qa/workunits/rados/test_crash.sh b/qa/workunits/rados/test_crash.sh
+index 6608d7872e232..26a4c9bdc151f 100755
+--- a/qa/workunits/rados/test_crash.sh
++++ b/qa/workunits/rados/test_crash.sh
+@@ -24,6 +24,11 @@ for f in $(find $TESTDIR/archive/coredump -type f); do
+ 	fi
+ done
+ 
++# ceph-crash runs as the unprivileged "ceph" user, but when under test
++# the ceph osd daemons are running as root, so their crash files aren't
++# readable.  let's chown them so they behave as they would in real life.
++sudo chown -R ceph:ceph /var/lib/ceph/crash
++
+ # let daemon find crashdumps on startup
+ sudo systemctl restart ceph-crash
+ sleep 30
+
+From 541ad16f64c93fc966ee167b9ef1ace1f5156678 Mon Sep 17 00:00:00 2001
+From: Tim Serong <tserong@suse.com>
+Date: Thu, 8 Dec 2022 11:54:17 +1100
+Subject: [PATCH 6/6] ceph-crash: log warning if crash directory unreadable
+
+This is to aid in debugging in case crashes aren't posted as expected
+(see https://tracker.ceph.com/issues/58098 for discussion).
+
+Signed-off-by: Tim Serong <tserong@suse.com>
+(cherry picked from commit d139f6d112e6118f0f458dbfff9550b3ce312d20)
+---
+ src/ceph-crash.in | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/ceph-crash.in b/src/ceph-crash.in
+index d5c7260614e49..74e50e2b253f3 100755
+--- a/src/ceph-crash.in
++++ b/src/ceph-crash.in
+@@ -66,6 +66,9 @@ def post_crash(path):
+ def scrape_path(path):
+     for p in os.listdir(path):
+         crashpath = os.path.join(path, p)
++        if not os.access(crashpath, os.R_OK):
++            log.warning('unable to read crash path %s' % (crashpath))
++            continue
+         metapath = os.path.join(crashpath, 'meta')
+         donepath = os.path.join(crashpath, 'done')
+         if os.path.isfile(metapath):