Message ID | 20221221070408.1871070-1-yogita.urade@windriver.com |
---|---|
State | New |
Headers | show |
Series | [meta-oe,1/1] multipath-tools: fix CVE-2022-41973 | expand |
Hi Yogita, Please add CVE ID and Upstream-Status in main patch as well Regards, Archana
Hi Archana, The same patch which I sent on 19th Dec, for the kirkstone branch, in that I added the CVE ID & upstream-status. But @Chen, Qi<mailto:Qi.Chen@windriver.com> suggest me to remove that because it was already added in the patch. This is same patch, only difference is that this is for the master branch. Regards, Yogita Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows From: Polampalli, Archana<mailto:Archana.Polampalli@windriver.com> Sent: 21 December 2022 13:35 To: openembedded-devel@lists.openembedded.org<mailto:openembedded-devel@lists.openembedded.org>; Urade, Yogita<mailto:Yogita.Urade@windriver.com> Cc: G Pillai, Hari<mailto:Hari.GPillai@windriver.com> Subject: Re: [oe][meta-oe][PATCH 1/1] multipath-tools: fix CVE-2022-41973 Hi Yogita, Please add CVE ID and Upstream-Status in main patch as well Regards, Archana From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> on behalf of Urade, Yogita via lists.openembedded.org <Yogita.Urade=windriver.com@lists.openembedded.org> Sent: Wednesday, December 21, 2022 12:34 PM To: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> Cc: G Pillai, Hari <Hari.GPillai@windriver.com>; Urade, Yogita <Yogita.Urade@windriver.com> Subject: [oe][meta-oe][PATCH 1/1] multipath-tools: fix CVE-2022-41973 multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root. References: https://nvd.nist.gov/vuln/detail/CVE-2022-41973 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> --- ...ath-tools-use-run-instead-of-dev-shm.patch | 159 ++++++++++++++++++ .../multipath-tools/multipath-tools_0.8.4.bb | 4 + 2 files changed, 163 insertions(+) create mode 100644 meta-oe/recipes-support/multipath-tools/files/0001-multipath-tools-use-run-instead-of-dev-shm.patch diff --git a/meta-oe/recipes-support/multipath-tools/files/0001-multipath-tools-use-run-instead-of-dev-shm.patch b/meta-oe/recipes-support/multipath-tools/files/0001-multipath-tools-use-run-instead-of-dev-shm.patch new file mode 100644 index 000000000..dd6af413e --- /dev/null +++ b/meta-oe/recipes-support/multipath-tools/files/0001-multipath-tools-use-run-instead-of-dev-shm.patch @@ -0,0 +1,159 @@ +From 23e13a52a6213b11eda9a3b09df455f495f74e8d Mon Sep 17 00:00:00 2001 +From: Yogita Urade <yogita.urade@windriver.com> +Date: Tue, 13 Dec 2022 09:18:33 +0000 +Subject: [PATCH] multipath-tools: use /run instead of /dev/shm + +/dev/shm may have unsafe permissions. Use /run instead. +Use systemd's tmpfiles.d mechanism to create /run/multipath +early during boot. + +For backward compatibilty, make the runtime directory configurable +via the "runtimedir" make variable. + +Signed-off-by: Martin Wilck <mwilck@suse.com> +Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com> + +CVE: CVE-2022-41973 + +References: +https://nvd.nist.gov/vuln/detail/CVE-2022-41973 + +Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + .gitignore | 2 ++ + Makefile.inc | 7 ++++++- + libmultipath/defaults.h | 3 +-- + multipath/Makefile | 11 ++++++++--- + multipath/{multipath.rules => multipath.rules.in} | 4 ++-- + multipath/tmpfiles.conf.in | 1 + + 6 files changed, 20 insertions(+), 8 deletions(-) + rename multipath/{multipath.rules => multipath.rules.in} (95%) + create mode 100644 multipath/tmpfiles.conf.in + +diff --git a/.gitignore b/.gitignore +index 9926756b..f90b0350 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -8,6 +8,8 @@ + *.d + kpartx/kpartx + multipath/multipath ++multipath/multipath.rules ++multipath/tmpfiles.conf + multipathd/multipathd + mpathpersist/mpathpersist + .nfs* +diff --git a/Makefile.inc b/Makefile.inc +index 4eb08eed..648f91b4 100644 +--- a/Makefile.inc ++++ b/Makefile.inc +@@ -44,6 +44,7 @@ exec_prefix = $(prefix) + usr_prefix = $(prefix) + bindir = $(exec_prefix)/usr/sbin + libudevdir = $(prefix)/$(SYSTEMDPATH)/udev ++tmpfilesdir = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d + udevrulesdir = $(libudevdir)/rules.d + multipathdir = $(TOPDIR)/libmultipath + man8dir = $(prefix)/usr/share/man/man8 +@@ -60,6 +61,7 @@ libdmmpdir = $(TOPDIR)/libdmmp + nvmedir = $(TOPDIR)/libmultipath/nvme + includedir = $(prefix)/usr/include + pkgconfdir = $(usrlibdir)/pkgconfig ++runtimedir := /$(RUN) + + GZIP = gzip -9 -c + RM = rm -f +@@ -95,7 +97,10 @@ OPTFLAGS += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \ + -Wno-unused-parameter -Werror=cast-qual \ + -Werror=discarded-qualifiers + +-CPPFLAGS := -Wp,-D_FORTIFY_SOURCE=2 ++CPPFLAGS := $(FORTIFY_OPT) \ ++ -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \ ++ -DRUNTIME_DIR=\"$(runtimedir)\" \ ++ -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP + CFLAGS := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \ + -MMD -MP $(CFLAGS) + BIN_CFLAGS = -fPIE -DPIE +diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h +index c2164c16..908e0ca3 100644 +--- a/libmultipath/defaults.h ++++ b/libmultipath/defaults.h +@@ -64,8 +64,7 @@ + #define DEFAULT_WWIDS_FILE "/etc/multipath/wwids" + #define DEFAULT_PRKEYS_FILE "/etc/multipath/prkeys" + #define DEFAULT_CONFIG_DIR "/etc/multipath/conf.d" +-#define MULTIPATH_SHM_BASE "/dev/shm/multipath/" +- ++#define MULTIPATH_SHM_BASE RUNTIME_DIR "/multipath/" + + static inline char *set_default(char *str) + { +diff --git a/multipath/Makefile b/multipath/Makefile +index e720c7f6..28976546 100644 +--- a/multipath/Makefile ++++ b/multipath/Makefile +@@ -12,7 +12,7 @@ EXEC = multipath + + OBJS = main.o + +-all: $(EXEC) ++all: $(EXEC) multipath.rules tmpfiles.conf + + $(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so + $(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS) +@@ -26,7 +26,9 @@ install: + $(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/ + $(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir) + $(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir) +- $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules ++ $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules ++ $(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir) ++ $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir) +@@ -43,9 +45,12 @@ uninstall: + $(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz + + clean: dep_clean +- $(RM) core *.o $(EXEC) *.gz ++ $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf + + include $(wildcard $(OBJS:.o=.d)) + + dep_clean: + $(RM) $(OBJS:.o=.d) ++ ++%: %.in ++ sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@ +diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in +similarity index 95% +rename from multipath/multipath.rules +rename to multipath/multipath.rules.in +index 0486bf70..5fb499e6 100644 +--- a/multipath/multipath.rules ++++ b/multipath/multipath.rules.in +@@ -1,8 +1,8 @@ + # Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath + SUBSYSTEM!="block", GOTO="end_mpath" + KERNEL!="sd*|dasd*|nvme*", GOTO="end_mpath" +-ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \ +- RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor" ++ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \ ++ RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor" + ACTION!="add|change", GOTO="end_mpath" + + IMPORT{cmdline}="nompath" +diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in +new file mode 100644 +index 00000000..21be438a +--- /dev/null ++++ b/multipath/tmpfiles.conf.in +@@ -0,0 +1 @@ ++d @RUNTIME_DIR@/multipath 0700 root root - +-- +2.32.0 + diff --git a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb index 5a8db0877..8f15c2c21 100644 --- a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb +++ b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb @@ -48,6 +48,7 @@ SRC_URI = "git://github.com/opensvc/multipath-tools.git;protocol=http;branch=mas file://0001-add-explicit-dependency-on-libraries.patch \ file://0001-fix-boolean-value-with-json-c-0.14.patch \ file://0001-libmultipath-uevent.c-fix-error-handling-for-udev_mo.patch \ + file://0001-multipath-tools-use-run-instead-of-dev-shm.patch \ " LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2" @@ -120,3 +121,6 @@ FILES:kpartx = "${base_sbindir}/kpartx \ RDEPENDS:${PN} += "kpartx" PARALLEL_MAKE = "" + +FILES:${PN}-libs += "usr/lib" +FILES:${PN}-libs += "usr/lib/tmpfiles.d" -- 2.32.0
diff --git a/meta-oe/recipes-support/multipath-tools/files/0001-multipath-tools-use-run-instead-of-dev-shm.patch b/meta-oe/recipes-support/multipath-tools/files/0001-multipath-tools-use-run-instead-of-dev-shm.patch new file mode 100644 index 000000000..dd6af413e --- /dev/null +++ b/meta-oe/recipes-support/multipath-tools/files/0001-multipath-tools-use-run-instead-of-dev-shm.patch @@ -0,0 +1,159 @@ +From 23e13a52a6213b11eda9a3b09df455f495f74e8d Mon Sep 17 00:00:00 2001 +From: Yogita Urade <yogita.urade@windriver.com> +Date: Tue, 13 Dec 2022 09:18:33 +0000 +Subject: [PATCH] multipath-tools: use /run instead of /dev/shm + +/dev/shm may have unsafe permissions. Use /run instead. +Use systemd's tmpfiles.d mechanism to create /run/multipath +early during boot. + +For backward compatibilty, make the runtime directory configurable +via the "runtimedir" make variable. + +Signed-off-by: Martin Wilck <mwilck@suse.com> +Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com> + +CVE: CVE-2022-41973 + +References: +https://nvd.nist.gov/vuln/detail/CVE-2022-41973 + +Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f] + +Signed-off-by: Yogita Urade <yogita.urade@windriver.com> +--- + .gitignore | 2 ++ + Makefile.inc | 7 ++++++- + libmultipath/defaults.h | 3 +-- + multipath/Makefile | 11 ++++++++--- + multipath/{multipath.rules => multipath.rules.in} | 4 ++-- + multipath/tmpfiles.conf.in | 1 + + 6 files changed, 20 insertions(+), 8 deletions(-) + rename multipath/{multipath.rules => multipath.rules.in} (95%) + create mode 100644 multipath/tmpfiles.conf.in + +diff --git a/.gitignore b/.gitignore +index 9926756b..f90b0350 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -8,6 +8,8 @@ + *.d + kpartx/kpartx + multipath/multipath ++multipath/multipath.rules ++multipath/tmpfiles.conf + multipathd/multipathd + mpathpersist/mpathpersist + .nfs* +diff --git a/Makefile.inc b/Makefile.inc +index 4eb08eed..648f91b4 100644 +--- a/Makefile.inc ++++ b/Makefile.inc +@@ -44,6 +44,7 @@ exec_prefix = $(prefix) + usr_prefix = $(prefix) + bindir = $(exec_prefix)/usr/sbin + libudevdir = $(prefix)/$(SYSTEMDPATH)/udev ++tmpfilesdir = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d + udevrulesdir = $(libudevdir)/rules.d + multipathdir = $(TOPDIR)/libmultipath + man8dir = $(prefix)/usr/share/man/man8 +@@ -60,6 +61,7 @@ libdmmpdir = $(TOPDIR)/libdmmp + nvmedir = $(TOPDIR)/libmultipath/nvme + includedir = $(prefix)/usr/include + pkgconfdir = $(usrlibdir)/pkgconfig ++runtimedir := /$(RUN) + + GZIP = gzip -9 -c + RM = rm -f +@@ -95,7 +97,10 @@ OPTFLAGS += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \ + -Wno-unused-parameter -Werror=cast-qual \ + -Werror=discarded-qualifiers + +-CPPFLAGS := -Wp,-D_FORTIFY_SOURCE=2 ++CPPFLAGS := $(FORTIFY_OPT) \ ++ -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \ ++ -DRUNTIME_DIR=\"$(runtimedir)\" \ ++ -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP + CFLAGS := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \ + -MMD -MP $(CFLAGS) + BIN_CFLAGS = -fPIE -DPIE +diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h +index c2164c16..908e0ca3 100644 +--- a/libmultipath/defaults.h ++++ b/libmultipath/defaults.h +@@ -64,8 +64,7 @@ + #define DEFAULT_WWIDS_FILE "/etc/multipath/wwids" + #define DEFAULT_PRKEYS_FILE "/etc/multipath/prkeys" + #define DEFAULT_CONFIG_DIR "/etc/multipath/conf.d" +-#define MULTIPATH_SHM_BASE "/dev/shm/multipath/" +- ++#define MULTIPATH_SHM_BASE RUNTIME_DIR "/multipath/" + + static inline char *set_default(char *str) + { +diff --git a/multipath/Makefile b/multipath/Makefile +index e720c7f6..28976546 100644 +--- a/multipath/Makefile ++++ b/multipath/Makefile +@@ -12,7 +12,7 @@ EXEC = multipath + + OBJS = main.o + +-all: $(EXEC) ++all: $(EXEC) multipath.rules tmpfiles.conf + + $(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so + $(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS) +@@ -26,7 +26,9 @@ install: + $(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/ + $(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir) + $(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir) +- $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules ++ $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules ++ $(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir) ++ $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir) + $(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir) +@@ -43,9 +45,12 @@ uninstall: + $(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz + + clean: dep_clean +- $(RM) core *.o $(EXEC) *.gz ++ $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf + + include $(wildcard $(OBJS:.o=.d)) + + dep_clean: + $(RM) $(OBJS:.o=.d) ++ ++%: %.in ++ sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@ +diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in +similarity index 95% +rename from multipath/multipath.rules +rename to multipath/multipath.rules.in +index 0486bf70..5fb499e6 100644 +--- a/multipath/multipath.rules ++++ b/multipath/multipath.rules.in +@@ -1,8 +1,8 @@ + # Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath + SUBSYSTEM!="block", GOTO="end_mpath" + KERNEL!="sd*|dasd*|nvme*", GOTO="end_mpath" +-ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \ +- RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor" ++ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \ ++ RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor" + ACTION!="add|change", GOTO="end_mpath" + + IMPORT{cmdline}="nompath" +diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in +new file mode 100644 +index 00000000..21be438a +--- /dev/null ++++ b/multipath/tmpfiles.conf.in +@@ -0,0 +1 @@ ++d @RUNTIME_DIR@/multipath 0700 root root - +-- +2.32.0 + diff --git a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb index 5a8db0877..8f15c2c21 100644 --- a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb +++ b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb @@ -48,6 +48,7 @@ SRC_URI = "git://github.com/opensvc/multipath-tools.git;protocol=http;branch=mas file://0001-add-explicit-dependency-on-libraries.patch \ file://0001-fix-boolean-value-with-json-c-0.14.patch \ file://0001-libmultipath-uevent.c-fix-error-handling-for-udev_mo.patch \ + file://0001-multipath-tools-use-run-instead-of-dev-shm.patch \ " LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2" @@ -120,3 +121,6 @@ FILES:kpartx = "${base_sbindir}/kpartx \ RDEPENDS:${PN} += "kpartx" PARALLEL_MAKE = "" + +FILES:${PN}-libs += "usr/lib" +FILES:${PN}-libs += "usr/lib/tmpfiles.d"
multipath-tools 0.7.7 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited in conjunction with CVE-2022-41974. Local users able to access /dev/shm can change symlinks in multipathd due to incorrect symlink handling, which could lead to controlled file writes outside of the /dev/shm directory. This could be used indirectly for local privilege escalation to root. References: https://nvd.nist.gov/vuln/detail/CVE-2022-41973 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> --- ...ath-tools-use-run-instead-of-dev-shm.patch | 159 ++++++++++++++++++ .../multipath-tools/multipath-tools_0.8.4.bb | 4 + 2 files changed, 163 insertions(+) create mode 100644 meta-oe/recipes-support/multipath-tools/files/0001-multipath-tools-use-run-instead-of-dev-shm.patch