multipath-tools: CVE-2022-41973 Symlink attack multipathd operates insecurely

Upstream-Status: Backport from https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f dev/shm may have unsafe permissions. Use /run instead. Use systemd's tmpfiles.d mechanism to create /run/multipath early during boot. For backward compatibilty, make the runtime directory configurable via the "runtimedir" make variable. QA Issue: non -dev/-dbg/nativesdk- package multipath-tools-libs contains symlink .so '/usr/lib/libdmmp.so' ... Fix this by making the new pattern for multipath-tools-libs package more specific. Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-05-02 10:27:56 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-05-05 07:20:59 -0400
commit: e39b002df9675776cc99dccdcac07607ce783b15 (patch)
tree: f6c63c140e2653b9ae505a3236cbcf0d0de0bf38
parent: eca75eba7d34612abe2234ea5bfd91a8b157c846 (diff)
download: meta-openembedded-e39b002df9675776cc99dccdcac07607ce783b15.tar.gz
2 files changed, 158 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch
new file mode 100644
index 0000000000..d06ef44f68
--- /dev/null
+++ b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch
@@ -0,0 +1,154 @@
+From cb57b930fa690ab79b3904846634681685e3470f Mon Sep 17 00:00:00 2001
+From: Martin Wilck <mwilck@suse.com>
+Date: Thu, 1 Sep 2022 19:21:30 +0200
+Subject: [PATCH] multipath-tools: use /run instead of /dev/shm
+/dev/shm may have unsafe permissions. Use /run instead.
+Use systemd's tmpfiles.d mechanism to create /run/multipath
+early during boot.
+For backward compatibilty, make the runtime directory configurable
+via the "runtimedir" make variable.
+Signed-off-by: Martin Wilck <mwilck@suse.com>
+Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
+CVE: CVE-2022-41973
+Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ .gitignore                                        |  2 ++
+ Makefile.inc                                      |  7 ++++++-
+ libmultipath/defaults.h                           |  3 +--
+ multipath/Makefile                                | 11 ++++++++---
+ multipath/{multipath.rules => multipath.rules.in} |  4 ++--
+ multipath/tmpfiles.conf.in                        |  1 +
+ 6 files changed, 20 insertions(+), 8 deletions(-)
+ rename multipath/{multipath.rules => multipath.rules.in} (95%)
+ create mode 100644 multipath/tmpfiles.conf.in
+diff --git a/.gitignore b/.gitignore
+index 9926756b..f90b0350 100644
+--- a/.gitignore
+++ b/.gitignore
+@@ -8,6 +8,8 @@
+ *.d
+ kpartx/kpartx
+ multipath/multipath
+multipath/multipath.rules
+multipath/tmpfiles.conf
+ multipathd/multipathd
+ mpathpersist/mpathpersist
+ .nfs*
+diff --git a/Makefile.inc b/Makefile.inc
+index 4eb08eed..648f91b4 100644
+--- a/Makefile.inc
+++ b/Makefile.inc
+@@ -44,6 +44,7 @@ exec_prefix   = $(prefix)
+ usr_prefix     = $(prefix)
+ bindir         = $(exec_prefix)/usr/sbin
+ libudevdir     = $(prefix)/$(SYSTEMDPATH)/udev
+tmpfilesdir    = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d
+ udevrulesdir   = $(libudevdir)/rules.d
+ multipathdir   = $(TOPDIR)/libmultipath
+ man8dir                = $(prefix)/usr/share/man/man8
+@@ -60,6 +61,7 @@ libdmmpdir    = $(TOPDIR)/libdmmp
+ nvmedir                = $(TOPDIR)/libmultipath/nvme
+ includedir     = $(prefix)/usr/include
+ pkgconfdir     = $(usrlibdir)/pkgconfig
+runtimedir      := /$(RUN)
+ 
+ GZIP           = gzip -9 -c
+ RM             = rm -f
+@@ -95,7 +97,10 @@ OPTFLAGS       += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \
+                   -Wno-unused-parameter -Werror=cast-qual \
+                   -Werror=discarded-qualifiers
+ 
+-CPPFLAGS       := -Wp,-D_FORTIFY_SOURCE=2 
+CPPFLAGS       := $(FORTIFY_OPT) \
+                  -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \
+                  -DRUNTIME_DIR=\"$(runtimedir)\" \
+                  -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP 
+ CFLAGS         := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \
+                   -MMD -MP $(CFLAGS)
+ BIN_CFLAGS     = -fPIE -DPIE
+diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h
+index c2164c16..908e0ca3 100644
+--- a/libmultipath/defaults.h
+++ b/libmultipath/defaults.h
+@@ -64,8 +64,7 @@
+ #define DEFAULT_WWIDS_FILE     "/etc/multipath/wwids"
+ #define DEFAULT_PRKEYS_FILE    "/etc/multipath/prkeys"
+ #define DEFAULT_CONFIG_DIR     "/etc/multipath/conf.d"
+-#define MULTIPATH_SHM_BASE     "/dev/shm/multipath/"
+-
+#define MULTIPATH_SHM_BASE     RUNTIME_DIR "/multipath/"
+ 
+ static inline char *set_default(char *str)
+ {
+diff --git a/multipath/Makefile b/multipath/Makefile
+index e720c7f6..28976546 100644
+--- a/multipath/Makefile
+++ b/multipath/Makefile
+@@ -12,7 +12,7 @@ EXEC = multipath
+ 
+ OBJS = main.o
+ 
+-all: $(EXEC)
+all: $(EXEC) multipath.rules tmpfiles.conf
+ 
+ $(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so
+        $(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS)
+@@ -26,7 +26,9 @@ install:
+        $(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/
+        $(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir)
+        $(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir)
+-       $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules
+       $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules
+       $(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir)
+       $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf
+        $(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir)
+        $(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir)
+        $(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir)
+@@ -43,9 +45,12 @@ uninstall:
+        $(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz
+ 
+ clean: dep_clean
+-       $(RM) core *.o $(EXEC) *.gz
+       $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf
+ 
+ include $(wildcard $(OBJS:.o=.d))
+ 
+ dep_clean:
+        $(RM) $(OBJS:.o=.d)
+
+%:     %.in
+       sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@     
+diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in
+similarity index 95%
+rename from multipath/multipath.rules
+rename to multipath/multipath.rules.in
+index 0486bf70..5fb499e6 100644
+--- a/multipath/multipath.rules
+++ b/multipath/multipath.rules.in
+@@ -1,8 +1,8 @@
+ # Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath
+ SUBSYSTEM!="block", GOTO="end_mpath"
+ KERNEL!="sd*|dasd*|nvme*", GOTO="end_mpath"
+-ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \
+-       RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor"
+ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \
+       RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor"
+ ACTION!="add|change", GOTO="end_mpath"
+ 
+ IMPORT{cmdline}="nompath"
+diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in
+new file mode 100644
+index 00000000..21be438a
+--- /dev/null
+++ b/multipath/tmpfiles.conf.in
+@@ -0,0 +1 @@
+d @RUNTIME_DIR@/multipath 0700 root root -
+-- 
+2.25.1
diff --git a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
index 90cfd7d202..23273f5d5b 100644
--- a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
+++ b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
@@ -45,6 +45,7 @@ SRC_URI = "git://github.com/opensvc/multipath-tools.git;protocol=http;branch=mas
           file://0031-Always-use-devmapper-for-kpartx.patch \
           file://0001-fix-bug-of-do_compile-and-do_install.patch \
           file://0001-add-explicit-dependency-on-libraries.patch \
+           file://CVE-2022-41973.patch \
           "
 LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
@@ -117,3 +118,6 @@ FILES_kpartx = "${base_sbindir}/kpartx \
 RDEPENDS_${PN} += "kpartx"
 PARALLEL_MAKE = ""
+FILES:${PN}-libs += "usr/lib/*.so.*"
+FILES:${PN}-libs += "usr/lib/tmpfiles.d/*"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-05-02 10:27:56 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-05-05 07:20:59 -0400
commit	e39b002df9675776cc99dccdcac07607ce783b15 (patch)
tree	f6c63c140e2653b9ae505a3236cbcf0d0de0bf38
parent	eca75eba7d34612abe2234ea5bfd91a8b157c846 (diff)
download	meta-openembedded-e39b002df9675776cc99dccdcac07607ce783b15.tar.gz

diff --git a/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch new file mode 100644 index 0000000000..d06ef44f68 --- /dev/null +++ b/meta-oe/recipes-support/multipath-tools/files/CVE-2022-41973.patch
@@ -0,0 +1,154 @@
		1	From cb57b930fa690ab79b3904846634681685e3470f Mon Sep 17 00:00:00 2001
		2	From: Martin Wilck <mwilck@suse.com>
		3	Date: Thu, 1 Sep 2022 19:21:30 +0200
		4	Subject: [PATCH] multipath-tools: use /run instead of /dev/shm
		5
		6	/dev/shm may have unsafe permissions. Use /run instead.
		7	Use systemd's tmpfiles.d mechanism to create /run/multipath
		8	early during boot.
		9
		10	For backward compatibilty, make the runtime directory configurable
		11	via the "runtimedir" make variable.
		12
		13	Signed-off-by: Martin Wilck <mwilck@suse.com>
		14	Reviewed-by: Benjamin Marzinski <bmarzins@redhat.com>
		15
		16	CVE: CVE-2022-41973
		17	Upstream-Status: Backport [https://github.com/opensvc/multipath-tools/commit/cb57b930fa690ab79b3904846634681685e3470f]
		18	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		19	---
		20	.gitignore \| 2 ++
		21	Makefile.inc \| 7 ++++++-
		22	libmultipath/defaults.h \| 3 +--
		23	multipath/Makefile \| 11 ++++++++---
		24	multipath/{multipath.rules => multipath.rules.in} \| 4 ++--
		25	multipath/tmpfiles.conf.in \| 1 +
		26	6 files changed, 20 insertions(+), 8 deletions(-)
		27	rename multipath/{multipath.rules => multipath.rules.in} (95%)
		28	create mode 100644 multipath/tmpfiles.conf.in
		29
		30	diff --git a/.gitignore b/.gitignore
		31	index 9926756b..f90b0350 100644
		32	--- a/.gitignore
		33	+++ b/.gitignore
		34	@@ -8,6 +8,8 @@
		35	*.d
		36	kpartx/kpartx
		37	multipath/multipath
		38	+multipath/multipath.rules
		39	+multipath/tmpfiles.conf
		40	multipathd/multipathd
		41	mpathpersist/mpathpersist
		42	.nfs*
		43	diff --git a/Makefile.inc b/Makefile.inc
		44	index 4eb08eed..648f91b4 100644
		45	--- a/Makefile.inc
		46	+++ b/Makefile.inc
		47	@@ -44,6 +44,7 @@ exec_prefix = $(prefix)
		48	usr_prefix = $(prefix)
		49	bindir = $(exec_prefix)/usr/sbin
		50	libudevdir = $(prefix)/$(SYSTEMDPATH)/udev
		51	+tmpfilesdir = $(prefix)/$(SYSTEMDPATH)/tmpfiles.d
		52	udevrulesdir = $(libudevdir)/rules.d
		53	multipathdir = $(TOPDIR)/libmultipath
		54	man8dir = $(prefix)/usr/share/man/man8
		55	@@ -60,6 +61,7 @@ libdmmpdir = $(TOPDIR)/libdmmp
		56	nvmedir = $(TOPDIR)/libmultipath/nvme
		57	includedir = $(prefix)/usr/include
		58	pkgconfdir = $(usrlibdir)/pkgconfig
		59	+runtimedir := /$(RUN)
		60
		61	GZIP = gzip -9 -c
		62	RM = rm -f
		63	@@ -95,7 +97,10 @@ OPTFLAGS += -Wextra -Wstrict-prototypes -Wformat=2 -Werror=implicit-int \
		64	-Wno-unused-parameter -Werror=cast-qual \
		65	-Werror=discarded-qualifiers
		66
		67	-CPPFLAGS := -Wp,-D_FORTIFY_SOURCE=2
		68	+CPPFLAGS := $(FORTIFY_OPT) \
		69	+ -DBIN_DIR=\"$(bindir)\" -DMULTIPATH_DIR=\"$(plugindir)\" -DRUN_DIR=\"${RUN}\" \
		70	+ -DRUNTIME_DIR=\"$(runtimedir)\" \
		71	+ -DCONFIG_DIR=\"$(configdir)\" -DEXTRAVERSION=\"$(EXTRAVERSION)\" -MMD -MP
		72	CFLAGS := $(OPTFLAGS) -DBIN_DIR=\"$(bindir)\" -DLIB_STRING=\"${LIB}\" -DRUN_DIR=\"${RUN}\" \
		73	-MMD -MP $(CFLAGS)
		74	BIN_CFLAGS = -fPIE -DPIE
		75	diff --git a/libmultipath/defaults.h b/libmultipath/defaults.h
		76	index c2164c16..908e0ca3 100644
		77	--- a/libmultipath/defaults.h
		78	+++ b/libmultipath/defaults.h
		79	@@ -64,8 +64,7 @@
		80	#define DEFAULT_WWIDS_FILE "/etc/multipath/wwids"
		81	#define DEFAULT_PRKEYS_FILE "/etc/multipath/prkeys"
		82	#define DEFAULT_CONFIG_DIR "/etc/multipath/conf.d"
		83	-#define MULTIPATH_SHM_BASE "/dev/shm/multipath/"
		84	-
		85	+#define MULTIPATH_SHM_BASE RUNTIME_DIR "/multipath/"
		86
		87	static inline char set_default(char str)
		88	{
		89	diff --git a/multipath/Makefile b/multipath/Makefile
		90	index e720c7f6..28976546 100644
		91	--- a/multipath/Makefile
		92	+++ b/multipath/Makefile
		93	@@ -12,7 +12,7 @@ EXEC = multipath
		94
		95	OBJS = main.o
		96
		97	-all: $(EXEC)
		98	+all: $(EXEC) multipath.rules tmpfiles.conf
		99
		100	$(EXEC): $(OBJS) $(multipathdir)/libmultipath.so $(mpathcmddir)/libmpathcmd.so
		101	$(CC) $(CFLAGS) $(OBJS) -o $(EXEC) $(LDFLAGS) $(LIBDEPS)
		102	@@ -26,7 +26,9 @@ install:
		103	$(INSTALL_PROGRAM) -m 755 mpathconf $(DESTDIR)$(bindir)/
		104	$(INSTALL_PROGRAM) -d $(DESTDIR)$(udevrulesdir)
		105	$(INSTALL_PROGRAM) -m 644 11-dm-mpath.rules $(DESTDIR)$(udevrulesdir)
		106	- $(INSTALL_PROGRAM) -m 644 $(EXEC).rules $(DESTDIR)$(libudevdir)/rules.d/62-multipath.rules
		107	+ $(INSTALL_PROGRAM) -m 644 multipath.rules $(DESTDIR)$(udevrulesdir)/56-multipath.rules
		108	+ $(INSTALL_PROGRAM) -d $(DESTDIR)$(tmpfilesdir)
		109	+ $(INSTALL_PROGRAM) -m 644 tmpfiles.conf $(DESTDIR)$(tmpfilesdir)/multipath.conf
		110	$(INSTALL_PROGRAM) -d $(DESTDIR)$(man8dir)
		111	$(INSTALL_PROGRAM) -m 644 $(EXEC).8.gz $(DESTDIR)$(man8dir)
		112	$(INSTALL_PROGRAM) -d $(DESTDIR)$(man5dir)
		113	@@ -43,9 +45,12 @@ uninstall:
		114	$(RM) $(DESTDIR)$(man8dir)/mpathconf.8.gz
		115
		116	clean: dep_clean
		117	- $(RM) core .o $(EXEC) .gz
		118	+ $(RM) core *.o $(EXEC) multipath.rules tmpfiles.conf
		119
		120	include $(wildcard $(OBJS:.o=.d))
		121
		122	dep_clean:
		123	$(RM) $(OBJS:.o=.d)
		124	+
		125	+%: %.in
		126	+ sed 's,@RUNTIME_DIR@,$(runtimedir),' $< >$@
		127	diff --git a/multipath/multipath.rules b/multipath/multipath.rules.in
		128	similarity index 95%
		129	rename from multipath/multipath.rules
		130	rename to multipath/multipath.rules.in
		131	index 0486bf70..5fb499e6 100644
		132	--- a/multipath/multipath.rules
		133	+++ b/multipath/multipath.rules.in
		134	@@ -1,8 +1,8 @@
		135	# Set DM_MULTIPATH_DEVICE_PATH if the device should be handled by multipath
		136	SUBSYSTEM!="block", GOTO="end_mpath"
		137	KERNEL!="sd\|dasd\|nvme*", GOTO="end_mpath"
		138	-ACTION=="remove", TEST=="/dev/shm/multipath/find_multipaths/$major:$minor", \
		139	- RUN+="/usr/bin/rm -f /dev/shm/multipath/find_multipaths/$major:$minor"
		140	+ACTION=="remove", TEST=="@RUNTIME_DIR@/multipath/find_multipaths/$major:$minor", \
		141	+ RUN+="/usr/bin/rm -f @RUNTIME_DIR@/multipath/find_multipaths/$major:$minor"
		142	ACTION!="add\|change", GOTO="end_mpath"
		143
		144	IMPORT{cmdline}="nompath"
		145	diff --git a/multipath/tmpfiles.conf.in b/multipath/tmpfiles.conf.in
		146	new file mode 100644
		147	index 00000000..21be438a
		148	--- /dev/null
		149	+++ b/multipath/tmpfiles.conf.in
		150	@@ -0,0 +1 @@
		151	+d @RUNTIME_DIR@/multipath 0700 root root -
		152	--
		153	2.25.1
		154


diff --git a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb index 90cfd7d202..23273f5d5b 100644 --- a/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb +++ b/meta-oe/recipes-support/multipath-tools/multipath-tools_0.8.4.bb
@@ -45,6 +45,7 @@ SRC_URI = "git://github.com/opensvc/multipath-tools.git;protocol=http;branch=mas
45	file://0031-Always-use-devmapper-for-kpartx.patch \	45	file://0031-Always-use-devmapper-for-kpartx.patch \
46	file://0001-fix-bug-of-do_compile-and-do_install.patch \	46	file://0001-fix-bug-of-do_compile-and-do_install.patch \
47	file://0001-add-explicit-dependency-on-libraries.patch \	47	file://0001-add-explicit-dependency-on-libraries.patch \
		48	file://CVE-2022-41973.patch \
48	"	49	"
49		50
50	LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"	51	LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
@@ -117,3 +118,6 @@ FILES_kpartx = "${base_sbindir}/kpartx \
117		118
118	RDEPENDS_${PN} += "kpartx"	119	RDEPENDS_${PN} += "kpartx"
119	PARALLEL_MAKE = ""	120	PARALLEL_MAKE = ""
		121
		122	FILES:${PN}-libs += "usr/lib/.so."
		123	FILES:${PN}-libs += "usr/lib/tmpfiles.d/*"