[Pkg-ceph-commits] [ceph] 06/09: Upstream fix for CVE-2016-5009 (mon DoS)
Gaudenz Steinlin
gaudenz at moszumanska.debian.org
Thu Jan 5 10:05:29 UTC 2017
This is an automated email from the git hooks/post-receive script.
gaudenz pushed a commit to branch jessie
in repository ceph.
commit 514d48222d437e1738570c0efe5e553d83aaa1bd
Author: Gaudenz Steinlin <gaudenz at debian.org>
Date: Tue Dec 27 22:03:27 2016 +0100
Upstream fix for CVE-2016-5009 (mon DoS)
Closes: #829661
---
debian/patches/cve-2016-5009_mon_dos.patch | 99 ++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 100 insertions(+)
diff --git a/debian/patches/cve-2016-5009_mon_dos.patch b/debian/patches/cve-2016-5009_mon_dos.patch
new file mode 100644
index 0000000..0f3058a
--- /dev/null
+++ b/debian/patches/cve-2016-5009_mon_dos.patch
@@ -0,0 +1,99 @@
+commit b78a1be835706e7dabc505be343945d0ac05697d
+Author: Kefu Chai <kchai at redhat.com>
+Date: Thu Jun 30 13:24:22 2016 +0800
+
+ mon: Monitor: validate prefix on handle_command()
+
+ Fixes: http://tracker.ceph.com/issues/16297
+
+ Signed-off-by: You Ji <youji at ebay.com>
+ (cherry picked from commit 7cb3434fed03a5497abfd00bcec7276b70df0654)
+
+ Conflicts:
+ src/mon/Monitor.cc (the signature of Monitor::reply_command()
+ changed a little bit in master, so adapt the
+ commit to work with the old method)
+
+--- a/src/mon/Monitor.cc
++++ b/src/mon/Monitor.cc
+@@ -2214,7 +2214,19 @@
+ return;
+ }
+
+- cmd_getval(g_ceph_context, cmdmap, "prefix", prefix);
++ // check return value. If no prefix parameter provided,
++ // return value will be false, then return error info.
++ if(!cmd_getval(g_ceph_context, cmdmap, "prefix", prefix)) {
++ reply_command(m, -EINVAL, "command prefix not found", 0);
++ return;
++ }
++
++ // check prefix is empty
++ if (prefix.empty()) {
++ reply_command(m, -EINVAL, "command prefix must not be empty", 0);
++ return;
++ }
++
+ if (prefix == "get_command_descriptions") {
+ bufferlist rdata;
+ Formatter *f = new_formatter("json");
+@@ -2235,6 +2247,15 @@
+ boost::scoped_ptr<Formatter> f(new_formatter(format));
+
+ get_str_vec(prefix, fullcmd);
++
++ // make sure fullcmd is not empty.
++ // invalid prefix will cause empty vector fullcmd.
++ // such as, prefix=";,,;"
++ if (fullcmd.empty()) {
++ reply_command(m, -EINVAL, "command requires a prefix to be valid", 0);
++ return;
++ }
++
+ module = fullcmd[0];
+
+ // validate command is in leader map
+--- a/src/test/librados/cmd.cc
++++ b/src/test/librados/cmd.cc
+@@ -49,6 +49,41 @@
+ rados_buffer_free(buf);
+ rados_buffer_free(st);
+
++ cmd[0] = (char *)"";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "{}", 2, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"abc\":\"something\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\"\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\" \"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\";;;,,,;;,,\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
++ cmd[0] = (char *)"{\"prefix\":\"extra command\"}";
++ ASSERT_EQ(-EINVAL, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
++ rados_buffer_free(buf);
++ rados_buffer_free(st);
++
+ cmd[0] = (char *)"{\"prefix\":\"mon_status\"}";
+ ASSERT_EQ(0, rados_mon_command(cluster, (const char **)cmd, 1, "", 0, &buf, &buflen, &st, &stlen));
+ ASSERT_LT(0u, buflen);
diff --git a/debian/patches/series b/debian/patches/series
index 4395db6..ec086af 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,6 +17,7 @@ rbdmap2-hooks.patch
CVE-2015-5245.patch
## Security
+cve-2016-5009_mon_dos.patch
cve-2016-9579_short_cors_request.patch
## Debian
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ceph/ceph.git
More information about the Pkg-ceph-commits
mailing list