diff --git a/0032-Fix-memory-leak-after-mdadm-detail.patch b/0032-Fix-memory-leak-after-mdadm-detail.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7f30c5ef5a3b5e23b0f3e4dceaecdc281413f94b
--- /dev/null
+++ b/0032-Fix-memory-leak-after-mdadm-detail.patch
@@ -0,0 +1,76 @@
+From 7d374a1869d3a84971d027a7f4233878c8f25a62 Mon Sep 17 00:00:00 2001
+From: Mateusz Grzonka
+Date: Tue, 27 Jul 2021 10:25:18 +0200
+Subject: [PATCH] Fix memory leak after "mdadm --detail"
+
+Signed-off-by: Mateusz Grzonka
+Signed-off-by: Jes Sorensen
+---
+ Detail.c | 20 +++++++++-----------
+ 1 file changed, 9 insertions(+), 11 deletions(-)
+
+diff --git a/Detail.c b/Detail.c
+index ad56344f..d3af0ab5 100644
+--- a/Detail.c
++++ b/Detail.c
+@@ -66,11 +66,11 @@ int Detail(char *dev, struct context *c)
+ int spares = 0;
+ struct stat stb;
+ int failed = 0;
+- struct supertype *st;
++ struct supertype *st = NULL;
+ char *subarray = NULL;
+ int max_disks = MD_SB_DISKS; /* just a default */
+ struct mdinfo *info = NULL;
+- struct mdinfo *sra;
++ struct mdinfo *sra = NULL;
+ struct mdinfo *subdev;
+ char *member = NULL;
+ char *container = NULL;
+@@ -93,8 +93,7 @@ int Detail(char *dev, struct context *c)
+ if (!sra) {
+ if (md_get_array_info(fd, &array)) {
+ pr_err("%s does not appear to be an md device\n", dev);
+- close(fd);
+- return rv;
++ goto out;
+ }
+ }
+ external = (sra != NULL && sra->array.major_version == -1 &&
+@@ -108,16 +107,13 @@ int Detail(char *dev, struct context *c)
+ sra->devs == NULL) {
+ pr_err("Array associated with md device %s does not exist.\n",
+ dev);
+- close(fd);
+- sysfs_free(sra);
+- return rv;
++ goto out;
+ }
+ array = sra->array;
+ } else {
+ pr_err("cannot get array detail for %s: %s\n",
+ dev, strerror(errno));
+- close(fd);
+- return rv;
++ goto out;
+ }
+ }
+
+@@ -827,10 +823,12 @@ out:
+ close(fd);
+ free(subarray);
+ free(avail);
+- for (d = 0; d < n_devices; d++)
+- free(devices[d]);
++ if (devices)
++ for (d = 0; d < n_devices; d++)
++ free(devices[d]);
+ free(devices);
+ sysfs_free(sra);
++ free(st);
+ return rv;
+ }
+
+--
+2.27.0
+
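Review bot: Every pointer released at `out:` has to be initialised before the first of the new `goto out` exits in Detail(), and the hunks only show that for `st`, `sra` and `subarray`; the declarations of `avail`, `devices` and `n_devices` are outside the visible context and should be confirmed as `NULL`/`0` at declaration. The added `free(st)` releases only the struct itself; if `st` can still own a loaded superblock when control reaches `out:`, the metadata handler's `free_super` should run first, which these hunks do not show either way. I would also brace the nested cleanup so the guard cannot be misread on a later edit: `if (devices) { for (d = 0; d < n_devices; d++) free(devices[d]); }`. Detail() starts and ends outside the hunks shown.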
diff --git a/0033-mdadm-block-creation-with-long-names.patch b/0033-mdadm-block-creation-with-long-names.patch
new file mode 100644
index 0000000000000000000000000000000000000000..187d9d7229a4c835c18077636dc395d5682f86a2
--- /dev/null
+++ b/0033-mdadm-block-creation-with-long-names.patch
@@ -0,0 +1,72 @@
+From ced5fa8b170ad448f4076e24a10c731b5cfb36ce Mon Sep 17 00:00:00 2001
+From: Blazej Kucman
+Date: Fri, 3 Dec 2021 15:31:15 +0100
+Subject: [PATCH] mdadm: block creation with long names
+
+This fixes buffer overflows in create_mddev(). It prohibits
+creation with not supported names for DDF and native. For IMSM,
+mdadm will do silent cut to 16 later.
+
+Signed-off-by: Mariusz Tkaczyk
+Signed-off-by: Blazej Kucman
+Signed-off-by: Jes Sorensen
+---
+ mdadm.8.in | 5 +++++
+ mdadm.c | 9 ++++++++-
+ mdadm.h | 5 +++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/mdadm.8.in b/mdadm.8.in
+index 28d773c2..68e100cb 100644
+--- a/mdadm.8.in
++++ b/mdadm.8.in
+@@ -2186,6 +2186,11 @@ is run, but will be created by
+ .I udev
+ once the array becomes active.
+
++The max length md-device name is limited to 32 characters.
++Different metadata types have more strict limitation
++(like IMSM where only 16 characters are allowed).
++For that reason, long name could be truncated or rejected, it depends on metadata policy.
++
+ As devices are added, they are checked to see if they contain RAID
+ superblocks or filesystems. They are also checked to see if the variance in
+ device size exceeds 1%.
+diff --git a/mdadm.c b/mdadm.c
+index 91e67467..26299b2e 100644
+--- a/mdadm.c
++++ b/mdadm.c
+@@ -1359,9 +1359,16 @@ int main(int argc, char *argv[])
+ mdfd = open_mddev(devlist->devname, 1);
+ if (mdfd < 0)
+ exit(1);
+- } else
++ } else {
++ char *bname = basename(devlist->devname);
++
++ if (strlen(bname) > MD_NAME_MAX) {
++ pr_err("Name %s is too long.\n", devlist->devname);
++ exit(1);
++ }
+ /* non-existent device is OK */
+ mdfd = open_mddev(devlist->devname, 0);
++ }
+ if (mdfd == -2) {
+ pr_err("device %s exists but is not an md array.\n", devlist->devname);
+ exit(1);
+diff --git a/mdadm.h b/mdadm.h
+index 54567396..c7268a71 100644
+--- a/mdadm.h
++++ b/mdadm.h
+@@ -1880,3 +1880,8 @@ enum r0layout {
+ #define INVALID_SECTORS 1
+ /* And another special number needed for --data_offset=variable */
+ #define VARIABLE_OFFSET 3
++
++/**
++ * This is true for native and DDF, IMSM allows 16.
++ */
++#define MD_NAME_MAX 32
+--
+2.27.0
+
diff --git a/mdadm.spec b/mdadm.spec
index b00b7c24f0f408d17afac48ab526faae011d5eff..86836fdd93de0f6aa9c85df24f71e4ffc133934a 100644
--- a/mdadm.spec
+++ b/mdadm.spec
@@ -1,6 +1,6 @@
 Name: mdadm
 Version: 4.1
-Release: 9
+Release: 10
 Summary: The software RAID arrays user manage tools
 License: GPLv2+
 URL: http://www.kernel.org/pub/linux/utils/raid/mdadm/
@@ -41,6 +41,8 @@ Patch28: 0028-mdadm-fix-coredump-of-mdadm-monitor-r.patch
 Patch29: 0029-mdadm-Fix-mdadm-r-remove-option-regresision.patch
 Patch30: 0030-monitor-Avoid-segfault-when-calling-NULL-get_bad_blo.patch
 Patch31: 0031-fix-NULL-dereference-in-super_by_fd.patch
+Patch32: 0032-Fix-memory-leak-after-mdadm-detail.patch
+Patch33: 0033-mdadm-block-creation-with-long-names.patch
 BuildRequires: systemd gcc binutils
 Requires(post): systemd coreutils
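Review bot: In the mdadm.c hunk of patch 0033 the length limit is enforced only in this `else` branch of main(), while the commit message places the overflow in create_mddev(); unless that function also bounds its own copies, any other caller that hands it a longer name stays exposed, so the check (or a bounded `snprintf`) belongs next to the buffers as well. `strlen(bname) > MD_NAME_MAX` accepts exactly 32 characters, so the destination buffers need room for 33 bytes including the terminator, which is not visible here and is worth confirming. `basename()` is called on `devlist->devname` directly, and the POSIX variant from `<libgen.h>` may modify its argument, so confirm which declaration mdadm.c picks up. The doc comment on `MD_NAME_MAX` should say what is counted, for example `/* Maximum md device name length in characters, excluding the terminating NUL (native and DDF; IMSM allows 16). */`. main() continues outside the hunk.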
@@ -106,6 +108,9 @@ install -d -m 710 %{buildroot}/var/run/mdadm/
 %{_mandir}/man*/*
 %changelog
+* Thu Sep 7 2023 miaoguanqin - 4.1-10
+- fix CVE-2023-28736 and CVE-2023-28938 for mdadm
+
 * Thu Apr 20 2023 tangyuchen - 4.1-9
 - fix crond cannot find command mdadm