From 767dd826bc3b3609f5300d4f972cd98214047970 Mon Sep 17 00:00:00 2001
From: gqmiao
Date: Mon, 28 Nov 2022 03:01:24 +0000
Subject: [PATCH] fix CVE-2022-41974 bugfix for mpathpersist and multipathd
Signed-off-by: gqmiao
---
 ...-multipathd-parameter-invoking-seque.patch | 81 +++++++++++++++++++
 multipath-tools.spec | 6 +-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 0023-multipathd-Fixed-multipathd-parameter-invoking-seque.patch
diff --git a/0023-multipathd-Fixed-multipathd-parameter-invoking-seque.patch b/0023-multipathd-Fixed-multipathd-parameter-invoking-seque.patch
new file mode 100644
index 0000000..32f379c
--- /dev/null
+++ b/0023-multipathd-Fixed-multipathd-parameter-invoking-seque.patch
@@ -0,0 +1,81 @@
+From b7eebd396261199cd9722a2cba14698446740f0d Mon Sep 17 00:00:00 2001
+From: miaoguanqin
+Date: Thu, 17 Nov 2022 21:19:39 +0800
+Subject: [PATCH] multipathd: Fixed multipathd parameter invoking sequence
+ changed problem in CVE-2022-41974.
+
+Users may fail to execute command: multipathd and mpathpersist.
+
+When we execute the command mpathpersist:
+mpathpersist --out --register --param-sark=123 --prout-type=5 /dev/mapper/mpathb
+It return an error : Missing arguement. The preceding command calls the function
+cli_setprkey, which is called by checking whether the handle values are consistent
+with the command input. CVE-2022-41974 changed the handler value of function and
+changed the mode of calculating handle. The handler value is not equal to the
+command input, causing multipathd can not execute the true funcion. It could be
+an same error for executing multipoathd by the old mode.
+
+multipathd invokes the corresponding function based on the handle value.
+CVE-2022-41964 changed the method of calculating handler value. Modify the handle
+value so that the corresponding function can be correctly execute.
+
+Signed-off-by: miaoguanqin
+Signed-off-by: lixiaokeng
+---
+ multipathd/callbacks.c | 18 +++++++++---------
+ multipathd/cli.h | 9 ++++++++-
+ 2 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/multipathd/callbacks.c b/multipathd/callbacks.c
+index fb87b280..f32666be 100644
+--- a/multipathd/callbacks.c
++++ b/multipathd/callbacks.c
+@@ -57,16 +57,16 @@ void init_handler_callbacks(void)
+ set_handler_callback(VRB_RESTOREQ | Q1_MAPS, HANDLER(cli_restore_all_queueing));
+ set_unlocked_handler_callback(VRB_QUIT, HANDLER(cli_quit));
+ set_unlocked_handler_callback(VRB_SHUTDOWN, HANDLER(cli_shutdown));
+- set_handler_callback(VRB_GETPRSTATUS | Q1_MAP, HANDLER(cli_getprstatus));
+- set_handler_callback(VRB_SETPRSTATUS | Q1_MAP, HANDLER(cli_setprstatus));
+- set_handler_callback(VRB_UNSETPRSTATUS | Q1_MAP, HANDLER(cli_unsetprstatus));
++ set_handler_callback(KEY_MAP | Q1_GETPRSTATUS, HANDLER(cli_getprstatus));
++ set_handler_callback(KEY_MAP | Q1_SETSTATUS, HANDLER(cli_setprstatus));
++ set_handler_callback(KEY_MAP | Q1_UNSETSTATUS, HANDLER(cli_unsetprstatus));
+ set_handler_callback(VRB_FORCEQ | Q1_DAEMON, HANDLER(cli_force_no_daemon_q));
+ set_handler_callback(VRB_RESTOREQ | Q1_DAEMON, HANDLER(cli_restore_no_daemon_q));
+- set_handler_callback(VRB_GETPRKEY | Q1_MAP, HANDLER(cli_getprkey));
+- set_handler_callback(VRB_SETPRKEY | Q1_MAP | Q2_KEY, HANDLER(cli_setprkey));
+- set_handler_callback(VRB_UNSETPRKEY | Q1_MAP, HANDLER(cli_unsetprkey));
+- set_handler_callback(VRB_SETMARGINAL | Q1_PATH, HANDLER(cli_set_marginal));
+- set_handler_callback(VRB_UNSETMARGINAL | Q1_PATH, HANDLER(cli_unset_marginal));
+- set_handler_callback(VRB_UNSETMARGINAL | Q1_MAP,
++ set_handler_callback(KEY_MAP | Q1_GETPRKEY, HANDLER(cli_getprkey));
++ set_handler_callback(KEY_MAP | Q1_SETKEY | Q2_KEY, HANDLER(cli_setprkey));
++ set_handler_callback(KEY_MAP | Q1_UNSETKEY, HANDLER(cli_unsetprkey));
++ set_handler_callback(KEY_PATH | Q1_SETMARGINAL, HANDLER(cli_set_marginal));
++ set_handler_callback(KEY_PATH | Q1_UNSETMARGINAL, HANDLER(cli_unset_marginal));
++ set_handler_callback(KEY_MAP | Q1_UNSETMARGINAL,
+ HANDLER(cli_unset_all_marginal));
+ }
+diff --git a/multipathd/cli.h b/multipathd/cli.h
+index c6b79c9d..08ee5c8d 100644
+--- a/multipathd/cli.h
++++ b/multipathd/cli.h
+@@ -80,7 +80,14 @@ enum {
+ Q1_ALL = KEY_ALL << 8,
+ Q1_DAEMON = KEY_DAEMON << 8,
+ Q1_STATUS = KEY_STATUS << 8,
+-
++ Q1_SETKEY = VRB_SETPRKEY << 8,
++ Q1_UNSETKEY = VRB_UNSETPRKEY << 8,
++ Q1_SETSTATUS = VRB_SETPRSTATUS << 8,
++ Q1_UNSETSTATUS = VRB_UNSETPRSTATUS << 8,
++ Q1_GETPRSTATUS = VRB_GETPRSTATUS << 8,
++ Q1_GETPRKEY = VRB_GETPRKEY << 8,
++ Q1_SETMARGINAL = VRB_SETMARGINAL << 8,
++ Q1_UNSETMARGINAL = VRB_UNSETMARGINAL << 8,
+ /* byte 2: qualifier 2 */
+ Q2_FMT = KEY_FMT << 16,
+ Q2_RAW = KEY_RAW << 16,
+-- 
+2.33.0
+
diff --git a/multipath-tools.spec b/multipath-tools.spec
index b892121..649acbe 100644
--- a/multipath-tools.spec
+++ b/multipath-tools.spec
@@ -1,7 +1,7 @@
 #needsrootforbuild
 Name: multipath-tools
 Version: 0.8.7
-Release: 6
+Release: 7
 Summary: Tools to manage multipath devices with the device-mapper
 License: GPL-2.0-or-later and LGPL-2.0-only
 URL: http://christophe.varoqui.free.fr/
@@ -31,6 +31,7 @@ Patch19: 0019-multipathd-add-and-set-cli_handlers-in-a-single-step.patch
 Patch20: 0020-multipathd-make-all-cli_handlers-static.patch
 Patch21: 0021-multipathd-Fix-command-completion-in-interactive-mod.patch
 Patch22: 0022-multipathd-more-robust-command-parsing.patch
+Patch23: 0023-multipathd-Fixed-multipathd-parameter-invoking-seque.patch
 BuildRequires: multipath-tools, libcmocka, libcmocka-devel
 BuildRequires: gcc, libaio-devel, userspace-rcu-devel, device-mapper-devel >= 1.02.89
@@ -179,6 +180,9 @@ fi
 %changelog
 * Mon Oct 31 2022 wuguanghao - 0.8.7-6
+* Mon Nov 31 2022 miaoguanqin - 0.8.7-7
+- fix CVE-2022-41974 bugfix for mpathpersist and multipathd
+
 - fix CVE-2022-41974
 * Wed Oct 26 2022 shikemeng - 0.8.7-5
-- 
Gitee
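Review bot: In the `init_handler_callbacks` hunk of the added 0023 patch, the verb-first registrations are replaced rather than extended, so a fingerprint such as `KEY_MAP | Q1_SETKEY | Q2_KEY` appears to match only a command whose first keyword is `map`; a client that still sends the verb first, the order the removed `VRB_SETPRKEY | Q1_MAP | Q2_KEY` line matched, would presumably find no handler. Because these handlers change persistent-reservation key and status state and the positional fingerprint comes from the CVE-2022-41974 hardening, please confirm in the command-authorization code, which this diff does not show, that such a command is still refused for non-root clients when its first keyword is `map` rather than a `VRB_*` verb. If both orders have to keep working, keep the old line next to the new one for each command, e.g. `set_handler_callback(VRB_SETPRKEY | Q1_MAP | Q2_KEY, HANDLER(cli_setprkey));`, provided the handler table accepts two fingerprints for one handler. In the `cli.h` hunk the new names are inconsistent (`Q1_SETKEY`, `Q1_SETSTATUS` next to `Q1_GETPRKEY`, `Q1_GETPRSTATUS`) and they sit under the qualifier-1 group without explanation; a comment such as `/* verbs accepted as qualifier 1 when "map" comes first */` would help.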