Patch "libceph: bump CephXAuthenticate encoding version" has been added to the 5.12-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Fri, 07 May 2021 16:17:03 +0200

This is a note to let you know that I've just added the patch titled

    libceph: bump CephXAuthenticate encoding version

to the 5.12-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     libceph-bump-cephxauthenticate-encoding-version.patch
and it can be found in the queue-5.12 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 7807dafda21a549403d922da98dde0ddfeb70d08 Mon Sep 17 00:00:00 2001
From: Ilya Dryomov <idryomov@xxxxxxxxx>
Date: Wed, 14 Apr 2021 10:38:40 +0200
Subject: libceph: bump CephXAuthenticate encoding version

From: Ilya Dryomov <idryomov@xxxxxxxxx>

commit 7807dafda21a549403d922da98dde0ddfeb70d08 upstream.

A dummy v3 encoding (exactly the same as v2) was introduced so that
the monitors can distinguish broken clients that may not include their
auth ticket in CEPHX_GET_AUTH_SESSION_KEY request on reconnects, thus
failing to prove previous possession of their global_id (one part of
CVE-2021-20288).

The kernel client has always included its auth ticket, so it is
compatible with enforcing mode as is.  However we want to bump the
encoding version to avoid having to authenticate twice on the initial
connect -- all legacy (CephXAuthenticate < v3) are now forced do so in
order to expose insecure global_id reclaim.

Marking for stable since at least for 5.11 and 5.12 it is trivial
(v2 -> v3).

Cc: stable@xxxxxxxxxxxxxxx # 5.11+
URL: https://tracker.ceph.com/issues/50452
Signed-off-by: Ilya Dryomov <idryomov@xxxxxxxxx>
Reviewed-by: Sage Weil <sage@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/ceph/auth_x.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -526,7 +526,7 @@ static int ceph_x_build_request(struct c
 		if (ret < 0)
 			return ret;
 
-		auth->struct_v = 2;  /* nautilus+ */
+		auth->struct_v = 3;  /* nautilus+ */
 		auth->key = 0;
 		for (u = (u64 *)enc_buf; u + 1 <= (u64 *)(enc_buf + ret); u++)
 			auth->key ^= *(__le64 *)u;


Patches currently in stable-queue which might be from idryomov@xxxxxxxxx are

queue-5.12/libceph-allow-addrvecs-with-a-single-none-blank-address.patch
queue-5.12/libceph-don-t-set-global_id-until-we-get-an-auth-ticket.patch
queue-5.12/libceph-bump-cephxauthenticate-encoding-version.patch






