microsoft · kevin-b-lockwood · Jan 31, 2025 · Feb 4, 2025
@@ -0,0 +1,105 @@
+Edited filepath to reflect the file tree within ceph
+
+Link: https://620468.bugs.gentoo.org/attachment.cgi?id=475060&action=diff&format=raw&headers=1
+--- a/src/boost/boost/pool/pool.hpp	
++++ a/src/boost/boost/pool/pool.hpp	
+@@ -26,6 +26,8 @@ 
+
+ #include <boost/pool/poolfwd.hpp>
+
++// std::numeric_limits
++#include <boost/limits.hpp>
+ // boost::integer::static_lcm
+ #include <boost/integer/common_factor_ct.hpp>
+ // boost::simple_segregated_storage
+@@ -355,6 +357,15 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
+       return s;
+     }
+
++    size_type max_chunks() const
++    { //! Calculated maximum number of memory chunks that can be allocated in a single call by this Pool.
++      size_type partition_size = alloc_size();
++      size_type POD_size = integer::static_lcm<sizeof(size_type), sizeof(void *)>::value + sizeof(size_type);
++      size_type max_chunks = (std::numeric_limits<size_type>::max() - POD_size) / alloc_size();
++
++      return max_chunks;
++    }
++
+     static void * & nextof(void * const ptr)
+     { //! \returns Pointer dereferenced.
+       //! (Provided and used for the sake of code readability :)
+@@ -375,6 +386,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
+       //!   the first time that object needs to allocate system memory.
+       //!   The default is 32. This parameter may not be 0.
+       //! \param nmax_size is the maximum number of chunks to allocate in one block.
++      set_next_size(nnext_size);
++      set_max_size(nmax_size);
+     }
+
+     ~pool()
+@@ -398,8 +411,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
+     }
+     void set_next_size(const size_type nnext_size)
+     { //! Set number of chunks to request from the system the next time that object needs to allocate system memory. This value should never be set to 0.
+-      //! \returns nnext_size.
+-      next_size = start_size = nnext_size;
++      BOOST_USING_STD_MIN();
++      next_size = start_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nnext_size, max_chunks());
+     }
+     size_type get_max_size() const
+     { //! \returns max_size.
+@@ -407,7 +420,8 @@ class pool: protected simple_segregated_storage < typename UserAllocator::size_t
+     }
+     void set_max_size(const size_type nmax_size)
+     { //! Set max_size.
+-      max_size = nmax_size;
++      BOOST_USING_STD_MIN();
++      max_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(nmax_size, max_chunks());
+     }
+     size_type get_requested_size() const
+     { //!   \returns the requested size passed into the constructor.
+@@ -708,9 +722,9 @@ void * pool<UserAllocator>::malloc_need_resize()
+
+   BOOST_USING_STD_MIN();
+   if(!max_size)
+-    next_size <<= 1;
++    set_next_size(next_size << 1);
+   else if( next_size*partition_size/requested_size < max_size)
+-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+
+   //  initialize it,
+   store().add_block(node.begin(), node.element_size(), partition_size);
+@@ -748,9 +762,9 @@ void * pool<UserAllocator>::ordered_malloc_need_resize()
+
+   BOOST_USING_STD_MIN();
+   if(!max_size)
+-    next_size <<= 1;
++    set_next_size(next_size << 1);
+   else if( next_size*partition_size/requested_size < max_size)
+-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+
+   //  initialize it,
+   //  (we can use "add_block" here because we know that
+@@ -792,6 +806,8 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n)
+ { //! Gets address of a chunk n, allocating new memory if not already available.
+   //! \returns Address of chunk n if allocated ok.
+   //! \returns 0 if not enough memory for n chunks.
++  if (n > max_chunks())
++    return 0;
+
+   const size_type partition_size = alloc_size();
+   const size_type total_req_size = n * requested_size;
+@@ -840,9 +856,9 @@ void * pool<UserAllocator>::ordered_malloc(const size_type n)
+
+   BOOST_USING_STD_MIN();
+   if(!max_size)
+-    next_size <<= 1;
++    set_next_size(next_size << 1);
+   else if( next_size*partition_size/requested_size < max_size)
+-    next_size = min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size*requested_size/ partition_size);
++    set_next_size(min BOOST_PREVENT_MACRO_SUBSTITUTION(next_size << 1, max_size * requested_size / partition_size));
+
+   //  insert it into the list,
+   //   handle border case.
@@ -0,0 +1,26 @@
+From 8558fe7d316167be9c0e1b25aabd4f96a5079250 Mon Sep 17 00:00:00 2001
+From: Kevin Lockwood <[email protected]>
+Date: Mon, 3 Feb 2025 16:23:59 -0800
+Subject: [PATCH] [Medium] Patch ceph for CVE-2020-10723
+
+Link: https://git.dpdk.org/dpdk/patch/?id=c78d94189dced04def987a17f16097fcb197a186
+---
+ src/seastar/dpdk/lib/librte_vhost/vhost_user.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/seastar/dpdk/lib/librte_vhost/vhost_user.c b/src/seastar/dpdk/lib/librte_vhost/vhost_user.c
+index c9e29ece8..1f84fc212 100644
+--- a/src/seastar/dpdk/lib/librte_vhost/vhost_user.c
++++ b/src/seastar/dpdk/lib/librte_vhost/vhost_user.c
+@@ -1841,7 +1841,7 @@ static int
+ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
+ 			struct VhostUserMsg *msg)
+ {
+-	uint16_t vring_idx;
++	uint32_t vring_idx;
+
+ 	switch (msg->request.master) {
+ 	case VHOST_USER_SET_VRING_KICK:
+-- 
+2.34.1
+
@@ -1,11 +1,11 @@
 #disable debuginfo because ceph-debuginfo rpm is too large
 %define debug_package %{nil}
-%define _unpackaged_files_terminate_build 0 
+%define _unpackaged_files_terminate_build 0
 
 Summary:        User space components of the Ceph file system
 Name:           ceph
 Version:        18.2.2
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        LGPLv2 and LGPLv3 and CC-BY-SA and GPLv2 and Boost and BSD and MIT and Public Domain and GPLv3 and ASL-2.0
 URL:            https://ceph.io/
 Vendor:         Microsoft Corporation
@@ -18,6 +18,8 @@ Patch3:         CVE-2014-5461.patch
 Patch4:         CVE-2020-22217.patch
 Patch5:         CVE-2015-9251.patch
 Patch6:         CVE-2012-6708.patch
+Patch7:         CVE-2012-2677.patch
+Patch8:         CVE-2020-10723.patch
 #
 # Copyright (C) 2004-2019 The Ceph Project Developers. See COPYING file
 # at the top-level directory of this distribution and at
@@ -2005,16 +2007,18 @@ exit 0
 %attr(0755,root,root) %dir %{_sysconfdir}/prometheus/ceph
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 
-
-
 %changelog
+* Mon Feb 03 2025 Kevin Lockwood <[email protected]> - 18.2.2-5
+- Fix for CVE-2012-2677
+- Fix for CVE-2020-10723
+
 * Tue Jan 28 2025 Kevin Lockwood <[email protected]> - 18.2.2-4
 - Fix for CVE-2014-5461
 - Fix for CVE-2020-22217
 - Fix for CVE-2015-9251
 - Fix for CVE-2012-6708
 
-* Tue Jan 01 2025 Sandeep Karambelkar <[email protected]> - 18.2.2-3
+* Wed Jan 01 2025 Sandeep Karambelkar <[email protected]> - 18.2.2-3
 - Based on the package build logs, opentelemetry-cpp submodule is not being built
 - Removing opentelemetry-cpp to address below CVEs as this submodule is not relevant
 - CVE-2022-24735