From: Xiangyu Chen <[email protected]> CVE-2022-4337: openvswitch: Out-of-Bounds Read in Organization Specific TLV CVE-2022-4338: openvswitch: Integer Underflow in Organization Specific TLV
Reference: https://github.com/openvswitch/ovs/pull/405 https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Signed-off-by: Xiangyu Chen <[email protected]> --- ...gs-when-parsing-malformed-AutoAttach.patch | 86 +++++++++++++++++++ .../openvswitch/openvswitch_git.bb | 1 + 2 files changed, 87 insertions(+) create mode 100644 recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch diff --git a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch new file mode 100644 index 0000000..ec40106 --- /dev/null +++ b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch @@ -0,0 +1,86 @@ +From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001 +From: Qian Chen <[email protected]> +Date: Tue, 20 Dec 2022 09:36:08 -0500 +Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach. + +The OVS LLDP implementation includes support for AutoAttach standard, which +the 'upstream' lldpd project does not include. As part of adding this +support, the message parsing for these TLVs did not include proper length +checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the +LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements. The result is that a message +without a proper boundary will cause an overread of memory, and lead to +undefined results, including crashes or other unidentified behavior. + +The fix is to introduce proper bounds checking for these elements. Introduce +a unit test to ensure that we have some proper rejection in this code +base in the future. + +Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") + +Upstream-Status: Backport from upstream [https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4] +CVE: CVE-2022-4337 - openvswitch: Out-of-Bounds Read in Organization Specific TLV +CVE: CVE-2022-4338 - openvswitch: Integer Underflow in Organization Specific TLV + +Signed-off-by: Qian Chen <[email protected]> +Co-authored-by: Aaron Conole <[email protected]> +Signed-off-by: Aaron Conole <[email protected]> +Signed-off-by: Ilya Maximets <[email protected]> +Signed-off-by: Xiangyu Chen <[email protected]> +--- + lib/lldp/lldp.c | 2 ++ + tests/ofproto-dpif.at | 19 +++++++++++++++++++ + 2 files changed, 21 insertions(+) + +diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c +index dfeb2a800..6fdcfef56 100644 +--- a/lib/lldp/lldp.c ++++ b/lib/lldp/lldp.c +@@ -583,6 +583,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, + + switch(tlv_subtype) { + case LLDP_TLV_AA_ELEMENT_SUBTYPE: ++ CHECK_TLV_SIZE(50, "ELEMENT"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + aa_element_dword = PEEK_UINT32; +@@ -629,6 +630,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, + break; + + case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE: ++ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS"); + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); + + /* Subtract off tlv type and length (2Bytes) + OUI (3B) + +diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at +index eb4cd1896..fa6111c1e 100644 +--- a/tests/ofproto-dpif.at ++++ b/tests/ofproto-dpif.at +@@ -62,6 +62,25 @@ AT_CHECK([ovs-appctl coverage/read-counter rev_reconfigure], [0], [dnl + OVS_VSWITCHD_STOP + AT_CLEANUP + ++AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv]) ++OVS_VSWITCHD_START() ++add_of_ports br0 1 ++ ++dnl Enable lldp ++AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true]) ++ ++dnl Send a malformed lldp packet ++packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl ++"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl ++"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl ++"4445414442454546fe0500040d0c010000" ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout]) ++ ++OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log]) ++ ++OVS_VSWITCHD_STOP(["/|WARN|ISID_VLAN_ASGNS TLV too short received on/d"]) ++AT_CLEANUP ++ + AT_SETUP([ofproto-dpif - active-backup bonding (with primary)]) + + dnl Create br0 with members p1, p2 and p7, creating bond0 with p1 and +-- +2.34.1 + diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb index f5d85f3..4f4efe7 100644 --- a/recipes-networking/openvswitch/openvswitch_git.bb +++ b/recipes-networking/openvswitch/openvswitch_git.bb @@ -27,6 +27,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2. file://kernel_module.patch \ file://systemd-update-tool-paths.patch \ file://systemd-create-runtime-dirs.patch \ + file://0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch \ " LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab" -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#7781): https://lists.yoctoproject.org/g/meta-virtualization/message/7781 Mute This Topic: https://lists.yoctoproject.org/mt/95915106/21656 Group Owner: [email protected] Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
