On Thu, Jan 5, 2023 at 11:09 PM Xiangyu Chen <[email protected]> wrote:
>
>
> On 12/28/22 11:56, Xiangyu Chen wrote:
> > From: Xiangyu Chen <[email protected]>
> >
> > CVE-2022-4337: openvswitch: Out-of-Bounds Read in Organization Specific TLV
> > CVE-2022-4338: openvswitch: Integer Underflow in Organization Specific TLV
> >
> > Reference:
> > https://github.com/openvswitch/ovs/pull/405
> > https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4
> >
> > Signed-off-by: Xiangyu Chen <[email protected]>
>
> Friendly ping, thanks ;)
I've been on holidays, and won't be doing any merges until the start of next week. I only did a few very critical merges to keep the layer compatible with OE core master. So this has been noted and is in the queue.

Bruce

> > Br, > > Xiangyu > > > > --- > > ...gs-when-parsing-malformed-AutoAttach.patch | 86 +++++++++++++++++++ > > .../openvswitch/openvswitch_git.bb | 1 + > > 2 files changed, 87 insertions(+) > > create mode 100644 > > recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch > > > > diff --git > > a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch > > > > b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch > > new file mode 100644 > > index 0000000..ec40106 > > --- /dev/null > > +++ > > b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch 
> > @@ -0,0 +1,86 @@ > > +From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001 > > +From: Qian Chen <[email protected]> > > +Date: Tue, 20 Dec 2022 09:36:08 -0500 > > +Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach. > > + > > +The OVS LLDP implementation includes support for AutoAttach standard, which > > +the 'upstream' lldpd project does not include. As part of adding this > > +support, the message parsing for these TLVs did not include proper length > > +checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the > > +LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements. The result is that a message > > +without a proper boundary will cause an overread of memory, and lead to > > +undefined results, including crashes or other unidentified behavior. > > + > > +The fix is to introduce proper bounds checking for these elements. > > Introduce > > +a unit test to ensure that we have some proper rejection in this code > > +base in the future. > > + > > +Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach > > standard") > > + > > +Upstream-Status: Backport from upstream > > [https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4] > > +CVE: CVE-2022-4337 - openvswitch: Out-of-Bounds Read in Organization > > Specific TLV > > +CVE: CVE-2022-4338 - openvswitch: Integer Underflow in Organization > > Specific TLV > > + > > +Signed-off-by: Qian Chen <[email protected]> > > +Co-authored-by: Aaron Conole <[email protected]> > > +Signed-off-by: Aaron Conole <[email protected]> > > +Signed-off-by: Ilya Maximets <[email protected]> > > +Signed-off-by: Xiangyu Chen <[email protected]> > > +--- > > + lib/lldp/lldp.c | 2 ++ > > + tests/ofproto-dpif.at | 19 +++++++++++++++++++ > > + 2 files changed, 21 insertions(+) > > + > > +diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c > > +index dfeb2a800..6fdcfef56 100644 > > +--- a/lib/lldp/lldp.c > > ++++ b/lib/lldp/lldp.c > > +@@ -583,6 +583,7 @@ lldp_decode(struct lldpd *cfg 
OVS_UNUSED, char *frame, > > int s, > > + > > + switch(tlv_subtype) { > > + case LLDP_TLV_AA_ELEMENT_SUBTYPE: > > ++ CHECK_TLV_SIZE(50, "ELEMENT"); > > + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); > > + > > + aa_element_dword = PEEK_UINT32; > > +@@ -629,6 +630,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, > > int s, > > + break; > > + > > + case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE: > > ++ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS"); > > + PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest); > > + > > + /* Subtract off tlv type and length (2Bytes) + OUI > > (3B) + > > +diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at > > +index eb4cd1896..fa6111c1e 100644 > > +--- a/tests/ofproto-dpif.at > > ++++ b/tests/ofproto-dpif.at > > +@@ -62,6 +62,25 @@ AT_CHECK([ovs-appctl coverage/read-counter > > rev_reconfigure], [0], [dnl > > + OVS_VSWITCHD_STOP > > + AT_CLEANUP > > + > > ++AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv]) > > ++OVS_VSWITCHD_START() > > ++add_of_ports br0 1 > > ++ > > ++dnl Enable lldp > > ++AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true]) > > ++ > > ++dnl Send a malformed lldp packet > > ++packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl > > ++"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl > > ++"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl > > ++"4445414442454546fe0500040d0c010000" > > ++AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout]) > > ++ > > ++OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log]) > > ++ > > ++OVS_VSWITCHD_STOP(["/|WARN|ISID_VLAN_ASGNS TLV too short received on/d"]) > > ++AT_CLEANUP > > ++ > > + AT_SETUP([ofproto-dpif - active-backup bonding (with primary)]) > > + > > + dnl Create br0 with members p1, p2 and p7, creating bond0 with p1 and > > +-- > > +2.34.1 > > + 
> > diff --git a/recipes-networking/openvswitch/openvswitch_git.bb > > b/recipes-networking/openvswitch/openvswitch_git.bb > > index f5d85f3..4f4efe7 100644 > > --- a/recipes-networking/openvswitch/openvswitch_git.bb > > +++ b/recipes-networking/openvswitch/openvswitch_git.bb > > @@ -27,6 +27,7 @@ SRC_URI += > > "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2. > > file://kernel_module.patch \ > > file://systemd-update-tool-paths.patch \ > > file://systemd-create-runtime-dirs.patch \ > > + > > file://0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch \ > > " > > > > LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab" > > > > > > > > > -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
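Review bot: In lib/lldp/lldp.c the two new checks, CHECK_TLV_SIZE(50, "ELEMENT") and CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS"), use bare literals with nothing to show which fields add up to 50 and 36. Both cases go on to read sizeof msg_auth_digest bytes, and the ELEMENT case then reads a PEEK_UINT32, so a short comment or a named constant expressing each minimum in terms of those reads would let a reader confirm the bound, and keep it correct if a field is added later.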
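Review bot: In tests/ofproto-dpif.at the new test sends a single malformed packet and waits only for "ISID_VLAN_ASGNS TLV too short", so the CHECK_TLV_SIZE(50, "ELEMENT") path added in lldp.c has no coverage. Consider a second packet carrying a truncated element TLV with a matching wait on its log line, and a one-line dnl comment saying which TLV in the hex string is the short one.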
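Review bot: In the header of the added 0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch, the tags read "Upstream-Status: Backport from upstream [...]" and "CVE: CVE-2022-4337 - openvswitch: ...", with the description wrapping onto a following line. Suggest "Upstream-Status: Backport [URL]" and CVE: lines that carry only the identifier, each tag on a single line, so anything that scans patch headers sees an unambiguous value; the descriptions are already given in the cover text of the submission.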
