frr: fix CVE-2024-31948

CVE-2024-31948: In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix SID attribute in a BGP UPDATE packet can cause the bgpd daemon to crash. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-31948] Upstream patches: [https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138] [https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Zhang Peng <peng.zhang1.cn@windriver.com> 2024-11-26 16:11:15 +0800
committer: Armin Kuster <akuster808@gmail.com> 2024-12-15 13:57:37 -0500
commit: 2d7769f90b09703f516a8c499972525726db6f95 (patch)
tree: 6edbd469f7f11dd46ab3a22720440bd6f869760a
parent: 483946a97bf49752538675ed56a8acd864c6a12b (diff)
download: meta-openembedded-2d7769f90b09703f516a8c499972525726db6f95.tar.gz
2 files changed, 131 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch
new file mode 100644
index 0000000000..bc1f2edc7d
--- /dev/null
+++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch
@@ -0,0 +1,130 @@
+From a11446687169c679b5e51b57f151a6f6c119656c Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Wed, 27 Mar 2024 18:42:56 +0200
+Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID
+ attribute
+Without this patch, we always set the BGP Prefix SID attribute flag without
+checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded.
+Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received,
+with malformed transitive flags and/or TLVs.
+Reported-by: Iggy Frankovic <iggyfran@amazon.com>
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2024-31948
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ bgpd/bgp_attr.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 56e77eb3a..2639ff864 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -1390,6 +1390,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+        case BGP_ATTR_AS4_AGGREGATOR:
+        case BGP_ATTR_AGGREGATOR:
+        case BGP_ATTR_ATOMIC_AGGREGATE:
+       case BGP_ATTR_PREFIX_SID:
+                return BGP_ATTR_PARSE_PROCEED;
+ 
+        /* Core attributes, particularly ones which may influence route
+@@ -3144,8 +3145,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
+        struct attr *const attr = args->attr;
+        enum bgp_attr_parse_ret ret;
+ 
+-       attr->flag |= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID);
+-
+        uint8_t type;
+        uint16_t length;
+        size_t headersz = sizeof(type) + sizeof(length);
+@@ -3195,6 +3194,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
+                }
+        }
+ 
+       SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID));
+
+        return BGP_ATTR_PARSE_PROCEED;
+ }
+ 
+-- 
+2.34.1
+From 70555e1c0927b84f3aae9406379b00c976b2fa0c Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Wed, 27 Mar 2024 19:08:38 +0200
+Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place
+If we receive an attribute that is handled by bgp_attr_malformed(), use
+treat-as-withdraw behavior for unknown (or missing to add - if new) attributes.
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+CVE: CVE-2024-31948
+Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07]
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+ bgpd/bgp_attr.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
+index 2639ff864..797f05d60 100644
+--- a/bgpd/bgp_attr.c
+++ b/bgpd/bgp_attr.c
+@@ -1381,6 +1381,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+                        (args->startp - STREAM_DATA(BGP_INPUT(peer)))
+                                + args->total);
+ 
+       /* Partial optional attributes that are malformed should not cause
+        * the whole session to be reset. Instead treat it as a withdrawal
+        * of the routes, if possible.
+        */
+       if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) &&
+           CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) &&
+           CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
+               return BGP_ATTR_PARSE_WITHDRAW;
+
+        switch (args->type) {
+        /* where an attribute is relatively inconsequential, e.g. it does not
+         * affect route selection, and can be safely ignored, then any such
+@@ -1418,19 +1427,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
+                                          BGP_NOTIFY_UPDATE_ERR, subcode,
+                                          notify_datap, length);
+                return BGP_ATTR_PARSE_ERROR;
+       default:
+               /* Unknown attributes, that are handled by this function
+                * should be treated as withdraw, to prevent one more CVE
+                * from being introduced.
+                * RFC 7606 says:
+                * The "treat-as-withdraw" approach is generally preferred
+                * and the "session reset" approach is discouraged.
+                */
+               flog_err(EC_BGP_ATTR_FLAG,
+                        "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw",
+                        lookup_msg(attr_str, args->type, NULL), args->type);
+               break;
+        }
+ 
+-       /* Partial optional attributes that are malformed should not cause
+-        * the whole session to be reset. Instead treat it as a withdrawal
+-        * of the routes, if possible.
+-        */
+-       if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS)
+-           && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL)
+-           && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
+-               return BGP_ATTR_PARSE_WITHDRAW;
+-
+-       /* default to reset */
+-       return BGP_ATTR_PARSE_ERROR_NOTIFYPLS;
+       return BGP_ATTR_PARSE_WITHDRAW;
+ }
+ 
+ /* Find out what is wrong with the path attribute flag bits and log the error.
+-- 
+2.34.1
diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb
index 807e4ef8ef..7043cad0f6 100644
--- a/meta-networking/recipes-protocols/frr/frr_9.1.bb
+++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
           file://CVE-2024-34088.patch \
           file://CVE-2024-31950.patch \
           file://CVE-2024-31951.patch \
+           file://CVE-2024-31948.patch \
           "
 SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"
author	Zhang Peng <peng.zhang1.cn@windriver.com>	2024-11-26 16:11:15 +0800
committer	Armin Kuster <akuster808@gmail.com>	2024-12-15 13:57:37 -0500
commit	2d7769f90b09703f516a8c499972525726db6f95 (patch)
tree	6edbd469f7f11dd46ab3a22720440bd6f869760a
parent	483946a97bf49752538675ed56a8acd864c6a12b (diff)
download	meta-openembedded-2d7769f90b09703f516a8c499972525726db6f95.tar.gz

diff --git a/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch new file mode 100644 index 0000000000..bc1f2edc7d --- /dev/null +++ b/meta-networking/recipes-protocols/frr/frr/CVE-2024-31948.patch
@@ -0,0 +1,130 @@
		1	From a11446687169c679b5e51b57f151a6f6c119656c Mon Sep 17 00:00:00 2001
		2	From: Donatas Abraitis <donatas@opensourcerouting.org>
		3	Date: Wed, 27 Mar 2024 18:42:56 +0200
		4	Subject: [PATCH 1/2] bgpd: Fix error handling when receiving BGP Prefix SID
		5	attribute
		6
		7	Without this patch, we always set the BGP Prefix SID attribute flag without
		8	checking if it's malformed or not. RFC8669 says that this attribute MUST be discarded.
		9
		10	Also, this fixes the bgpd crash when a malformed Prefix SID attribute is received,
		11	with malformed transitive flags and/or TLVs.
		12
		13	Reported-by: Iggy Frankovic <iggyfran@amazon.com>
		14	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		15
		16	CVE: CVE-2024-31948
		17	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138]
		18
		19	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		20	---
		21	bgpd/bgp_attr.c \| 5 +++--
		22	1 file changed, 3 insertions(+), 2 deletions(-)
		23
		24	diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
		25	index 56e77eb3a..2639ff864 100644
		26	--- a/bgpd/bgp_attr.c
		27	+++ b/bgpd/bgp_attr.c
		28	@@ -1390,6 +1390,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
		29	case BGP_ATTR_AS4_AGGREGATOR:
		30	case BGP_ATTR_AGGREGATOR:
		31	case BGP_ATTR_ATOMIC_AGGREGATE:
		32	+ case BGP_ATTR_PREFIX_SID:
		33	return BGP_ATTR_PARSE_PROCEED;
		34
		35	/* Core attributes, particularly ones which may influence route
		36	@@ -3144,8 +3145,6 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
		37	struct attr *const attr = args->attr;
		38	enum bgp_attr_parse_ret ret;
		39
		40	- attr->flag \|= ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID);
		41	-
		42	uint8_t type;
		43	uint16_t length;
		44	size_t headersz = sizeof(type) + sizeof(length);
		45	@@ -3195,6 +3194,8 @@ enum bgp_attr_parse_ret bgp_attr_prefix_sid(struct bgp_attr_parser_args *args)
		46	}
		47	}
		48
		49	+ SET_FLAG(attr->flag, ATTR_FLAG_BIT(BGP_ATTR_PREFIX_SID));
		50	+
		51	return BGP_ATTR_PARSE_PROCEED;
		52	}
		53
		54	--
		55	2.34.1
		56
		57	From 70555e1c0927b84f3aae9406379b00c976b2fa0c Mon Sep 17 00:00:00 2001
		58	From: Donatas Abraitis <donatas@opensourcerouting.org>
		59	Date: Wed, 27 Mar 2024 19:08:38 +0200
		60	Subject: [PATCH 2/2] bgpd: Prevent from one more CVE triggering this place
		61
		62	If we receive an attribute that is handled by bgp_attr_malformed(), use
		63	treat-as-withdraw behavior for unknown (or missing to add - if new) attributes.
		64
		65	Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
		66
		67	CVE: CVE-2024-31948
		68	Upstream-Status: Backport [https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07]
		69
		70	Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
		71	---
		72	bgpd/bgp_attr.c \| 33 ++++++++++++++++++++++-----------
		73	1 file changed, 22 insertions(+), 11 deletions(-)
		74
		75	diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
		76	index 2639ff864..797f05d60 100644
		77	--- a/bgpd/bgp_attr.c
		78	+++ b/bgpd/bgp_attr.c
		79	@@ -1381,6 +1381,15 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
		80	(args->startp - STREAM_DATA(BGP_INPUT(peer)))
		81	+ args->total);
		82
		83	+ /* Partial optional attributes that are malformed should not cause
		84	+ * the whole session to be reset. Instead treat it as a withdrawal
		85	+ * of the routes, if possible.
		86	+ */
		87	+ if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS) &&
		88	+ CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL) &&
		89	+ CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
		90	+ return BGP_ATTR_PARSE_WITHDRAW;
		91	+
		92	switch (args->type) {
		93	/* where an attribute is relatively inconsequential, e.g. it does not
		94	* affect route selection, and can be safely ignored, then any such
		95	@@ -1418,19 +1427,21 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
		96	BGP_NOTIFY_UPDATE_ERR, subcode,
		97	notify_datap, length);
		98	return BGP_ATTR_PARSE_ERROR;
		99	+ default:
		100	+ /* Unknown attributes, that are handled by this function
		101	+ * should be treated as withdraw, to prevent one more CVE
		102	+ * from being introduced.
		103	+ * RFC 7606 says:
		104	+ * The "treat-as-withdraw" approach is generally preferred
		105	+ * and the "session reset" approach is discouraged.
		106	+ */
		107	+ flog_err(EC_BGP_ATTR_FLAG,
		108	+ "%s(%u) attribute received, while it is not known how to handle it, treating as withdraw",
		109	+ lookup_msg(attr_str, args->type, NULL), args->type);
		110	+ break;
		111	}
		112
		113	- /* Partial optional attributes that are malformed should not cause
		114	- * the whole session to be reset. Instead treat it as a withdrawal
		115	- * of the routes, if possible.
		116	- */
		117	- if (CHECK_FLAG(flags, BGP_ATTR_FLAG_TRANS)
		118	- && CHECK_FLAG(flags, BGP_ATTR_FLAG_OPTIONAL)
		119	- && CHECK_FLAG(flags, BGP_ATTR_FLAG_PARTIAL))
		120	- return BGP_ATTR_PARSE_WITHDRAW;
		121	-
		122	- /* default to reset */
		123	- return BGP_ATTR_PARSE_ERROR_NOTIFYPLS;
		124	+ return BGP_ATTR_PARSE_WITHDRAW;
		125	}
		126
		127	/* Find out what is wrong with the path attribute flag bits and log the error.
		128	--
		129	2.34.1
		130


diff --git a/meta-networking/recipes-protocols/frr/frr_9.1.bb b/meta-networking/recipes-protocols/frr/frr_9.1.bb index 807e4ef8ef..7043cad0f6 100644 --- a/meta-networking/recipes-protocols/frr/frr_9.1.bb +++ b/meta-networking/recipes-protocols/frr/frr_9.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "git://github.com/FRRouting/frr.git;protocol=https;branch=stable/9.1 \
16	file://CVE-2024-34088.patch \	16	file://CVE-2024-34088.patch \
17	file://CVE-2024-31950.patch \	17	file://CVE-2024-31950.patch \
18	file://CVE-2024-31951.patch \	18	file://CVE-2024-31951.patch \
		19	file://CVE-2024-31948.patch \
19	"	20	"
20		21
21	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"	22	SRCREV = "ca2d6f0f1e000951224a18973cc1827f7f5215b5"