| -rw-r--r-- | recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch | 99 | ||||
| -rw-r--r-- | recipes-networking/openvswitch/openvswitch_git.bb | 5 |
2 files changed, 2 insertions, 102 deletions
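--- a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 77cccc74deede443e8b9102299efc869a52b65b2 Mon Sep 17 00:00:00 2001
-From: Ilya Maximets <i.maximets@ovn.org>
-Date: Tue, 16 Feb 2021 23:27:30 +0100
-Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
-
-While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
-ofpbuf if there is no enough space left. However, function
-'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
-structure leading to write-after-free and incorrect decoding.
-
-==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
-0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
-WRITE of size 2 at 0x60600000011a thread T0
-#0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
-#1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
-#2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
-#3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
-#4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
-#5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
-#6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
-#7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
-#8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
-#9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
-#10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
-#11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
-#12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
-#13 0x5391ae in main utilities/ovs-ofctl.c:179:9
-#14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
-#15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
-
-Fix that by getting a new pointer before using.
-
-Credit to OSS-Fuzz.
-
-Fuzzer regression test will fail only with AddressSanitizer enabled.
-
-Upstream-status: Backport
-
-Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
-Fixes: f839892a206a ("OF support and translation of generic encap and decap")
-Acked-by: William Tu <u9012063@gmail.com>
-Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
----
-lib/ofp-actions.c | 2 ++
-tests/automake.mk | 3 ++-
-tests/fuzz-regression-list.at | 1 +
-tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0
-4 files changed, 5 insertions(+), 1 deletion(-)
-create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
-
-diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
-index e2e829772..0342a228b 100644
---- a/lib/ofp-actions.c
-+++ b/lib/ofp-actions.c
-@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
-{
-struct ofpact_encap *encap;
-const struct ofp_ed_prop_header *ofp_prop;
-+ const size_t encap_ofs = out->size;
-size_t props_len;
-uint16_t n_props = 0;
-int err;
-@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
-}
-n_props++;
-}
-+ encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
-encap->n_props = n_props;
-out->header = &encap->ofpact;
-ofpact_finish_ENCAP(out, &encap);
-diff --git a/tests/automake.mk b/tests/automake.mk
-index 677b99a6b..fc80e027d 100644
---- a/tests/automake.mk
-+++ b/tests/automake.mk
-@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
-tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
-tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
-tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
-- tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
-+ tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
-+ tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
-$(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
-$(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
-basename=`echo $$name | sed 's,^.*/,,'`; \
-diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
-index e3173fb88..2347c690e 100644
---- a/tests/fuzz-regression-list.at
-+++ b/tests/fuzz-regression-list.at
-@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
-TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
-TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
-TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
-+TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
-diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
-new file mode 100644
-index 000000000..e69de29bb
---
-2.17.1
-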
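--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -14,12 +14,12 @@ RDEPENDS:${PN}-ptest += "\
 "
 
 S = "${WORKDIR}/git"
-PV = "2.15+${SRCPV}"
+PV = "2.15.1+${SRCPV}"
 CVE_VERSION = "2.13.0"
 
 FILESEXTRAPATHS:append := "${THISDIR}/${PN}-git:"
 
-SRCREV = "8dc1733eaea866dce033b3c44853e1b09bf59fc7"
+SRCREV = "f8274b78c3403591e84f3c2bbacf8c86920d68ba"
 SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15 \
 file://openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch \
 file://run-ptest \
@@ -28,7 +28,6 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
 file://systemd-update-tool-paths.patch \
 file://systemd-create-runtime-dirs.patch \
 file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
-file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
 "
 
 LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"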
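Review bot: `CVE_VERSION = "2.13.0"` in the first hunk is left unchanged while `PV` moves to `2.15.1+${SRCPV}`, so CVE scanning that keys on `CVE_VERSION` will keep matching this recipe against 2.13.0 and may report issues already fixed on branch-2.15. If the stale value is not intentional, it should follow the bump, e.g. `CVE_VERSION = "2.15.1"`. Separately, the second hunk drops the RAW_ENCAP use-after-free backport from `SRC_URI`, and nothing on this page shows that the new `SRCREV` `f8274b78c3403591e84f3c2bbacf8c86920d68ba` already contains upstream commit 77cccc74deede443e8b9102299efc869a52b65b2. The commit message should state that it does, so the removal can be audited later without re-deriving it from the upstream history.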
