2 files changed, 87 insertions, 0 deletions
diff --git a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch
new file mode 100644
index 00000000..ec401060
--- /dev/null
+++ b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch
@@ -0,0 +1,86 @@
+From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001
+From: Qian Chen <cq674350529@163.com>
+Date: Tue, 20 Dec 2022 09:36:08 -0500
+Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach.
+The OVS LLDP implementation includes support for AutoAttach standard, which
+the 'upstream' lldpd project does not include.  As part of adding this
+support, the message parsing for these TLVs did not include proper length
+checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the
+LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements.  The result is that a message
+without a proper boundary will cause an overread of memory, and lead to
+undefined results, including crashes or other unidentified behavior.
+The fix is to introduce proper bounds checking for these elements.  Introduce
+a unit test to ensure that we have some proper rejection in this code
+base in the future.
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Upstream-Status: Backport from upstream [https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4]
+CVE: CVE-2022-4337 - openvswitch: Out-of-Bounds Read in Organization Specific TLV
+CVE: CVE-2022-4338 - openvswitch: Integer Underflow in Organization Specific TLV
+Signed-off-by: Qian Chen <cq674350529@163.com>
+Co-authored-by: Aaron Conole <aconole@redhat.com>
+Signed-off-by: Aaron Conole <aconole@redhat.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
+---
+ lib/lldp/lldp.c       |  2 ++
+ tests/ofproto-dpif.at | 19 +++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index dfeb2a800..6fdcfef56 100644
+--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
+@@ -583,6 +583,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ 
+                 switch(tlv_subtype) {
+                 case LLDP_TLV_AA_ELEMENT_SUBTYPE:
+                    CHECK_TLV_SIZE(50, "ELEMENT");
+                     PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+ 
+                     aa_element_dword = PEEK_UINT32;
+@@ -629,6 +630,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+                     break;
+ 
+                 case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE:
+                    CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS");
+                     PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+ 
+                     /* Subtract off tlv type and length (2Bytes) + OUI (3B) +
+diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
+index eb4cd1896..fa6111c1e 100644
+--- a/tests/ofproto-dpif.at
+++ b/tests/ofproto-dpif.at
+@@ -62,6 +62,25 @@ AT_CHECK([ovs-appctl coverage/read-counter rev_reconfigure], [0], [dnl
+ OVS_VSWITCHD_STOP
+ AT_CLEANUP
+ 
+AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv])
+OVS_VSWITCHD_START()
+add_of_ports br0 1
+
+dnl Enable lldp
+AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true])
+
+dnl Send a malformed lldp packet
+packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl
+"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl
+"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl
+"4445414442454546fe0500040d0c010000"
+AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout])
+
+OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log])
+
+OVS_VSWITCHD_STOP(["/|WARN|ISID_VLAN_ASGNS TLV too short received on/d"])
+AT_CLEANUP
+
+ AT_SETUP([ofproto-dpif - active-backup bonding (with primary)])
+ 
+ dnl Create br0 with members p1, p2 and p7, creating bond0 with p1 and
+-- 
+2.34.1
diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index f5d85f3f..4f4efe75 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -27,6 +27,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2.
            file://kernel_module.patch \
            file://systemd-update-tool-paths.patch \
            file://systemd-create-runtime-dirs.patch \
+            file://0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch \
           "
 LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"

diff --git a/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch new file mode 100644 index 00000000..ec401060 --- /dev/null +++ b/recipes-networking/openvswitch/files/0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch
@@ -0,0 +1,86 @@
		1	From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001
		2	From: Qian Chen <cq674350529@163.com>
		3	Date: Tue, 20 Dec 2022 09:36:08 -0500
		4	Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach.
		5
		6	The OVS LLDP implementation includes support for AutoAttach standard, which
		7	the 'upstream' lldpd project does not include. As part of adding this
		8	support, the message parsing for these TLVs did not include proper length
		9	checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the
		10	LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements. The result is that a message
		11	without a proper boundary will cause an overread of memory, and lead to
		12	undefined results, including crashes or other unidentified behavior.
		13
		14	The fix is to introduce proper bounds checking for these elements. Introduce
		15	a unit test to ensure that we have some proper rejection in this code
		16	base in the future.
		17
		18	Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
		19
		20	Upstream-Status: Backport from upstream [https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4]
		21	CVE: CVE-2022-4337 - openvswitch: Out-of-Bounds Read in Organization Specific TLV
		22	CVE: CVE-2022-4338 - openvswitch: Integer Underflow in Organization Specific TLV
		23
		24	Signed-off-by: Qian Chen <cq674350529@163.com>
		25	Co-authored-by: Aaron Conole <aconole@redhat.com>
		26	Signed-off-by: Aaron Conole <aconole@redhat.com>
		27	Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
		28	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
		29	---
		30	lib/lldp/lldp.c \| 2 ++
		31	tests/ofproto-dpif.at \| 19 +++++++++++++++++++
		32	2 files changed, 21 insertions(+)
		33
		34	diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
		35	index dfeb2a800..6fdcfef56 100644
		36	--- a/lib/lldp/lldp.c
		37	+++ b/lib/lldp/lldp.c
		38	@@ -583,6 +583,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s,
		39
		40	switch(tlv_subtype) {
		41	case LLDP_TLV_AA_ELEMENT_SUBTYPE:
		42	+ CHECK_TLV_SIZE(50, "ELEMENT");
		43	PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
		44
		45	aa_element_dword = PEEK_UINT32;
		46	@@ -629,6 +630,7 @@ lldp_decode(struct lldpd cfg OVS_UNUSED, char frame, int s,
		47	break;
		48
		49	case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE:
		50	+ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS");
		51	PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
		52
		53	/* Subtract off tlv type and length (2Bytes) + OUI (3B) +
		54	diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
		55	index eb4cd1896..fa6111c1e 100644
		56	--- a/tests/ofproto-dpif.at
		57	+++ b/tests/ofproto-dpif.at
		58	@@ -62,6 +62,25 @@ AT_CHECK([ovs-appctl coverage/read-counter rev_reconfigure], [0], [dnl
		59	OVS_VSWITCHD_STOP
		60	AT_CLEANUP
		61
		62	+AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv])
		63	+OVS_VSWITCHD_START()
		64	+add_of_ports br0 1
		65	+
		66	+dnl Enable lldp
		67	+AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true])
		68	+
		69	+dnl Send a malformed lldp packet
		70	+packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl
		71	+"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl
		72	+"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl
		73	+"4445414442454546fe0500040d0c010000"
		74	+AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout])
		75	+
		76	+OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log])
		77	+
		78	+OVS_VSWITCHD_STOP(["/\|WARN\|ISID_VLAN_ASGNS TLV too short received on/d"])
		79	+AT_CLEANUP
		80	+
		81	AT_SETUP([ofproto-dpif - active-backup bonding (with primary)])
		82
		83	dnl Create br0 with members p1, p2 and p7, creating bond0 with p1 and
		84	--
		85	2.34.1
		86


diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb index f5d85f3f..4f4efe75 100644 --- a/recipes-networking/openvswitch/openvswitch_git.bb +++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -27,6 +27,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=https;branch=branch-2.
27	file://kernel_module.patch \	27	file://kernel_module.patch \
28	file://systemd-update-tool-paths.patch \	28	file://systemd-update-tool-paths.patch \
29	file://systemd-create-runtime-dirs.patch \	29	file://systemd-create-runtime-dirs.patch \
		30	file://0001-lldp-Fix-bugs-when-parsing-malformed-AutoAttach.patch \
30	"	31	"
31		32
32	LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"	33	LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"