diff --git a/backport-CVE-2022-4338.patch b/backport-CVE-2022-4338.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b5b7ba5d8832cc47ac5e1ab2afbfcf94135f4961
--- /dev/null
+++ b/backport-CVE-2022-4338.patch
@@ -0,0 +1,80 @@
+From 7490f281f09a8455c48e19b0cf1b99ab758ee4f4 Mon Sep 17 00:00:00 2001
+From: Qian Chen
+Date: Tue, 20 Dec 2022 09:36:08 -0500
+Subject: [PATCH] lldp: Fix bugs when parsing malformed AutoAttach.
+
+The OVS LLDP implementation includes support for AutoAttach standard, which
+the 'upstream' lldpd project does not include. As part of adding this
+support, the message parsing for these TLVs did not include proper length
+checks for the LLDP_TLV_AA_ELEMENT_SUBTYPE and the
+LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE elements. The result is that a message
+without a proper boundary will cause an overread of memory, and lead to
+undefined results, including crashes or other unidentified behavior.
+
+The fix is to introduce proper bounds checking for these elements. Introduce
+a unit test to ensure that we have some proper rejection in this code
+base in the future.
+
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Signed-off-by: Qian Chen
+Co-authored-by: Aaron Conole
+Signed-off-by: Aaron Conole
+Signed-off-by: Ilya Maximets
+---
+ lib/lldp/lldp.c | 2 ++
+ tests/ofproto-dpif.at | 19 +++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index 18afbab..f668dc7 100644
+--- a/lib/lldp/lldp.c
++++ b/lib/lldp/lldp.c
+@@ -581,6 +581,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+
+ switch(tlv_subtype) {
+ case LLDP_TLV_AA_ELEMENT_SUBTYPE:
++ CHECK_TLV_SIZE(50, "ELEMENT");
+ PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+
+ aa_element_dword = PEEK_UINT32;
+@@ -627,6 +628,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ break;
+
+ case LLDP_TLV_AA_ISID_VLAN_ASGNS_SUBTYPE:
++ CHECK_TLV_SIZE(36, "ISID_VLAN_ASGNS");
+ PEEK_BYTES(&msg_auth_digest, sizeof msg_auth_digest);
+
+ /* Subtract off tlv type and length (2Bytes) + OUI (3B) +
+diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
+index f9ffc9f..d4f27ed 100644
+--- a/tests/ofproto-dpif.at
++++ b/tests/ofproto-dpif.at
+@@ -29,6 +29,25 @@ AT_CHECK([ovs-appctl revalidator/wait])
+ OVS_VSWITCHD_STOP
+ AT_CLEANUP
+
++AT_SETUP([ofproto-dpif - malformed lldp autoattach tlv])
++OVS_VSWITCHD_START()
++add_of_ports br0 1
++
++dnl Enable lldp
++AT_CHECK([ovs-vsctl set interface p1 lldp:enable=true])
++
++dnl Send a malformed lldp packet
++packet="0180c200000ef6b426aa5f0088cc020704f6b426aa5f000403057632060200780c"dnl
++"5044454144424545464445414442454546444541444245454644454144424545464445414"dnl
++"4424545464445414442454546444541444245454644454144424545464445414442454546"dnl
++"4445414442454546fe0500040d0c010000"
++AT_CHECK([ovs-appctl netdev-dummy/receive p1 "$packet"], [0], [stdout])
++
++OVS_WAIT_UNTIL([grep -q "ISID_VLAN_ASGNS TLV too short" ovs-vswitchd.log])
++
++OVS_VSWITCHD_STOP(["/|WARN|ISID_VLAN_ASGNS TLV too short received on/d"])
++AT_CLEANUP
++
+ AT_SETUP([ofproto-dpif - active-backup bonding])
+ # Create br0 with interfaces p1, p2 and p7, creating bond0 with p1 and p2
+ # and br1 with interfaces p3, p4 and p8.
+--
+2.33.0
+
diff --git a/openvswitch.spec b/openvswitch.spec
index 5a0714e56c1ebcd1a80645cdec76566c69cb4614..77effa1c7dba3f35b14cda9fb39bc08df27a9895 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -6,12 +6,13 @@ Summary: Production Quality, Multilayer Open Virtual Switch URL: http://www.openvswitch.org/ Version: 2.12.4 License: ASL 2.0 and ISC -Release: 1 +Release: 2 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Buildroot: /tmp/openvswitch-rpm Patch0000: 0000-openvswitch-add-stack-protector-strong.patch Patch0002: 0002-Remove-unsupported-permission-names.patch Patch0003: 0003-Fallback-to-read-proc-net-dev-on-linux.patch +Patch0004: backport-CVE-2022-4338.patch Patch9000: fix-selinux-err.patch
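Review bot: The regression test added to tests/ofproto-dpif.at only exercises the second guard — it waits for `"ISID_VLAN_ASGNS TLV too short"` — so the new `CHECK_TLV_SIZE(50, "ELEMENT");` line in the first lldp.c hunk ships in this backport with no test at all. A second AT_SETUP case that sends a truncated ELEMENT subtype and waits on `grep -q "ELEMENT TLV too short" ovs-vswitchd.log`, with the matching `OVS_VSWITCHD_STOP(["/|WARN|ELEMENT TLV too short received on/d"])` filter, would close that gap at little cost. The minimum sizes 50 and 36 are only meaningful relative to what CHECK_TLV_SIZE compares against, and that macro is defined outside this patch; before relying on the backport in this 2.12.4 tree, confirm it compares the payload length the PEEK_* macros consume rather than the on-wire length that includes the 2-byte TLV type/length header. Both lldp_decode hunks are excerpts, and the function continues outside them. The spec %changelog names a single CVE while the upstream subject covers both AutoAttach subtypes; check the upstream advisory for whether a second identifier applies and record it if so.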
@@ -284,6 +285,9 @@ exit 0 %doc README.rst NEWS rhel/README.RHEL.rst %changelog +* Thu Dec 29 2022 zhouwenpei - 2.12.4-2 +- fix CVE-2022-4338 + * Wed Sep 28 2022 zhouwenpei - 2.12.4-1 - upgrade to 2.12.4