From 0381a69636328ba8f3f1c1bef2a482f82b2d6cd4 Mon Sep 17 00:00:00 2001
From: yangl777
Date: Fri, 29 Mar 2024 06:22:32 +0000
Subject: [PATCH] fix CVE-2022-2639
---
 backport-CVE-2022-2639.patch | 36 ++++++++++++++++++++++++++++++++++++
 openvswitch.spec | 9 ++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-2639.patch
diff --git a/backport-CVE-2022-2639.patch b/backport-CVE-2022-2639.patch
new file mode 100644
index 0000000..bc43581
--- /dev/null
+++ b/backport-CVE-2022-2639.patch
@@ -0,0 +1,36 @@
+From cefa91b2332d7009bc0be5d951d6cbbf349f90f8 Mon Sep 17 00:00:00 2001
+From: Paolo Valerio
+Date: Fri, 15 Apr 2022 10:08:41 +0200
+Subject: [PATCH] openvswitch: fix OOB access in reserve_sfa_size()
+
+Given a sufficiently large number of actions, while copying and
+reserving memory for a new action of a new flow, if next_offset is
+greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
+not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
+bytes increasing actions_len by req_size. This can then lead to an OOB
+write access, especially when further actions need to be copied.
+
+Fix it by rearranging the flow action size check.
+
+Conflict:NA
+Reference:https://github.com/torvalds/linux/commit/cefa91b2332d7009bc0be5d951d6cbbf349f90f8
+---
+ datapath/flow_netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/datapath/flow_netlink.c b/datapath/flow_netlink.c
+index 0f7ab53..1f04072 100644
+--- a/datapath/flow_netlink.c
++++ b/datapath/flow_netlink.c
+@@ -2322,7 +2322,7 @@ static struct nlattr *reserve_sfa_size(struct sw_flow_actions **sfa,
+ new_acts_size = max(next_offset + req_size, ksize(*sfa) * 2);
+
+ if (new_acts_size > MAX_ACTIONS_BUFSIZE) {
+- if ((MAX_ACTIONS_BUFSIZE - next_offset) < req_size) {
++ if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE) {
+ OVS_NLERR(log, "Flow action size exceeds max %u",
+ MAX_ACTIONS_BUFSIZE);
+ return ERR_PTR(-EMSGSIZE);
+--
+2.33.0
+
diff --git a/openvswitch.spec b/openvswitch.spec
index 8ab8106..b3504da 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch
 URL: http://www.openvswitch.org/
 Version: 2.12.4
 License: ASL 2.0 and ISC
-Release: 7
+Release: 8
 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Buildroot: /tmp/openvswitch-rpm
 Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
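Review bot: The rewritten bound check in reserve_sfa_size(), `if ((next_offset + req_size) > MAX_ACTIONS_BUFSIZE)`, has no comment saying why the sum is compared instead of the difference, so a later cleanup could restore the subtraction form and reopen the out-of-bounds write. The commit message says the old test failed to return -EMSGSIZE once next_offset was already above MAX_ACTIONS_BUFSIZE. Presumably the negative difference was compared against an unsigned req_size, but the declarations are outside the hunk, so confirm the types before stating that in code. I would add above the inner `if`: `/* Compare the sum, not MAX_ACTIONS_BUFSIZE - next_offset: next_offset may already exceed the maximum, which the difference form failed to reject. */`. The function body starts and ends outside the hunk.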
@@ -19,6 +19,7 @@ Patch6002: backport-CVE-2023-5366.patch
 Patch6003: backport-0001-CVE-2023-3966.patch
 Patch6004: backport-0002-CVE-2023-3966.patch
 Patch6005: backport-0003-CVE-2023-3966.patch
+Patch6006: backport-CVE-2022-2639.patch
 Patch9000: fix-selinux-err.patch
@@ -295,6 +296,12 @@ exit 0
 %doc README.rst NEWS rhel/README.RHEL.rst
 %changelog
+* Fri Mar 29 2024 yanglu - 2.12.4-8
+- Type:CVE
+- Id:CVE-2022-2639
+- SUG:NA
+- DESC:fix CVE-2022-2639
+
 * Tue Feb 20 2024 zhangpan - 2.12.4-7
 - fix CVE-2023-3966
-- Gitee
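Review bot: `Patch6006` is declared in this hunk, but the spec's 8 insertions and 1 deletion are fully accounted for by the Release, Patch6006 and changelog lines, so no `%patch6006 -p1` line is added. The backport is therefore applied only if %prep, which is outside the diff, uses `%autosetup` or `%autopatch`; a build log would confirm this. Separately, the backport edits `datapath/flow_netlink.c`, which is kernel datapath source. If this spec does not build and ship that kernel module, the installed binaries do not change and hosts stay exposed until the kernel package carries the same fix, even though the changelog marks CVE-2022-2639 as fixed. A comment on the Patch6006 line such as `# kernel datapath source only` would record that scope.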