From b0aa1a9d9500b6b3070c6ea1827cd42f06ce8369 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Mon, 1 Mar 2021 14:35:10 +0800
Subject: [PATCH] fix CVE-2020-35498
---
 CVE-2020-35498-pre.patch | 53 +++++++++++++++++++++
 CVE-2020-35498.patch | 100 +++++++++++++++++++++++++++++++++++++++
 openvswitch.spec | 10 +++-
 3 files changed, 161 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2020-35498-pre.patch
 create mode 100644 CVE-2020-35498.patch
diff --git a/CVE-2020-35498-pre.patch b/CVE-2020-35498-pre.patch
new file mode 100644
index 0000000..b33981a
--- /dev/null
+++ b/CVE-2020-35498-pre.patch
@@ -0,0 +1,53 @@
+From b7d0c1a5842d59d7413cb9c079fe25b1ad2b6602 Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Fri, 26 Feb 2021 17:59:44 +0800
+Subject: [PATCH] conntrack: Fix 'reverse_nat_packet()' variable
+datatype.
+
+The datatype 'pad' in the function 'reverse_nat_packet()' was incorrectly
+declared as 'char' instead of 'uint8_t'. This can affect reverse natting
+of icmpX packets with padding > 127 bytes. At the same time, add some
+comments regarding 'extract_l3_ipvX' usage in this function. Found by
+inspection.
+
+Fixes: edd1bef468c0 ("dpdk: Add more ICMP Related NAT support.")
+Signed-off-by: Darrell Ball
+Signed-off-by: Ben Pfaff
+---
+ lib/conntrack.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/conntrack.c b/lib/conntrack.c
+index e5266e5..59df332 100644
+--- a/lib/conntrack.c
++++ b/lib/conntrack.c
+@@ -688,7 +688,7 @@ static void
+ reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
+ {
+ char *tail = dp_packet_tail(pkt);
+- char pad = dp_packet_l2_pad_size(pkt);
++ uint8_t pad = dp_packet_l2_pad_size(pkt);
+ struct conn_key inner_key;
+ const char *inner_l4 = NULL;
+ uint16_t orig_l3_ofs = pkt->l3_ofs;
+@@ -698,6 +698,8 @@ reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
+ struct ip_header *nh = dp_packet_l3(pkt);
+ struct icmp_header *icmp = dp_packet_l4(pkt);
+ struct ip_header *inner_l3 = (struct ip_header *) (icmp + 1);
++ /* This call is already verified to succeed during the code path from
++ * 'conn_key_extract()' which calls 'extract_l4_icmp()'. */
+ extract_l3_ipv4(&inner_key, inner_l3, tail - ((char *)inner_l3) - pad,
+ &inner_l4, false);
+ pkt->l3_ofs += (char *) inner_l3 - (char *) nh;
+@@ -719,6 +721,8 @@ reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
+ struct icmp6_error_header *icmp6 = dp_packet_l4(pkt);
+ struct ovs_16aligned_ip6_hdr *inner_l3_6 =
+ (struct ovs_16aligned_ip6_hdr *) (icmp6 + 1);
++ /* This call is already verified to succeed during the code path from
++ * 'conn_key_extract()' which calls 'extract_l4_icmp6()'. */
+ extract_l3_ipv6(&inner_key, inner_l3_6,
+ tail - ((char *)inner_l3_6) - pad,
+ &inner_l4);
+--
+2.23.0
+
diff --git a/CVE-2020-35498.patch b/CVE-2020-35498.patch
new file mode 100644
index 0000000..8ab2dd5
--- /dev/null
+++ b/CVE-2020-35498.patch
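Review bot: The embedded patch header gives `From: wang_yue111 <648774160@qq.com>` and a 2021-02-26 date, while its trailer lines `Signed-off-by: Darrell Ball` / `Signed-off-by: Ben Pfaff` show it is an upstream commit, and those trailer lines have lost their e-mail addresses, so the provenance of the backport cannot be traced from the file alone; whether `b7d0c1a5…` on the first line is the upstream commit id or a local rebase is likewise not stated. The same applies to the header of `CVE-2020-35498.patch` in the next hunk. Since this first patch only changes `char pad` to `uint8_t pad` and the CVE patch then removes that very `uint8_t pad` line, it is evidently a prerequisite so the second patch applies cleanly; a line at the top of the description such as `Backport of upstream commit <UPSTREAM-COMMIT-ID>; prerequisite for CVE-2020-35498.patch, whose context expects 'uint8_t pad'.` would make that dependency and the origin explicit. `reverse_nat_packet()` itself starts and ends outside the quoted hunks.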
@@ -0,0 +1,100 @@
+From 45e941a17b605cc61e7c3ed8cffed5b3a5b608a6 Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Fri, 26 Feb 2021 18:20:58 +0800
+Subject: [PATCH] flow: Support extra padding length.
+
+Although not required, padding can be optionally added until
+the packet length is MTU bytes. A packet with extra padding
+currently fails sanity checks.
+
+Vulnerability: CVE-2020-35498
+Fixes: fa8d9001a624 ("miniflow_extract: Properly handle small IP packets.")
+Reported-by: Joakim Hindersson
+Acked-by: Ilya Maximets
+Signed-off-by: Flavio Leitner
+Signed-off-by: Ilya Maximets
+
+---
+ lib/conntrack.c | 2 +-
+ lib/dp-packet.h | 10 +++++-----
+ lib/flow.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/lib/conntrack.c b/lib/conntrack.c
+index 47ebc8e..9a59ef6 100644
+--- a/lib/conntrack.c
++++ b/lib/conntrack.c
+@@ -688,7 +688,7 @@ static void
+ reverse_nat_packet(struct dp_packet *pkt, const struct conn *conn)
+ {
+ char *tail = dp_packet_tail(pkt);
+- uint8_t pad = dp_packet_l2_pad_size(pkt);
++ uint16_t pad = dp_packet_l2_pad_size(pkt);
+ struct conn_key inner_key;
+ const char *inner_l4 = NULL;
+ uint16_t orig_l3_ofs = pkt->l3_ofs;
+diff --git a/lib/dp-packet.h b/lib/dp-packet.h
+index 14f0897..c607247 100644
+--- a/lib/dp-packet.h
++++ b/lib/dp-packet.h
+@@ -76,7 +76,7 @@ struct dp_packet {
+
+ /* All the following elements of this struct are copied in a single call
+ * of memcpy in dp_packet_clone_with_headroom. */
+- uint8_t l2_pad_size; /* Detected l2 padding size.
++ uint16_t l2_pad_size; /* Detected l2 padding size.
+ * Padding is non-pullable. */
+ uint16_t l2_5_ofs; /* MPLS label stack offset, or UINT16_MAX */
+ uint16_t l3_ofs; /* Network-level header offset,
+@@ -113,8 +113,8 @@ void *dp_packet_resize_l2(struct dp_packet *, int increment);
+ void *dp_packet_resize_l2_5(struct dp_packet *, int increment);
+ static inline void *dp_packet_eth(const struct dp_packet *);
+ static inline void dp_packet_reset_offsets(struct dp_packet *);
+-static inline uint8_t dp_packet_l2_pad_size(const struct dp_packet *);
+-static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint8_t);
++static inline uint16_t dp_packet_l2_pad_size(const struct dp_packet *);
++static inline void dp_packet_set_l2_pad_size(struct dp_packet *, uint16_t);
+ static inline void *dp_packet_l2_5(const struct dp_packet *);
+ static inline void dp_packet_set_l2_5(struct dp_packet *, void *);
+ static inline void *dp_packet_l3(const struct dp_packet *);
+@@ -320,14 +320,14 @@ dp_packet_reset_offsets(struct dp_packet *b)
+ b->l4_ofs = UINT16_MAX;
+ }
+
+-static inline uint8_t
++static inline uint16_t
+ dp_packet_l2_pad_size(const struct dp_packet *b)
+ {
+ return b->l2_pad_size;
+ }
+
+ static inline void
+-dp_packet_set_l2_pad_size(struct dp_packet *b, uint8_t pad_size)
++dp_packet_set_l2_pad_size(struct dp_packet *b, uint16_t pad_size)
+ {
+ ovs_assert(pad_size <= dp_packet_size(b));
+ b->l2_pad_size = pad_size;
+diff --git a/lib/flow.c b/lib/flow.c
+index e54fd2e..354b441 100644
+--- a/lib/flow.c
++++ b/lib/flow.c
+@@ -660,7 +660,7 @@ ipv4_sanity_check(const struct ip_header *nh, size_t size,
+
+ tot_len = ntohs(nh->ip_tot_len);
+ if (OVS_UNLIKELY(tot_len > size || ip_len > tot_len ||
+- size - tot_len > UINT8_MAX)) {
++ size - tot_len > UINT16_MAX)) {
+ return false;
+ }
+
+@@ -698,8 +698,8 @@ ipv6_sanity_check(const struct ovs_16aligned_ip6_hdr *nh, size_t size)
+ if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
+ return false;
+ }
+- /* Jumbo Payload option not supported yet. */
+- if (OVS_UNLIKELY(size - plen > UINT8_MAX)) {
++
++ if (OVS_UNLIKELY(size - (plen + IPV6_HEADER_LEN) > UINT16_MAX)) {
+ return false;
+ }
+
diff --git a/openvswitch.spec b/openvswitch.spec
index 555615e..cd8f481 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
@@ -2,12 +2,15 @@ Name: openvswitch
 Summary: Production Quality, Multilayer Open Virtual Switch
 URL: http://www.openvswitch.org/
 Version: 2.12.0
-License: ASL 2.0
-Release: 8
+License: ASL 2.0 and ISC
+Release: 9
 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz
 Buildroot: /tmp/openvswitch-rpm
 Patch0000: 0000-openvswitch-add-stack-protector-strong.patch
 Patch0001: 0001-Remove-unsupported-permission-names.patch
+Patch0002: CVE-2020-35498-pre.patch
+Patch0003: CVE-2020-35498.patch
+
 Requires: %{name}-help
 Requires: logrotate hostname python >= 2.7 python2-six selinux-policy-targeted
 BuildRequires: python2-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel
@@ -204,6 +207,9 @@ exit 0
 %doc README.rst NEWS rhel/README.RHEL.rst
 %changelog
+* Mon Mar 01 2021 wangyue - 2.12.0-9
+- fix CVE-2020-35498
+
 * Wed Nov 18 2020 maminjie - 2.12.0-8
 - Remove unsupported permission names
--
Gitee
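Review bot: Widening `l2_pad_size` from `uint8_t` to `uint16_t` in the `lib/dp-packet.h` hunk changes the layout and size of `struct dp_packet`, and the adjacent comment says everything from that field on is copied by a single memcpy in `dp_packet_clone_with_headroom`; whether that copy sizes itself from the struct, and whether anything outside this package is built against the old layout and so needs rebuilding with the Release bump, cannot be told from this diff and is worth confirming. In the `ipv6_sanity_check` hunk the removed `/* Jumbo Payload option not supported yet. */` comment is replaced by an empty line, so the reason for the `UINT16_MAX` bound is no longer stated at the check; as this is a backport, rather than editing the upstream hunk, a sentence in the patch description such as `The new bound mirrors the uint16_t l2_pad_size field and the ovs_assert(pad_size <= dp_packet_size(b)) in dp_packet_set_l2_pad_size().` would record the reasoning for package maintainers. `ipv4_sanity_check`, `ipv6_sanity_check` and `dp_packet_set_l2_pad_size` all start or end outside the quoted hunks.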
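Review bot: The `@@ -2,12 +2,15 @@` hunk changes `License: ASL 2.0` to `License: ASL 2.0 and ISC` in the same commit as the CVE patches, but the changelog entry added in the `@@ -204,6 +207,9 @@` hunk only says `- fix CVE-2020-35498`, so the license change is undocumented; either split it into its own commit or add a changelog line such as `- Update License to ASL 2.0 and ISC`. The hunk also declares `Patch0002: CVE-2020-35498-pre.patch` and `Patch0003: CVE-2020-35498.patch`, but `%prep` is not in the diff: if it applies patches with explicit `%patch` lines rather than `%autosetup`, matching `%patch0002 -p1` and `%patch0003 -p1` lines are needed for the new patches to take effect, which should be confirmed against the full spec.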