From b4194c667328762011f6271e028b3209b511a159 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Tue, 30 Mar 2021 16:49:18 +0800
Subject: [PATCH] fix CVE-2020-27827 and CVE-2015-8011
(cherry picked from commit 62f6452a5af0158f4fa34da4f25e741b31236a92)
---
 CVE-2015-8011.patch | 55 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2020-27827.patch | 45 ++++++++++++++++++++++++++++++++++++
 openvswitch.spec | 7 +++++-
 3 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2015-8011.patch
 create mode 100644 CVE-2020-27827.patch
diff --git a/CVE-2015-8011.patch b/CVE-2015-8011.patch
new file mode 100644
index 0000000..b79c9f1
--- /dev/null
+++ b/CVE-2015-8011.patch
@@ -0,0 +1,55 @@
+From bb5a9937fa8e04e71052fb50e23894448d19678f Mon Sep 17 00:00:00 2001
+From: Vincent Bernat
+Date: Thu, 12 Nov 2020 19:54:52 -0500
+Subject: [PATCH] lldp: fix a buffer overflow when handling management address
+ TLV
+
+Upstream commit:
+ commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
+ Author: Vincent Bernat
+ Date: Sun, 4 Oct 2015 01:50:38 +0200
+
+ lldp: fix a buffer overflow when handling management address TLV
+
+ When a remote device was advertising a too large management address
+ while still respecting TLV boundaries, lldpd would crash due to a buffer
+ overflow. However, the buffer being a static one, this buffer overflow
+ is not exploitable if hardening was not disabled. This bug exists since
+ version 0.5.6.
+
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Reported-by: Jonas Rudloff
+Reported-at: https://github.com/openvswitch/ovs/pull/335
+Co-authored-by: Fabrizio D'Angelo
+Signed-off-by: Fabrizio D'Angelo
+Acked-by: Aaron Conole
+Signed-off-by: Ilya Maximets
+---
+ lib/lldp/lldp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index 593c5e1c34..628d0f863d 100644
+--- a/lib/lldp/lldp.c
++++ b/lib/lldp/lldp.c
+@@ -530,6 +530,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ case LLDP_TLV_MGMT_ADDR:
+ CHECK_TLV_SIZE(1, "Management address");
+ addr_str_length = PEEK_UINT8;
++ if (addr_str_length > sizeof(addr_str_buffer)) {
++ VLOG_WARN("too large management address on %s",
++ hardware->h_ifname);
++ goto malformed;
++ }
+ CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
+ PEEK_BYTES(addr_str_buffer, addr_str_length);
+ addr_length = addr_str_length - 1;
+@@ -554,7 +559,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ break;
+
+ case LLDP_TLV_ORG:
+- CHECK_TLV_SIZE(4, "Organisational");
++ CHECK_TLV_SIZE(1 + sizeof orgid, "Organisational");
+ PEEK_BYTES(orgid, sizeof orgid);
+ tlv_subtype = PEEK_UINT8;
+ if (memcmp(dot1, orgid, sizeof orgid) == 0) {
diff --git a/CVE-2020-27827.patch b/CVE-2020-27827.patch
new file mode 100644
index 0000000..1ac3685
--- /dev/null
+++ b/CVE-2020-27827.patch
@@ -0,0 +1,45 @@
+From 78e712c0b1dacc2f12d2a03d98f083d8672867f0 Mon Sep 17 00:00:00 2001
+From: Aaron Conole
+Date: Wed, 13 Jan 2021 10:47:19 -0500
+Subject: [PATCH] lldp: do not leak memory on multiple instances of TLVs
+
+Upstream commit:
+ commit a8d3c90feca548fc0656d95b5d278713db86ff61
+ Date: Tue, 17 Nov 2020 09:28:17 -0500
+
+ lldp: avoid memory leak from bad packets
+
+ A packet that contains multiple instances of certain TLVs will cause
+ lldpd to continually allocate memory and leak the old memory. As an
+ example, multiple instances of system name TLV will cause old values
+ to be dropped by the decoding routine.
+
+ Reported-at: https://github.com/openvswitch/ovs/pull/337
+ Reported-by: Jonas Rudloff
+ Signed-off-by: Aaron Conole
+
+Vulnerability: CVE-2020-27827
+Signed-off-by: Aaron Conole
+Signed-off-by: Ilya Maximets
+---
+ lib/lldp/lldp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index e5755307fb..18afbab9a7 100644
+--- a/lib/lldp/lldp.c
++++ b/lib/lldp/lldp.c
+@@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ b = xzalloc(tlv_size + 1);
+ PEEK_BYTES(b, tlv_size);
+ if (tlv_type == LLDP_TLV_PORT_DESCR) {
++ free(port->p_descr);
+ port->p_descr = b;
+ } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) {
++ free(chassis->c_name);
+ chassis->c_name = b;
+ } else {
++ free(chassis->c_descr);
+ chassis->c_descr = b;
+ }
+ break;
diff --git a/openvswitch.spec b/openvswitch.spec
index 56ec0a4..fc6cce2 100644
--- a/openvswitch.spec
+++ b/openvswitch.spec
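Review bot: In the LLDP_TLV_MGMT_ADDR hunk of CVE-2015-8011.patch, a management address string length of zero still passes the added upper-bound check, and the context line `addr_length = addr_str_length - 1;` then goes to -1 or wraps, depending on the declared type, which is outside the hunk. The guard could reject both ends of the range, `if (addr_str_length < 1 || addr_str_length > sizeof(addr_str_buffer)) {`, with the warning text reworded so it also fits a too-small value. How addr_length and addr_str_buffer are used after these lines is not visible here, so the effect of a zero length should be confirmed against the rest of lldp_decode.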
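Review bot: In CVE-2020-27827.patch, the three added free() calls are only safe if port->p_descr, chassis->c_name and chassis->c_descr are NULL or a heap pointer owned by this decoder the first time the TLV is seen; port and chassis are allocated outside the hunk, so it is worth confirming that both are zero-initialised. A short comment at the first branch would record why the free is there, for example `/* A frame may repeat this TLV; release the earlier copy before keeping the last one. */`. Other branches of lldp_decode that store a freshly allocated buffer into a port or chassis field are not visible in this hunk and may need the same treatment.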
@@ -6,7 +6,7 @@ Summary: Production Quality, Multilayer Open Virtual Switch URL: http://www.openvswitch.org/ Version: 2.12.0 License: ASL 2.0 and ISC -Release: 14 +Release: 15 Source: https://www.openvswitch.org/releases/openvswitch-%{version}.tar.gz Buildroot: /tmp/openvswitch-rpm Patch0000: 0000-openvswitch-add-stack-protector-strong.patch @@ -15,6 +15,8 @@ Patch0002: 0002-Remove-unsupported-permission-names.patch Patch0003: 0003-Fallback-to-read-proc-net-dev-on-linux.patch Patch0004: CVE-2020-35498-pre.patch Patch0005: CVE-2020-35498.patch +Patch0006: CVE-2020-27827.patch +Patch0007: CVE-2015-8011.patch Requires: logrotate hostname python >= 3.8 python3-six selinux-policy-targeted BuildRequires: python3-six, openssl-devel checkpolicy selinux-policy-devel autoconf automake libtool python-sphinx unbound-devel @@ -238,6 +240,9 @@ exit 0 %doc README.rst NEWS rhel/README.RHEL.rst %changelog +* Tue Mar 30 2021 wangyue - 2.12.0-15 +- fix CVE-2020-27827 and CVE-2015-8011 + * Mon Mar 01 2021 wangyue - 2.12.0-14 - fix CVE-2020-35498 -- Gitee