Date: Thu, 30 Sep 2021 22:50:58 -0400
From: "Bruce Ashfield"
To: "Xu, Yanfei"
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
Message-ID: <20211001025058.GC11771@gmail.com>
References: <20210929033648.2372012-1-yanfei.xu@windriver.com>
In-Reply-To: <20210929033648.2372012-1-yanfei.xu@windriver.com>

In message: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
on 29/09/2021 Xu, Yanfei wrote:

> Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has
> a use-after-free in decode_NXAST_RAW_ENCAP (called from
> ofpact_decode and ofpacts_decode) during the decoding of
> a RAW_ENCAP action.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2021-36980
>
> Patches from:
> format-patch from ovs v2.15.1
>
> Signed-off-by: Yanfei Xu
> ---
>  ...use-after-free-while-decoding-RAW_EN.patch | 101 ++++++++++++++++++
>  .../openvswitch/openvswitch_git.bb | 1 +
>  2 files changed, 102 insertions(+)
>  create mode 100644 recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
>
> diff --git a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
> new file mode 100644
> index 00000000..c88c097d
> --- /dev/null
> +++ b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch 
> @@ -0,0 +1,101 @@ > +From 802a31a7070cea910b95d7e926c9da30a1f9e54f Mon Sep 17 00:00:00 2001 > +From: Ilya Maximets > +Date: Tue, 16 Feb 2021 23:27:30 +0100 > +Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP. > + > +While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate > +ofpbuf if there is no enough space left. However, function > +'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap' > +structure leading to write-after-free and incorrect decoding. > + > + ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address > + 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408 > + WRITE of size 2 at 0x60600000011a thread T0 > + #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20 > + #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16 > + #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21 > + #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13 > + #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12 > + #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17 > + #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13 > + #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16 > + #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21 > + #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28 > + #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9 > + #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17 > + #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5 > + #13 0x5391ae in main utilities/ovs-ofctl.c:179:9 > + #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081) > + #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed) > + > +Fix that by getting a new pointer before using. > + > +Credit to OSS-Fuzz. > + > +Fuzzer regression test will fail only with AddressSanitizer enabled. 
> + > +Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851 > +Fixes: f839892a206a ("OF support and translation of generic encap and decap") > +Acked-by: William Tu > +Signed-off-by: Ilya Maximets > + > +Upstream-Status: Backport > +CVE: CVE-2021-36980 > +Signed-off-by: Yanfei Xu > +--- > + lib/ofp-actions.c | 2 ++ > + tests/automake.mk | 3 ++- > + tests/fuzz-regression-list.at | 1 + > + tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0 > + 4 files changed, 5 insertions(+), 1 deletion(-) > + create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 > + > +diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c > +index e2e829772..0342a228b 100644 > +--- a/lib/ofp-actions.c > ++++ b/lib/ofp-actions.c > +@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae, > + { > + struct ofpact_encap *encap; > + const struct ofp_ed_prop_header *ofp_prop; > ++ const size_t encap_ofs = out->size; > + size_t props_len; > + uint16_t n_props = 0; > + int err; > +@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae, > + } > + n_props++; > + } > ++ encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap); > + encap->n_props = n_props; > + out->header = &encap->ofpact; > + ofpact_finish_ENCAP(out, &encap); > +diff --git a/tests/automake.mk b/tests/automake.mk > +index 677b99a6b..fc80e027d 100644 > +--- a/tests/automake.mk > ++++ b/tests/automake.mk > +@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \ > + tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \ > + tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \ > + tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \ > +- tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 > ++ tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \ > ++ tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 > + $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk > + $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \ > + basename=`echo 
$$name | sed 's,^.*/,,'`; \ > +diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at > +index e3173fb88..2347c690e 100644 > +--- a/tests/fuzz-regression-list.at > ++++ b/tests/fuzz-regression-list.at > +@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296]) > + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128]) > + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312]) > + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448]) > ++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832]) > +diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 > +new file mode 100644 > +index 000000000..e69de29bb > +-- > +2.27.0 > + > diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb > index 16ec4c72..56f1297c 100644 > --- a/recipes-networking/openvswitch/openvswitch_git.bb > +++ b/recipes-networking/openvswitch/openvswitch_git.bb > @@ -30,6 +30,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15 > file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \ > file://0001-openvswitch-fix-do_configure-with-DPDK-19.11-error.patch \ > file://0001-openvswitch-fix-netdev-dpdk-compile-error.patch \ > + file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \ You are carrying local patches to your ovs recipe that don't match meta-virt. As such, this didn't directly apply. I fixed it up and merged it. But you should consider carrying those patches in a bbappend, so that upstream sends like this have proper context, and I can be more sure of the testing that is done on submissions. I also took this as an opportunity to bump OVS in master, since I wanted to be sure that we have the same CVE addressed there. Bruce > " > > LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab" > -- > 2.27.0 > > > >
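Review bot: In the backported patch's header block (the `+From 802a31a7...` through `+Signed-off-by: Yanfei Xu` region), `Upstream-Status: Backport` should carry the upstream reference it is backporting, since the commit hash is already in the From line, e.g. `Upstream-Status: Backport [802a31a7070cea910b95d7e926c9da30a1f9e54f]`; the `CVE: CVE-2021-36980` tag is present, which is what the cve-check class keys on, so the fix will be reported as addressed once the recipe builds with it.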
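Review bot: In the first lib/ofp-actions.c hunk (`@@ -4431,6 +4431,7 @@`), `const size_t encap_ofs = out->size;` is captured in the declaration block before anything is appended, so it is only the encap header's offset if the header is the very next thing put into `out`; that put call lies outside the visible context, so a one-line comment stating the invariant (offset of the encap header in `out`, valid across reallocation) next to the declaration would keep a later insertion between the two from silently breaking the fix.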
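Review bot: In the second lib/ofp-actions.c hunk (`@@ -4458,6 +4459,7 @@`), the re-fetch `encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);` is placed only after the property loop, which matches the AddressSanitizer frame (the write at lib/ofp-actions.c:4461 is the `encap->n_props = n_props;` line); confirm that the loop body, which is not in the visible context, contains no other dereference of `encap` after its decode_ed_prop() call, as any such use would still go through the stale pointer and would not be covered by this change.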
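Review bot: In the `tests/fuzz-regression/ofp_print_fuzzer-6540965472632832` hunk, `index 000000000..e69de29bb` with no content lines and the diffstat entry `| 0` mean the regression input being added is the empty blob; confirm this is the input as committed upstream rather than a binary payload dropped when the patch was regenerated, because an empty input never reaches decode_NXAST_RAW_ENCAP and the new TEST_FUZZ_REGRESSION entry could then not fail even with AddressSanitizer enabled, which the commit message presents as the only way it fails.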
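Review bot: In the openvswitch_git.bb hunk (`@@ -30,6 +30,7 @@`), the context lines `file://0001-openvswitch-fix-do_configure-with-DPDK-19.11-error.patch \` and `file://0001-openvswitch-fix-netdev-dpdk-compile-error.patch \` are not in the layer's hardknott recipe, as the maintainer's reply notes, so the hunk does not apply as sent; regenerate it against the meta-virtualization hardknott branch, and keep site-local patches in a bbappend so that the SRC_URI context in future submissions matches what the layer carries.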
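The quoted commit fixes a pointer that went stale because the buffer it pointed into was reallocated while more data was appended. The following is an added C example, not Open vSwitch code, that models the same hazard and the same fix with a constructed growable buffer: `gbuf`, `gbuf_put_zeros` and `gbuf_at_assert` stand in for ofpbuf, its put functions and ofpbuf_at_assert(), and `encap_hdr`/`encap_prop` are toy wire structures, not the OVS ones. The decoder records the header's offset, appends properties (which may move the buffer), and re-derives the header pointer from the offset before writing the counts, which is the pattern of the upstream change.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Growable byte buffer in the spirit of ofpbuf; constructed for this example. */
struct gbuf {
    uint8_t *data;
    size_t size;        /* bytes in use */
    size_t allocated;   /* bytes available before the next realloc */
};

static void gbuf_init(struct gbuf *b, size_t capacity)
{
    b->data = malloc(capacity ? capacity : 1);
    assert(b->data);
    b->size = 0;
    b->allocated = capacity;
}

static void gbuf_uninit(struct gbuf *b)
{
    free(b->data);
    b->data = NULL;
    b->size = b->allocated = 0;
}

/* Appends n zeroed bytes. When the buffer must grow, realloc() may move it and
 * every pointer handed out earlier dangles: the hazard behind the RAW_ENCAP bug. */
static void *gbuf_put_zeros(struct gbuf *b, size_t n)
{
    if (b->size + n > b->allocated) {
        size_t want = b->allocated * 2;
        if (want < b->size + n) {
            want = b->size + n;
        }
        uint8_t *p = realloc(b->data, want);
        assert(p);
        b->data = p;
        b->allocated = want;
    }
    void *dst = b->data + b->size;
    memset(dst, 0, n);
    b->size += n;
    return dst;
}

/* Re-derives a pointer from an offset (the role of ofpbuf_at_assert() in the fix). */
static void *gbuf_at_assert(const struct gbuf *b, size_t ofs, size_t n)
{
    assert(ofs + n <= b->size);
    return b->data + ofs;
}

/* Toy stand-ins for the encap action header and its properties. */
struct encap_hdr  { uint16_t n_props; uint16_t len; };
struct encap_prop { uint16_t type; uint16_t value; };

struct decode_result {
    int n_props;   /* header field read back from the buffer */
    int len;       /* header field read back from the buffer */
    int moved;     /* 1 if realloc relocated the buffer during decoding */
};

static struct decode_result
decode_encap(struct gbuf *out, const struct encap_prop *props, size_t n_props)
{
    const size_t encap_ofs = out->size;                       /* stable across realloc */
    struct encap_hdr *encap = gbuf_put_zeros(out, sizeof *encap); /* valid only until the next put */
    const uintptr_t base_before = (uintptr_t) out->data;

    for (size_t i = 0; i < n_props; i++) {
        struct encap_prop *p = gbuf_put_zeros(out, sizeof *p);   /* may realloc */
        *p = props[i];
    }

    /* The vulnerable code wrote encap->n_props here through the old pointer;
     * re-fetching through the offset first is the fix. */
    encap = gbuf_at_assert(out, encap_ofs, sizeof *encap);
    encap->n_props = (uint16_t) n_props;
    encap->len = (uint16_t) (out->size - encap_ofs);

    struct decode_result r;
    r.n_props = encap->n_props;
    r.len = encap->len;
    r.moved = (uintptr_t) out->data != base_before;
    return r;
}

/* Constructed input with an initial allocation that fits only the header,
 * so the buffer has to grow repeatedly while the properties are decoded. */
static struct decode_result demo_decode_with_growth(void)
{
    enum { N = 64 };
    struct encap_prop props[N];
    for (int i = 0; i < N; i++) {
        props[i].type = (uint16_t) i;
        props[i].value = (uint16_t) (0x100 + i);
    }
    struct gbuf out;
    gbuf_init(&out, sizeof(struct encap_hdr));
    struct decode_result r = decode_encap(&out, props, N);

    /* The last property must have survived every move. */
    const struct encap_prop *last =
        gbuf_at_assert(&out, sizeof(struct encap_hdr) + (N - 1) * sizeof *last, sizeof *last);
    assert(last->type == N - 1 && last->value == 0x100 + N - 1);
    gbuf_uninit(&out);
    return r;
}
```

`demo_decode_with_growth()` returns n_props 64 and len 260 (4 header bytes plus 64 four-byte properties); whether `moved` is set depends on the allocator, which is why a stale-pointer write of this kind passes ordinary tests and surfaces only under AddressSanitizer, as the commit message notes for the upstream regression test.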