* [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
@ 2021-09-29 3:36 Xu, Yanfei
2021-10-01 2:50 ` Bruce Ashfield
0 siblings, 1 reply; 3+ messages in thread
From: Xu, Yanfei @ 2021-09-29 3:36 UTC (permalink / raw)
To: meta-virtualization
Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has
a use-after-free in decode_NXAST_RAW_ENCAP (called from
ofpact_decode and ofpacts_decode) during the decoding of
a RAW_ENCAP action.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2021-36980
Patches from:
format-patch from ovs v2.15.1
Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
---
...use-after-free-while-decoding-RAW_EN.patch | 101 ++++++++++++++++++
.../openvswitch/openvswitch_git.bb | 1 +
2 files changed, 102 insertions(+)
create mode 100644 recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
diff --git a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
new file mode 100644
index 00000000..c88c097d
--- /dev/null
+++ b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
@@ -0,0 +1,101 @@
+From 802a31a7070cea910b95d7e926c9da30a1f9e54f Mon Sep 17 00:00:00 2001
+From: Ilya Maximets <i.maximets@ovn.org>
+Date: Tue, 16 Feb 2021 23:27:30 +0100
+Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
+
+While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
+ofpbuf if there is no enough space left. However, function
+'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
+structure leading to write-after-free and incorrect decoding.
+
+ ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
+ 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
+ WRITE of size 2 at 0x60600000011a thread T0
+ #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
+ #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
+ #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
+ #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
+ #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
+ #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
+ #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
+ #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
+ #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
+ #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
+ #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
+ #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
+ #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
+ #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
+ #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
+ #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
+
+Fix that by getting a new pointer before using.
+
+Credit to OSS-Fuzz.
+
+Fuzzer regression test will fail only with AddressSanitizer enabled.
+
+Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
+Fixes: f839892a206a ("OF support and translation of generic encap and decap")
+Acked-by: William Tu <u9012063@gmail.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-36980
+Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
+---
+ lib/ofp-actions.c | 2 ++
+ tests/automake.mk | 3 ++-
+ tests/fuzz-regression-list.at | 1 +
+ tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0
+ 4 files changed, 5 insertions(+), 1 deletion(-)
+ create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+
+diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
+index e2e829772..0342a228b 100644
+--- a/lib/ofp-actions.c
++++ b/lib/ofp-actions.c
+@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+ {
+ struct ofpact_encap *encap;
+ const struct ofp_ed_prop_header *ofp_prop;
++ const size_t encap_ofs = out->size;
+ size_t props_len;
+ uint16_t n_props = 0;
+ int err;
+@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+ }
+ n_props++;
+ }
++ encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
+ encap->n_props = n_props;
+ out->header = &encap->ofpact;
+ ofpact_finish_ENCAP(out, &encap);
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 677b99a6b..fc80e027d 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
+ tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
+ tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
+ tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
+- tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
++ tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
++ tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+ $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
+ $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
+ basename=`echo $$name | sed 's,^.*/,,'`; \
+diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
+index e3173fb88..2347c690e 100644
+--- a/tests/fuzz-regression-list.at
++++ b/tests/fuzz-regression-list.at
+@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
+diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+new file mode 100644
+index 000000000..e69de29bb
+--
+2.27.0
+
diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
index 16ec4c72..56f1297c 100644
--- a/recipes-networking/openvswitch/openvswitch_git.bb
+++ b/recipes-networking/openvswitch/openvswitch_git.bb
@@ -30,6 +30,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
file://0001-openvswitch-fix-do_configure-with-DPDK-19.11-error.patch \
file://0001-openvswitch-fix-netdev-dpdk-compile-error.patch \
+ file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
"
LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
--
2.27.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
2021-09-29 3:36 [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980 Xu, Yanfei
@ 2021-10-01 2:50 ` Bruce Ashfield
2021-10-08 2:39 ` Xu, Yanfei
0 siblings, 1 reply; 3+ messages in thread
From: Bruce Ashfield @ 2021-10-01 2:50 UTC (permalink / raw)
To: Xu, Yanfei; +Cc: meta-virtualization
In message: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
on 29/09/2021 Xu, Yanfei wrote:
> Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has
> a use-after-free in decode_NXAST_RAW_ENCAP (called from
> ofpact_decode and ofpacts_decode) during the decoding of
> a RAW_ENCAP action.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2021-36980
>
> Patches from:
> format-patch from ovs v2.15.1
>
> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> ---
> ...use-after-free-while-decoding-RAW_EN.patch | 101 ++++++++++++++++++
> .../openvswitch/openvswitch_git.bb | 1 +
> 2 files changed, 102 insertions(+)
> create mode 100644 recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
>
> diff --git a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
> new file mode 100644
> index 00000000..c88c097d
> --- /dev/null
> +++ b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
> @@ -0,0 +1,101 @@
> +From 802a31a7070cea910b95d7e926c9da30a1f9e54f Mon Sep 17 00:00:00 2001
> +From: Ilya Maximets <i.maximets@ovn.org>
> +Date: Tue, 16 Feb 2021 23:27:30 +0100
> +Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
> +
> +While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
> +ofpbuf if there is no enough space left. However, function
> +'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
> +structure leading to write-after-free and incorrect decoding.
> +
> + ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
> + 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
> + WRITE of size 2 at 0x60600000011a thread T0
> + #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
> + #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
> + #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
> + #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
> + #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
> + #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
> + #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
> + #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
> + #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
> + #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
> + #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
> + #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
> + #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
> + #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
> + #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
> + #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
> +
> +Fix that by getting a new pointer before using.
> +
> +Credit to OSS-Fuzz.
> +
> +Fuzzer regression test will fail only with AddressSanitizer enabled.
> +
> +Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
> +Fixes: f839892a206a ("OF support and translation of generic encap and decap")
> +Acked-by: William Tu <u9012063@gmail.com>
> +Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
> +
> +Upstream-Status: Backport
> +CVE: CVE-2021-36980
> +Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
> +---
> + lib/ofp-actions.c | 2 ++
> + tests/automake.mk | 3 ++-
> + tests/fuzz-regression-list.at | 1 +
> + tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0
> + 4 files changed, 5 insertions(+), 1 deletion(-)
> + create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
> +
> +diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
> +index e2e829772..0342a228b 100644
> +--- a/lib/ofp-actions.c
> ++++ b/lib/ofp-actions.c
> +@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
> + {
> + struct ofpact_encap *encap;
> + const struct ofp_ed_prop_header *ofp_prop;
> ++ const size_t encap_ofs = out->size;
> + size_t props_len;
> + uint16_t n_props = 0;
> + int err;
> +@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
> + }
> + n_props++;
> + }
> ++ encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
> + encap->n_props = n_props;
> + out->header = &encap->ofpact;
> + ofpact_finish_ENCAP(out, &encap);
> +diff --git a/tests/automake.mk b/tests/automake.mk
> +index 677b99a6b..fc80e027d 100644
> +--- a/tests/automake.mk
> ++++ b/tests/automake.mk
> +@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
> + tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
> + tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
> + tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
> +- tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
> ++ tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
> ++ tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
> + $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
> + $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
> + basename=`echo $$name | sed 's,^.*/,,'`; \
> +diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
> +index e3173fb88..2347c690e 100644
> +--- a/tests/fuzz-regression-list.at
> ++++ b/tests/fuzz-regression-list.at
> +@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
> ++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
> +diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
> +new file mode 100644
> +index 000000000..e69de29bb
> +--
> +2.27.0
> +
> diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
> index 16ec4c72..56f1297c 100644
> --- a/recipes-networking/openvswitch/openvswitch_git.bb
> +++ b/recipes-networking/openvswitch/openvswitch_git.bb
> @@ -30,6 +30,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
> file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
> file://0001-openvswitch-fix-do_configure-with-DPDK-19.11-error.patch \
> file://0001-openvswitch-fix-netdev-dpdk-compile-error.patch \
> + file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
You are carrying local patches to your ovs recipe that don't match meta-virt.
As such, this didn't directly apply. I fixed it up and merged it.
But you should consider carrying those patches in a bbappend, so that
upstream sends like this have proper context, and I can be more sure
of the testing that is done on submissions.
I also took this as an opportunity to bump OVS in master, since I wanted
to be sure that we have the same CVE addressed there.
Bruce
> "
>
> LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
> --
> 2.27.0
>
>
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
2021-10-01 2:50 ` Bruce Ashfield
@ 2021-10-08 2:39 ` Xu, Yanfei
0 siblings, 0 replies; 3+ messages in thread
From: Xu, Yanfei @ 2021-10-08 2:39 UTC (permalink / raw)
To: Bruce Ashfield; +Cc: meta-virtualization
On 10/1/21 10:50 AM, Bruce Ashfield wrote:
> [Please note: This e-mail is from an EXTERNAL e-mail address]
>
> In message: [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980
> on 29/09/2021 Xu, Yanfei wrote:
>
>> Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has
>> a use-after-free in decode_NXAST_RAW_ENCAP (called from
>> ofpact_decode and ofpacts_decode) during the decoding of
>> a RAW_ENCAP action.
>>
>> Reference:
>> https://nvd.nist.gov/vuln/detail/CVE-2021-36980
>>
>> Patches from:
>> format-patch from ovs v2.15.1
>>
>> Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
>> ---
>> ...use-after-free-while-decoding-RAW_EN.patch | 101 ++++++++++++++++++
>> .../openvswitch/openvswitch_git.bb | 1 +
>> 2 files changed, 102 insertions(+)
>> create mode 100644 recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
>>
>> diff --git a/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
>> new file mode 100644
>> index 00000000..c88c097d
>> --- /dev/null
>> +++ b/recipes-networking/openvswitch/files/0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch
>> @@ -0,0 +1,101 @@
>> +From 802a31a7070cea910b95d7e926c9da30a1f9e54f Mon Sep 17 00:00:00 2001
>> +From: Ilya Maximets <i.maximets@ovn.org>
>> +Date: Tue, 16 Feb 2021 23:27:30 +0100
>> +Subject: [PATCH] ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
>> +
>> +While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
>> +ofpbuf if there is no enough space left. However, function
>> +'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
>> +structure leading to write-after-free and incorrect decoding.
>> +
>> + ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
>> + 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
>> + WRITE of size 2 at 0x60600000011a thread T0
>> + #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
>> + #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
>> + #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
>> + #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
>> + #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
>> + #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
>> + #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
>> + #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
>> + #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
>> + #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
>> + #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
>> + #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
>> + #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
>> + #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
>> + #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
>> + #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
>> +
>> +Fix that by getting a new pointer before using.
>> +
>> +Credit to OSS-Fuzz.
>> +
>> +Fuzzer regression test will fail only with AddressSanitizer enabled.
>> +
>> +Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
>> +Fixes: f839892a206a ("OF support and translation of generic encap and decap")
>> +Acked-by: William Tu <u9012063@gmail.com>
>> +Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
>> +
>> +Upstream-Status: Backport
>> +CVE: CVE-2021-36980
>> +Signed-off-by: Yanfei Xu <yanfei.xu@windriver.com>
>> +---
>> + lib/ofp-actions.c | 2 ++
>> + tests/automake.mk | 3 ++-
>> + tests/fuzz-regression-list.at | 1 +
>> + tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | 0
>> + 4 files changed, 5 insertions(+), 1 deletion(-)
>> + create mode 100644 tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
>> +
>> +diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
>> +index e2e829772..0342a228b 100644
>> +--- a/lib/ofp-actions.c
>> ++++ b/lib/ofp-actions.c
>> +@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
>> + {
>> + struct ofpact_encap *encap;
>> + const struct ofp_ed_prop_header *ofp_prop;
>> ++ const size_t encap_ofs = out->size;
>> + size_t props_len;
>> + uint16_t n_props = 0;
>> + int err;
>> +@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
>> + }
>> + n_props++;
>> + }
>> ++ encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
>> + encap->n_props = n_props;
>> + out->header = &encap->ofpact;
>> + ofpact_finish_ENCAP(out, &encap);
>> +diff --git a/tests/automake.mk b/tests/automake.mk
>> +index 677b99a6b..fc80e027d 100644
>> +--- a/tests/automake.mk
>> ++++ b/tests/automake.mk
>> +@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
>> + tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
>> + tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
>> + tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
>> +- tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
>> ++ tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
>> ++ tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
>> + $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
>> + $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
>> + basename=`echo $$name | sed 's,^.*/,,'`; \
>> +diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
>> +index e3173fb88..2347c690e 100644
>> +--- a/tests/fuzz-regression-list.at
>> ++++ b/tests/fuzz-regression-list.at
>> +@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
>> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
>> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
>> + TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
>> ++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
>> +diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
>> +new file mode 100644
>> +index 000000000..e69de29bb
>> +--
>> +2.27.0
>> +
>> diff --git a/recipes-networking/openvswitch/openvswitch_git.bb b/recipes-networking/openvswitch/openvswitch_git.bb
>> index 16ec4c72..56f1297c 100644
>> --- a/recipes-networking/openvswitch/openvswitch_git.bb
>> +++ b/recipes-networking/openvswitch/openvswitch_git.bb
>> @@ -30,6 +30,7 @@ SRC_URI += "git://github.com/openvswitch/ovs.git;protocol=git;branch=branch-2.15
>> file://0001-ovs-use-run-instead-of-var-run-for-in-systemd-units.patch \
>> file://0001-openvswitch-fix-do_configure-with-DPDK-19.11-error.patch \
>> file://0001-openvswitch-fix-netdev-dpdk-compile-error.patch \
>> + file://0001-ofp-actions-Fix-use-after-free-while-decoding-RAW_EN.patch \
>
Sorry for this late rely due to a long vocation.
> You are carrying local patches to your ovs recipe that don't match meta-virt.
>
> As such, this didn't directly apply. I fixed it up and merged it.
> > But you should consider carrying those patches in a bbappend, so that
> upstream sends like this have proper context, and I can be more sure
> of the testing that is done on submissions.
>
Thanks for remainding.
> I also took this as an opportunity to bump OVS in master, since I wanted
> to be sure that we have the same CVE addressed there.
>
I notice the ovs has been updated to 2.15.1, thanks a lot.
Cheers,
Yanfei
> Bruce
>
>> "
>>
>> LIC_FILES_CHKSUM = "file://LICENSE;md5=1ce5d23a6429dff345518758f13aaeab"
>> --
>> 2.27.0
>>
>
>>
>>
>>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-08 2:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-29 3:36 [meta-virtualization][hardknott][PATCH] openvswitch: Security fix for CVE-2021-36980 Xu, Yanfei
2021-10-01 2:50 ` Bruce Ashfield
2021-10-08 2:39 ` Xu, Yanfei
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.