[ovs-dev] [PATCH] flow: Verify that tot_len >= ip_len in miniflow_extract().
Flavio Leitner
fbl at sysclose.org
Sat Jul 23 05:29:35 UTC 2016
On Fri, Jul 22, 2016 at 04:43:50PM -0700, Ben Pfaff wrote:
> miniflow_extract() uses the following quantities when it examines an IPv4
> header:
>
> size, the number of bytes from the start of the IPv4 header onward
> ip_len, the number of bytes in the IPv4 header (from the IHL field)
> tot_len, same as size but taken from IPv4 header Total Length field
>
> Until now, the code in miniflow_extract() verified these invariants:
>
> size >= 20 (minimum IP header length)
> ip_len >= 20 (ditto)
> ip_len <= size (to avoid reading past end of packet)
> tot_len <= size (ditto)
> size - tot_len <= 255 (because this is stored in a 1-byte variable
> internally and wouldn't normally be big)
>
> It failed to verify the following, which is not implied by the conjunction
> of the above:
>
> ip_len <= tot_len (e.g. that the IP header fits in the packet)
>
> This means that the code was willing to read past the end of an IP
> packet's declared length, up to the actual end of the packet including any
> L2 padding. For example, given:
>
> size = 44
> ip_len = 44
> tot_len = 40
>
> miniflow_extract() would successfully verify all the constraints, then:
>
> * Trim off 4 bytes of tail padding (size - tot_len), reducing size to
> 40 to match tot_len.
> * Pull 44 (ip_len) bytes of IP header, even though there are only 40
> bytes left. This causes 'size' to wrap around to SIZE_MAX-4.
>
> Given an IP protocol that OVS understands (such as TCP or UDP), this
> integer wraparound could cause OVS to read past the end of the packet.
> In turn, this could cause OVS to extract invalid port numbers, TCP flags,
> or ICMPv4 or ICMPv6 or IGMP type and code from arbitrary heap data
> past the end of a packet.
>
> This bug has common hallmarks of a security vulnerability, but we do not
> know of a way to exploit this bug to cause an Open vSwitch crash, or to
> extract sensitive data from Open vSwitch address space to an attacker's
> benefit.
>
> We do not have a specific example, but it is reasonable to suspect that
> this bug could allow an attacker in some circumstances to bypass ACLs
> implemented via Open vSwitch flow tables. However, any IP packet that
> triggers this bug is invalid and should be rejected in an early stage of a
> receiver's IP stack. For the same reason, any IP packet that triggers this
> bug will also be dropped by any IP router, so an attacker would have to
> share the same L2 segment as the victim. In conjunction with an IP stack
> that has a similar bug, of course, this could cause some damage, but we do
> not know of an IP stack with such a bug; neither Linux nor the OVS
> userspace tunnel implementation appear to have such a bug.
>
> Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
> Reported-by: Kashyap Thimmaraju <Kashyap.Thimmaraju at sec.t-labs.tu-berlin.de>
> Signed-off-by: Ben Pfaff <blp at ovn.org>
> ---
Acked-by: Flavio Leitner <fbl at sysclose.org>
More information about the dev
mailing list