[ovs-git] [openvswitch/ovs] d74cf9: flow: Fix remote DoS for crafted MPLS packets with...

GitHub noreply at github.com
Tue Mar 29 00:32:22 UTC 2016


  Branch: refs/heads/branch-2.4
  Home:   https://github.com/openvswitch/ovs
  Commit: d74cf9d7ccc5a6a8445f7d5bcd27792db2f7dec4
      https://github.com/openvswitch/ovs/commit/d74cf9d7ccc5a6a8445f7d5bcd27792db2f7dec4
  Author: Ben Pfaff <blp at ovn.org>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M lib/flow.c

  Log Message:
  -----------
  flow: Fix remote DoS for crafted MPLS packets with debug logging enabled.

A crafted MPLS packet yields a zero 'count' in this excerpt from
miniflow_extract():
    count = parse_mpls(&data, &size);
    miniflow_push_words_32(mf, mpls_lse, mpls, count);

In turn, miniflow_push_words_32() updated mf.map as follows:

    MF.map |= ((UINT64_MAX >> (64 - DIV_ROUND_UP(N_WORDS, 2))) << ofs64);

which expanded to:

    mf.map |= (UINT64_MAX >> 64) << ofs64;

Unfortunately, C renders shifting a 64-bit constant by 64 bits undefined.
On common x86 platforms, 'n << 64' is equal to 'n', so this behaves as:

    mf.map |= UINT64_MAX << ofs64;

In this particular case, ofs64 is 15, so this sets the most-significant 48
bits of mf.map (a 63-bit bit-field) to 1.  Only the least-significant 28
bits of mf.map should ever be set to 1, so this sets 35 bits to 1 that
should never be.  Because of the structure of the data structure that
mf.map is embedded within, this makes it possible later to overwrite 8*35
== 280 bytes of data in the stack.  However, there is no obvious way to
control the data used in the overwrite--it is memcpy'd from one place to
another but the source data does not come from the network.  In the bug
reporter's testing, this overwrite caused a userspace crash if debug
logging was enabled, but not otherwise.

This commit fixes the problem by avoiding the out-of-range shift.

Vulnerability: CVE-2016-2074
Reported-by: Kashyap Thimmaraju <kashyap.thimmaraju at sec.t-labs.tu-berlin.de>
Reported-by: Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp at ovn.org>
Acked-by: Jesse Gross <jesse at kernel.org>
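An added illustration of the arithmetic in the commit message above, not code from the OVS tree: the map-bit computation with the zero-word case guarded so no shift count of 64 is ever produced, next to a well-defined emulation of the x86 modulo-64 behaviour the message describes, so the 48 stray bits (35 of them above the 28 legitimate ones) can be counted. DIV_ROUND_UP, MAP_BITS and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed helper with the usual meaning; not the OVS definition. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Assumption from the text: mf.map is a 63-bit bit-field and only its
 * least-significant 28 bits may legitimately be set. */
#define MAP_BITS   63u
#define MAP_MASK   (UINT64_MAX >> (64 - MAP_BITS))
#define LEGIT_BITS 28u
#define LEGIT_MASK ((UINT64_C(1) << LEGIT_BITS) - 1)

/* True iff a shift of a 64-bit value by 'count' is defined in C. */
static bool shift64_is_defined(unsigned count)
{
    return count < 64;
}

/* Guarded version of the map update: bits occupied by 'n_words' 32-bit
 * words starting at 64-bit slot 'ofs64'.  Zero words occupy zero bits,
 * so the (64 - 0) shift count is never formed. */
static uint64_t map_bits_for_words(unsigned n_words, unsigned ofs64)
{
    unsigned n_u64 = DIV_ROUND_UP(n_words, 2);

    if (n_u64 == 0) {
        return 0;                       /* the case a crafted MPLS packet hits */
    }
    if (n_u64 >= 64) {
        return UINT64_MAX << ofs64;     /* every slot from ofs64 upward */
    }
    return (UINT64_MAX >> (64 - n_u64)) << ofs64;
}

/* Well-defined emulation of what the message says x86 does with the
 * undefined shift: the count is taken modulo 64, so 'n >> 64' == 'n'. */
static uint64_t map_bits_x86_emulated(unsigned n_words, unsigned ofs64)
{
    unsigned shift = (64 - DIV_ROUND_UP(n_words, 2)) & 63;   /* 64 -> 0 */
    return ((UINT64_MAX >> shift) << ofs64) & MAP_MASK;
}

/* Bits set above the 28 that may legitimately be set. */
static uint64_t stray_map_bits(uint64_t map)
{
    return map & MAP_MASK & ~LEGIT_MASK;
}

static unsigned popcount64(uint64_t x)
{
    unsigned n = 0;
    for (; x; x &= x - 1) {
        n++;
    }
    return n;
}
```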


  Commit: f8184f0b6ab34f77cdd4d7c6d60d059fe952df68
      https://github.com/openvswitch/ovs/commit/f8184f0b6ab34f77cdd4d7c6d60d059fe952df68
  Author: Justin Pettit <jpettit at ovn.org>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M NEWS
    M debian/changelog

  Log Message:
  -----------
  Set release date for 2.4.1.

Signed-off-by: Justin Pettit <jpettit at ovn.org>
Acked-by: Ben Pfaff <blp at ovn.org>


  Commit: 4a82bcb30effef714af52d1bb7248c18e5c72c35
      https://github.com/openvswitch/ovs/commit/4a82bcb30effef714af52d1bb7248c18e5c72c35
  Author: Justin Pettit <jpettit at ovn.org>
  Date:   2016-03-22 (Tue, 22 Mar 2016)

  Changed paths:
    M NEWS
    M configure.ac
    M debian/changelog

  Log Message:
  -----------
  Prepare for 2.4.2.

Signed-off-by: Justin Pettit <jpettit at ovn.org>
Acked-by: Ben Pfaff <blp at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/4e23657c3f10...4a82bcb30eff

