[ovs-git] [openvswitch/ovs] 8ea7e5: odp-util: Fix overflow of nested netlink attributes.

Dumitru Ceara noreply at github.com
Mon Nov 16 18:05:48 UTC 2020


  Branch: refs/heads/branch-2.13
  Home:   https://github.com/openvswitch/ovs
  Commit: 8ea7e55eb65b7bd11cd3937f8b115b81c12a466b
      https://github.com/openvswitch/ovs/commit/8ea7e55eb65b7bd11cd3937f8b115b81c12a466b
  Author: Ilya Maximets <i.maximets at ovn.org>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/netlink.c
    M lib/odp-util.c
    M tests/tunnel.at

  Log Message:
  -----------
  odp-util: Fix overflow of nested netlink attributes.

Length of nested attributes must be checked before storing to the
header.  If current length exceeds the maximum value parsing should
fail, otherwise the length value will be truncated leading to
corrupted netlink message and out-of-bound memory accesses:

  ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310002cc838
         at pc 0x000000575470 bp 0x7ffc6c322d60 sp 0x7ffc6c322d58
  READ of size 1 at 0x6310002cc838 thread T0
  SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x57546f in format_generic_odp_key lib/odp-util.c:2738:39
    #1 0x559e70 in check_attr_len lib/odp-util.c:3572:13
    #2 0x56581a in format_odp_key_attr lib/odp-util.c:4392:9
    #3 0x5563b9 in format_odp_action lib/odp-util.c:1192:9
    #4 0x555d75 in format_odp_actions lib/odp-util.c:1279:13
    ...

Fix that by checking the length of nested netlink attributes before
updating 'nla_len' inside the header.  Additionally introduced
assertion inside nl_msg_end_nested() to catch this kind of issue
before actual overflow happened.

Credit to OSS-Fuzz.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20003
Fixes: 65da723b40a5 ("odp-util: Format tunnel attributes directly from netlink.")
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
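
The truncation described in the log message above, as an added example that is not taken from the commit or from the OVS tree: a nested attribute's total length is narrowed into the 16-bit length field of its header. The names attr_hdr, msg, build_nested, end_nested_unchecked and end_nested_checked are hypothetical, and the payload is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct nlattr: 16-bit length (header included), then type. */
struct attr_hdr { uint16_t len; uint16_t type; };

/* Hypothetical message buffer; its capacity is assumed large enough here. */
static struct { uint8_t data[1 << 17]; size_t size; } msg;

/* Constructed input: one nested attribute holding 'payload' zero bytes. */
static size_t build_nested(uint16_t type, size_t payload)
{
    struct attr_hdr h = { 0, type };          /* length is patched in later */
    memcpy(msg.data, &h, sizeof h);
    memset(msg.data + sizeof h, 0, payload);
    msg.size = sizeof h + payload;
    return 0;                                 /* offset of the header */
}

/* Before: the size_t length is silently narrowed to 16 bits. */
static uint16_t end_nested_unchecked(size_t offset)
{
    uint16_t len = (uint16_t) (msg.size - offset);
    memcpy(msg.data + offset, &len, sizeof len);
    return len;
}

/* After: report failure instead of storing a length that does not fit. */
static bool end_nested_checked(size_t offset)
{
    if (msg.size - offset > UINT16_MAX) {
        return false;                         /* caller must fail parsing */
    }
    end_nested_unchecked(offset);
    return true;
}

uint16_t unchecked_len(size_t n) { return end_nested_unchecked(build_nested(1, n)); }
bool checked_ok(size_t n) { return end_nested_checked(build_nested(1, n)); }

int main(void)
{
    printf("70000-byte payload: stored len %u, checked ok=%d\n",
           (unsigned) unchecked_len(70000), checked_ok(70000));
    return 0;
}
```

A reader that trusts the truncated length resumes parsing in the middle of the payload, which is how the corrupted message leads to the out-of-bounds read in the trace.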


  Commit: 3a3c52b8a2c9ce1496d315091edd641f60e4b4ba
      https://github.com/openvswitch/ovs/commit/3a3c52b8a2c9ce1496d315091edd641f60e4b4ba
  Author: Renat Nurgaliyev <impleman at gmail.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M NEWS
    M lib/sha1.c
    M lib/sha1.h

  Log Message:
  -----------
  sha1: Fix algorithm for data bigger than 512 megabytes.

In modern systems, size_t is 64 bits. There is a 32 bit overflow check
in sha1_update(), which will not work correctly, because the compiler
will do an automatic cast to 64 bits, since a size_t type variable is in
the expression. We do want however to lose data, since this is the whole
idea of this overflow check.

Because of this, computation of SHA-1 checksum will always be incorrect
for any data that is bigger than 512 megabytes, which in bits is the
boundary of a 32-bit integer.

In practice it means that any OVSDB transaction, bigger or equal to 512
megabytes, is considered corrupt and ovsdb-server will refuse to work
with the database file. This is especially critical for OVN southbound
database, since it tends to grow rapidly.

Fixes: 5eccf359391f ("Replace SHA-1 library with one that is clearly licensed.")
Signed-off-by: Renat Nurgaliyev <impleman at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
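
The promotion problem described in the log message above, as an added example that is not the code from lib/sha1.c or from the commit: a 64-bit bit count kept in two 32-bit words, updated once with the comparison done in 64 bits and once with it done in 32 bits. The names bit_count, add_broken, add_fixed and bits_after are hypothetical, and uint64_t stands in for a 64-bit size_t.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Message length in bits, kept as two 32-bit words as SHA-1 requires. */
struct bit_count { uint32_t lo, hi; };

/* Before: 'count' is 64 bits wide, so the sum is computed in 64 bits and
 * never compares below 'lo'; the carry into 'hi' is lost. */
static void add_broken(struct bit_count *c, uint64_t count)
{
    if ((c->lo + (count << 3)) < c->lo) {
        c->hi++;
    }
    c->lo += count << 3;
    c->hi += count >> 29;
}

/* After: do the addition in 32 bits so that the wrap-around is observable. */
static void add_fixed(struct bit_count *c, uint64_t count)
{
    uint32_t lo = c->lo + (uint32_t) (count << 3);

    if (lo < c->lo) {
        c->hi++;
    }
    c->lo = lo;
    c->hi += (uint32_t) (count >> 29);
}

/* Bit count recorded after two updates of 'a' and then 'b' bytes. */
uint64_t bits_after(bool fixed, uint64_t a, uint64_t b)
{
    struct bit_count c = { 0, 0 };
    void (*add)(struct bit_count *, uint64_t) = fixed ? add_fixed : add_broken;

    add(&c, a);
    add(&c, b);
    return ((uint64_t) c.hi << 32) | c.lo;
}

int main(void)
{
    uint64_t chunk = 300u << 20;   /* constructed input: two 300 MB updates */

    printf("actual %llu bits, broken %llu, fixed %llu\n",
           (unsigned long long) (2 * chunk * 8),
           (unsigned long long) bits_after(false, chunk, chunk),
           (unsigned long long) bits_after(true, chunk, chunk));
    return 0;
}
```

The recorded bit count is hashed as part of the final SHA-1 padding, so a lost carry changes the digest once the total input crosses 512 megabytes.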


  Commit: 364d371c58925ad694eeac9e42fc9cd887b44a2f
      https://github.com/openvswitch/ovs/commit/364d371c58925ad694eeac9e42fc9cd887b44a2f
  Author: Vincent Bernat <vincent at bernat.ch>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldp.c

  Log Message:
  -----------
  lldp: validate a bit more received LLDP frames

Upstream commit:
    commit 3aeae72b97716fddac290634fad02b952d981f17
    Author: Vincent Bernat <vincent at bernat.ch>
    Date:   Tue, 1 Oct 2019 21:42:42 +0200

    lldp: validate a bit more received LLDP frames

    Notably, we ensure the order and unicity of Chassis ID, Port ID and
    TTL TLV. For Chassis ID and Port ID, we also ensure the maximum size
    does not exceed 256.

    Fix https://github.com/vincentbernat/lldpd/issues/351

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Signed-off-by: Aaron Conole <aconole at redhat.com>
Co-authored-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
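
One way to express the checks named in the log message above (order and uniqueness of Chassis ID, Port ID and TTL, and the 256-byte limit), as an added example that is not the code from lib/lldp/lldp.c or from lldpd. The function lldp_check_tlvs, its return codes and the sample frame are hypothetical; it assumes the three mandatory TLVs must be the first three TLVs of the LLDPDU.

```c
#include <stddef.h>
#include <stdint.h>

enum { TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL };   /* types 0..3 */

/* Check the TLVs of an LLDPDU (the bytes after the Ethernet header).
 * Returns 0 if acceptable, otherwise a negative code for the failed check. */
int lldp_check_tlvs(const uint8_t *p, size_t len)
{
    unsigned int index = 0;                     /* position of this TLV */
    while (len >= 2) {
        unsigned int type = p[0] >> 1;          /* 7-bit type */
        size_t tlv_len = ((size_t) (p[0] & 1) << 8) | p[1];   /* 9-bit length */
        p += 2;
        len -= 2;
        if (tlv_len > len) {
            return -1;                          /* TLV runs past the frame */
        }
        if (index < 3 && type != index + 1) {
            return -2;                          /* mandatory TLV missing or misplaced */
        }
        if (index >= 3 && type >= TLV_CHASSIS_ID && type <= TLV_TTL) {
            return -3;                          /* mandatory TLV repeated */
        }
        if ((type == TLV_CHASSIS_ID || type == TLV_PORT_ID) && tlv_len > 256) {
            return -4;                          /* identifier too large */
        }
        if (type == TLV_END) {
            return 0;
        }
        p += tlv_len;
        len -= tlv_len;
        index++;
    }
    return index >= 3 ? 0 : -2;
}

/* Constructed sample: Chassis ID, Port ID, TTL, End. */
static const uint8_t good[] = {
    0x02, 0x07, 0x04, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* Chassis ID, MAC */
    0x04, 0x02, 0x07, 0x31,                                 /* Port ID "1" */
    0x06, 0x02, 0x00, 0x78,                                 /* TTL 120 s */
    0x00, 0x00,                                             /* End */
};

int main(void)
{
    return lldp_check_tlvs(good, sizeof good) ? 1 : 0;   /* exit 0: accepted */
}
```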


  Commit: 46b5101de08cbeeb6f3d1b62b230ce65525900ce
      https://github.com/openvswitch/ovs/commit/46b5101de08cbeeb6f3d1b62b230ce65525900ce
  Author: Jonas Johansson <jonasj76 at gmail.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldp.c

  Log Message:
  -----------
  lldp: Fix size of PEEK_DISCARD_UINT32()

Upstream commit:
    commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
    Author: Jonas Johansson <jonasj76 at gmail.com>
    Date:   Thu, 21 Apr 2016 11:50:06 +0200

    Fix size of PEEK_DISCARD_UINT32()

    Signed-off-by: Jonas Johansson <jonasj76 at gmail.com>

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Reported-by: Jonas Rudloff <jonas.t.rudloff at gmail.com>
Reported-at: https://github.com/openvswitch/ovs/pull/336
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 12ffc6118e4fc35289692f3ac93be28eb27b49d5
      https://github.com/openvswitch/ovs/commit/12ffc6118e4fc35289692f3ac93be28eb27b49d5
  Author: Vincent Bernat <vincent at bernat.im>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldp.c

  Log Message:
  -----------
  lldp: fix a buffer overflow when handling management address TLV

Upstream commit:
    commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
    Author: Vincent Bernat <vincent at bernat.im>
    Date: Sun, 4 Oct 2015 01:50:38 +0200

    lldp: fix a buffer overflow when handling management address TLV

    When a remote device was advertising a too large management address
    while still respecting TLV boundaries, lldpd would crash due to a buffer
    overflow. However, the buffer being a static one, this buffer overflow
    is not exploitable if hardening was not disabled. This bug exists since
    version 0.5.6.

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Reported-by: Jonas Rudloff <jonas.t.rudloff at gmail.com>
Reported-at: https://github.com/openvswitch/ovs/pull/335
Co-authored-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: f051229561a26ac79323ec84437992e6f54f8398
      https://github.com/openvswitch/ovs/commit/f051229561a26ac79323ec84437992e6f54f8398
  Author: Vincent Bernat <vincent at bernat.ch>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldp.c

  Log Message:
  -----------
  lldp: increase statsTLVsUnrecognizedTotal on unknown TLV

Upstream commit:
    commit 109bcd423cd560545ec7940d73a50c5584aebb0c
    Author: Vincent Bernat <vincent at bernat.ch>
    Date: Sat, 6 Apr 2019 21:17:25 +0200

    This was done for organization TLVs, but not for other TLVs.

    Fix https://github.com/vincentbernat/lldpd/issues/323

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 032fd056fe56a8edbc2249f09799f0e843d4cfc3
      https://github.com/openvswitch/ovs/commit/032fd056fe56a8edbc2249f09799f0e843d4cfc3
  Author: Vincent Bernat <vincent at bernat.im>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldpd.c

  Log Message:
  -----------
  lldp: correctly increase discarded count

Upstream commit:
    commit 32f0deeebc9172c3f5f4a4d02aab32e6904947f6
    Date: Sat, 18 Feb 2017 20:11:47 +0100

    lldpd: correctly increase discarded count

    When a frame cannot be decoded but has been guessed, increase the
    discarded count.

    Fix https://github.com/vincentbernat/lldpd/issues/223

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Co-authored-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: cdf2cf98e31ea4c99f62bf7a2c57a22050a71bbd
      https://github.com/openvswitch/ovs/commit/cdf2cf98e31ea4c99f62bf7a2c57a22050a71bbd
  Author: Terry Wilson <twilson at redhat.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M python/ovs/stream.py

  Log Message:
  -----------
  python: Don't raise an Exception on failure to connect via SSL.

With other socket types, trying to connect and failing will return
an error code, but if an SSL Stream is used, then when
check_connection_completion(sock) is called, SSL will raise an
exception that doesn't derive from socket.error which is handled.

This adds handling for SSL.SysCallError which has the same
arguments as socket.error (errno, string). A future enhancement
could be to go through SSLStream class and implement error
checking for all of the possible exceptions similar to how
lib/stream-ssl.c's interpret_ssl_error() works across the various
methods that are implemented.

Fixes: d90ed7d65ba8 ("python: Add SSL support to the python ovs client library")
Signed-off-by: Terry Wilson <twilson at redhat.com>
Acked-by: Thomas Neuman <thomas.neuman at nutanix.com>
Acked-by: Mark Michelson <mmichels at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: fa597818261189c82a0179ff2d9424b581c6ead8
      https://github.com/openvswitch/ovs/commit/fa597818261189c82a0179ff2d9424b581c6ead8
  Author: Timothy Redaelli <tredaelli at redhat.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/nx-match.c

  Log Message:
  -----------
  ofp-actions: Fix userspace support for mpls_ttl.

Currently mpls_ttl is ignored when a flow is added because MFF_MPLS_TTL is
not handled in nx_put_raw().

This commit adds the correct handling of MFF_MPLS_TTL in nx_put_raw().

Fixes: bef3f465bcd5 ("openflow: Support matching and modifying MPLS TTL field.")
Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 6c5cd45051d41bfa92e2ccbb992eb311981258dc
      https://github.com/openvswitch/ovs/commit/6c5cd45051d41bfa92e2ccbb992eb311981258dc
  Author: Timothy Redaelli <tredaelli at redhat.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M tests/ovs-ofctl.at

  Log Message:
  -----------
  tests: Add parse-flow tests for MPLS fields.

Currently "ovs-ofctl parse-flows (NXM)" test doesn't test MPLS fields at all.

This commit adds a test for the 4 MPLS fields (mpls_label, mpls_tc,
mpls_bos and mpls_ttl) to "ovs-ofctl parse-flows (NXM)" test.

Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: cb874fa2f28c426f90441a6ef6e6dc56310f5ce7
      https://github.com/openvswitch/ovs/commit/cb874fa2f28c426f90441a6ef6e6dc56310f5ce7
  Author: Greg Rose <gvrose8192 at gmail.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M acinclude.m4
    M datapath/linux/compat/include/linux/percpu.h
    M datapath/linux/compat/include/linux/skbuff.h

  Log Message:
  -----------
  compat: Remove stale code.

Remove stale and unused code left over after support for kernels
older than 3.10 was removed.

Fixes: 8063e0958780 ("datapath: Drop support for kernel older than 3.10")
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
Acked-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: b876447179615a9cc9e8454268c3c24717ab989c
      https://github.com/openvswitch/ovs/commit/b876447179615a9cc9e8454268c3c24717ab989c
  Author: Greg Rose <gvrose8192 at gmail.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M datapath/linux/compat/nf_conntrack_reasm.c

  Log Message:
  -----------
  compat: Fix compile warning.

In ../compat/nf_conntrack_reasm.c nf_frags_cache_name is declared
if OVS_NF_DEFRAG6_BACKPORT is defined.  However, later in the patch
it is only used if HAVE_INET_FRAGS_WITH_FRAGS_WORK is defined and
HAVE_INET_FRAGS_RND is not defined.  This will cause a compile warning
about unused variables.

Fix it up by using the same defines that enable its use to decide
if it should be declared and avoid the compiler warning.

Fixes: 4a90b277baca ("compat: Fixup ipv6 fragmentation on 4.9.135+ kernels")
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
Acked-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 1b73731eef3cf985fc46903231a0901e5c12c9c2
      https://github.com/openvswitch/ovs/commit/1b73731eef3cf985fc46903231a0901e5c12c9c2
  Author: Ilya Maximets <i.maximets at ovn.org>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M tests/ovsdb-idl.at

  Log Message:
  -----------
  ovsdb-idl.at: Return stream open_block python tests.

Invocations of CHECK_STREAM_OPEN_BLOCK_PY were accidentally removed
during python2 to python3 conversion.  So, these tests were not
checked since that time.

This change returns tests back.  CHECK_STREAM_OPEN_BLOCK_PY needed
updates, so instead I refactored function for C tests to be able to
perform python tests too.  Also, added test for python with IPv6.

Fixes: 1ca0323e7c29 ("Require Python 3 and remove support for Python 2.")
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Acked-by: Gaetan Rivet <grive at u256.net>


  Commit: 03c12fe0765d35c820311d61307971db51cff86e
      https://github.com/openvswitch/ovs/commit/03c12fe0765d35c820311d61307971db51cff86e
  Author: Mark Gray <mark.d.gray at redhat.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/ovsdb-idl.c
    M ovsdb/ovsdb-idlc.in
    M tests/ovsdb-idl.at
    M tests/test-ovsdb.c

  Log Message:
  -----------
  ovsdb-idl: Fix *_is_new() IDL functions.

Currently all functions of the type *_is_new() always return
'false'. This patch resolves this issue by using the
'OVSDB_IDL_CHANGE_INSERT' 'change_seqno' instead of the
'OVSDB_IDL_CHANGE_MODIFY' 'change_seqno' to determine if a row
is new and by resetting the 'OVSDB_IDL_CHANGE_INSERT'
'change_seqno' on clear.

Further to this, the code is also updated to match the following
behaviour:

When a row is inserted, the 'OVSDB_IDL_CHANGE_INSERT'
'change_seqno' is updated to match the new database
change_seqno. The 'OVSDB_IDL_CHANGE_MODIFY' 'change_seqno'
is not set for inserted rows (only for updated rows).

At the end of a run, ovsdb_idl_db_track_clear() should be
called to clear all tracking information, this includes
resetting all row 'change_seqno' to zero. This will ensure
that subsequent runs will not see a previously 'new' row.

add_tracked_change_for_references() is updated to only
track rows that reference the current row.

Also, update unit tests in order to test the *_is_new(),
*_is_delete() functions.

Suggested-by: Dumitru Ceara <dceara at redhat.com>
Reported-at: https://bugzilla.redhat.com/1883562
Fixes: ca545a787ac0 ("ovsdb-idl.c: Increase seqno for change-tracking of table references.")
Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
Acked-by: Han Zhou <hzhou at ovn.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: abe7fe44862153e93cff8992ae27915931634a80
      https://github.com/openvswitch/ovs/commit/abe7fe44862153e93cff8992ae27915931634a80
  Author: Dumitru Ceara <dceara at redhat.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/ovsdb-idl.c
    M tests/test-ovsdb.c

  Log Message:
  -----------
  ovsdb-idl: Return correct seqno from ovsdb_idl_db_set_condition().

If an IDL client sets the same monitor condition twice, the expected
seqno when the IDL contents are updated should be the same for both
calls.

In the following scenario:
1. Client calls ovsdb_idl_db_set_condition(db, table, cond1)
2. ovsdb_idl sends monitor_cond_change(cond1) but the server doesn't yet
   reply.
3. Client calls ovsdb_idl_db_set_condition(db, table, cond1)

At step 3 the returned expected seqno should be the same as at step 1.
Similarly, if step 2 is skipped, i.e., the client sets
the condition twice in the same iteration, then both
ovsdb_idl_db_set_condition() calls should return the same value.

Fixes: 46437c5232bd ("ovsdb-idl: Enhance conditional monitoring API")
Signed-off-by: Dumitru Ceara <dceara at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/d43d10e10c83...abe7fe448621

