[ovs-git] [openvswitch/ovs] a7d4d5: odp-util: Fix overflow of nested netlink attributes.
gvrose8192
noreply at github.com
Mon Nov 16 18:06:28 UTC 2020
Branch: refs/heads/branch-2.7
Home: https://github.com/openvswitch/ovs
Commit: a7d4d5f0bde68400a99c0927d941af3dbfe634dc
https://github.com/openvswitch/ovs/commit/a7d4d5f0bde68400a99c0927d941af3dbfe634dc
Author: Ilya Maximets <i.maximets at ovn.org>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M lib/netlink.c
M lib/odp-util.c
M tests/tunnel.at
Log Message:
-----------
odp-util: Fix overflow of nested netlink attributes.
Length of nested attributes must be checked before storing to the
header. If current length exceeds the maximum value parsing should
fail, otherwise the length value will be truncated leading to
corrupted netlink message and out-of-bound memory accesses:
  ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310002cc838
  at pc 0x000000575470 bp 0x7ffc6c322d60 sp 0x7ffc6c322d58
  READ of size 1 at 0x6310002cc838 thread T0
  SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x57546f in format_generic_odp_key lib/odp-util.c:2738:39
    #1 0x559e70 in check_attr_len lib/odp-util.c:3572:13
    #2 0x56581a in format_odp_key_attr lib/odp-util.c:4392:9
    #3 0x5563b9 in format_odp_action lib/odp-util.c:1192:9
    #4 0x555d75 in format_odp_actions lib/odp-util.c:1279:13
    ...
Fix that by checking the length of nested netlink attributes before
updating 'nla_len' inside the header. Additionally introduced
assertion inside nl_msg_end_nested() to catch this kind of issues
before actual overflow happened.
Credit to OSS-Fuzz.
Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20003
Fixes: 65da723b40a5 ("odp-util: Format tunnel attributes directly from netlink.")
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: 5554785967619f8ff0a56519a9e95a39f888ea8b
https://github.com/openvswitch/ovs/commit/5554785967619f8ff0a56519a9e95a39f888ea8b
Author: Renat Nurgaliyev <impleman at gmail.com>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M NEWS
M lib/sha1.c
M lib/sha1.h
Log Message:
-----------
sha1: Fix algorithm for data bigger than 512 megabytes.
In modern systems, size_t is 64 bits. There is a 32 bit overflow check
in sha1_update(), which will not work correctly, because compiler will
do an automatic cast to 64 bits, since size_t type variable is in the
expression. We do want however to lose data, since this is the whole
idea of this overflow check.
Because of this, computation of SHA-1 checksum will always be incorrect
for any data, that is bigger than 512 megabytes, which in bits is the
boundary of 32 bits integer.
In practice it means that any OVSDB transaction, bigger or equal to 512
megabytes, is considered corrupt and ovsdb-server will refuse to work
with the database file. This is especially critical for OVN southbound
database, since it tends to grow rapidly.
Fixes: 5eccf359391f ("Replace SHA-1 library with one that is clearly licensed.")
Signed-off-by: Renat Nurgaliyev <impleman at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: 3f76c7e89a1edb07d8449b35c20ed6ea24b87492
https://github.com/openvswitch/ovs/commit/3f76c7e89a1edb07d8449b35c20ed6ea24b87492
Author: Vincent Bernat <vincent at bernat.ch>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M lib/lldp/lldp.c
Log Message:
-----------
lldp: validate a bit more received LLDP frames
Upstream commit:
commit 3aeae72b97716fddac290634fad02b952d981f17
Author: Vincent Bernat <vincent at bernat.ch>
Date: Tue, 1 Oct 2019 21:42:42 +0200
lldp: validate a bit more received LLDP frames
Notably, we ensure the order and unicity of Chassis ID, Port ID and
TTL TLV. For Chassis ID and Port ID, we also ensure the maximum size
does not exceed 256.
Fix https://github.com/vincentbernat/lldpd/issues/351
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Signed-off-by: Aaron Conole <aconole at redhat.com>
Co-authored-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: 789a82330d2920fff78d62707cf0648163d3499b
https://github.com/openvswitch/ovs/commit/789a82330d2920fff78d62707cf0648163d3499b
Author: Jonas Johansson <jonasj76 at gmail.com>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M lib/lldp/lldp.c
Log Message:
-----------
lldp: Fix size of PEEK_DISCARD_UINT32()
Upstream commit:
commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
Author: Jonas Johansson <jonasj76 at gmail.com>
Date: Thu, 21 Apr 2016 11:50:06 +0200
Fix size of PEEK_DISCARD_UINT32()
Signed-off-by: Jonas Johansson <jonasj76 at gmail.com>
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Reported-by: Jonas Rudloff <jonas.t.rudloff at gmail.com>
Reported-at: https://github.com/openvswitch/ovs/pull/336
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: 4bd18070e1875d8d2623304cf7d864a8bca435e5
https://github.com/openvswitch/ovs/commit/4bd18070e1875d8d2623304cf7d864a8bca435e5
Author: Vincent Bernat <vincent at bernat.im>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M lib/lldp/lldp.c
Log Message:
-----------
lldp: fix a buffer overflow when handling management address TLV
Upstream commit:
commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
Author: Vincent Bernat <vincent at bernat.im>
Date: Sun, 4 Oct 2015 01:50:38 +0200
lldp: fix a buffer overflow when handling management address TLV
When a remote device was advertising a too large management address
while still respecting TLV boundaries, lldpd would crash due to a buffer
overflow. However, the buffer being a static one, this buffer overflow
is not exploitable if hardening was not disabled. This bug exists since
version 0.5.6.
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Reported-by: Jonas Rudloff <jonas.t.rudloff at gmail.com>
Reported-at: https://github.com/openvswitch/ovs/pull/335
Co-authored-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: 630c62c53da13d650efbcbac4ca29f950dbf0fe3
https://github.com/openvswitch/ovs/commit/630c62c53da13d650efbcbac4ca29f950dbf0fe3
Author: Vincent Bernat <vincent at bernat.ch>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M lib/lldp/lldp.c
Log Message:
-----------
lldp: increase statsTLVsUnrecognizedTotal on unknown TLV
Upstream commit:
commit 109bcd423cd560545ec7940d73a50c5584aebb0c
Author: Vincent Bernat <vincent at bernat.ch>
Date: Sat, 6 Apr 2019 21:17:25 +0200
This was done for organization TLVs, but not for other TLVs.
Fix https://github.com/vincentbernat/lldpd/issues/323
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: 5a93a8c13486cc3b6efccf5ed05665c76d97e2a7
https://github.com/openvswitch/ovs/commit/5a93a8c13486cc3b6efccf5ed05665c76d97e2a7
Author: Vincent Bernat <vincent at bernat.im>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M lib/lldp/lldpd.c
Log Message:
-----------
lldp: correctly increase discarded count
Upstream commit:
commit 32f0deeebc9172c3f5f4a4d02aab32e6904947f6
Date: Sat, 18 Feb 2017 20:11:47 +0100
lldpd: correctly increase discarded count
When a frame cannot be decoded but has been guessed, increase the
discarded count.
Fix https://github.com/vincentbernat/lldpd/issues/223
Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Co-authored-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: f93250cb9c9b671d20bcb29683f46f5de55112be
https://github.com/openvswitch/ovs/commit/f93250cb9c9b671d20bcb29683f46f5de55112be
Author: Timothy Redaelli <tredaelli at redhat.com>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M lib/nx-match.c
Log Message:
-----------
ofp-actions: Fix userspace support for mpls_ttl.
Currently mpls_ttl is ignored when a flow is added because MFF_MPLS_TTL is
not handled in nx_put_raw().
This commit adds the correct handling of MFF_MPLS_TTL in nx_put_raw().
Fixes: bef3f465bcd5 ("openflow: Support matching and modifying MPLS TTL field.")
Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: 78083a3f2dd65b1592fb78e351b06a38c4a52563
https://github.com/openvswitch/ovs/commit/78083a3f2dd65b1592fb78e351b06a38c4a52563
Author: Timothy Redaelli <tredaelli at redhat.com>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M tests/ovs-ofctl.at
Log Message:
-----------
tests: Add parse-flow tests for MPLS fields.
Currently "ovs-ofctl parse-flows (NXM)" test doesn't test MPLS fields at all.
This commit adds a test for the 4 MPLS fields (mpls_label, mpls_tc,
mpls_bos and mpls_ttl) to "ovs-ofctl parse-flows (NXM)" test.
Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: 8248b8aaaa782e45acb56307f463e70f89d64a6c
https://github.com/openvswitch/ovs/commit/8248b8aaaa782e45acb56307f463e70f89d64a6c
Author: Greg Rose <gvrose8192 at gmail.com>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M acinclude.m4
M datapath/linux/compat/include/linux/percpu.h
M datapath/linux/compat/include/linux/skbuff.h
Log Message:
-----------
compat: Remove stale code.
Remove stale and unused code left over after support for kernels
older than 3.10 was removed.
Fixes: 8063e0958780 ("datapath: Drop support for kernel older than 3.10")
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
Acked-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Commit: 1d484939e84a96ed0fe32b25a272c93cf060c6fc
https://github.com/openvswitch/ovs/commit/1d484939e84a96ed0fe32b25a272c93cf060c6fc
Author: Greg Rose <gvrose8192 at gmail.com>
Date: 2020-11-16 (Mon, 16 Nov 2020)
Changed paths:
M datapath/linux/compat/nf_conntrack_reasm.c
Log Message:
-----------
compat: Fix compile warning.
In ../compat/nf_conntrack_reasm.c nf_frags_cache_name is declared
if OVS_NF_DEFRAG6_BACKPORT is defined. However, later in the patch
it is only used if HAVE_INET_FRAGS_WITH_FRAGS_WORK is defined and
HAVE_INET_FRAGS_RND is not defined. This will cause a compile warning
about unused variables.
Fix it up by using the same defines that enable its use to decide
if it should be declared and avoid the compiler warning.
Fixes: 4a90b277baca ("compat: Fixup ipv6 fragmentation on 4.9.135+ kernels")
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
Acked-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
Compare: https://github.com/openvswitch/ovs/compare/49a57da69ade...1d484939e84a
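Added example, not code from the OVS tree: a minimal C model of the nested-attribute length truncation described in the odp-util commit (a7d4d5), showing an unchecked close next to one that validates the length before writing the 16-bit 'nla_len'. The buffer and the names build_nested, nested_end_unchecked and nested_end_checked are hypothetical; only the 16-bit header layout matches netlink.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct nlattr: the length field is only 16 bits wide. */
struct nla_hdr { uint16_t nla_len; uint16_t nla_type; };

/* Hypothetical message buffer, big enough to exceed a 16-bit length. */
static uint8_t buf[1 << 17];
static size_t buf_size;

/* Builds one nested attribute holding 'payload' constructed filler bytes
 * (caller keeps payload + 4 <= sizeof buf); returns the header offset. */
static size_t build_nested(size_t payload)
{
    struct nla_hdr h = { 0, 1 };
    memcpy(buf, &h, sizeof h);
    memset(buf + sizeof h, 0xab, payload);
    buf_size = sizeof h + payload;
    return 0;
}

/* Unsafe close: narrows the size_t length to 16 bits, so anything above
 * UINT16_MAX is silently truncated and the header no longer matches. */
static uint16_t nested_end_unchecked(size_t off)
{
    uint16_t len = (uint16_t) (buf_size - off);
    memcpy(buf + off, &len, sizeof len);   /* nla_len is the first field */
    return len;
}

/* Checked close: validates the length before storing it; on failure the
 * attribute is dropped so the caller can fail parsing. */
static bool nested_end_checked(size_t off)
{
    if (buf_size - off > UINT16_MAX) {
        buf_size = off;
        return false;
    }
    nested_end_unchecked(off);
    return true;
}

int main(void)
{
    printf("unchecked nla_len=%u\n", (unsigned) nested_end_unchecked(build_nested(70000)));
    printf("checked close ok=%d\n", (int) nested_end_checked(build_nested(70000)));
    return 0;
}
```

With a 70000-byte payload the unchecked close stores a length far smaller than the data actually written, which is the header/data mismatch a later reader walks past.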
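Added example, not the code from lib/sha1.c: a C model of the bit-counter carry check described in the sha1 commit (555478), comparing a 64-bit operand with a 32-bit one. The shape of the check, the struct and the function names are assumptions made for illustration; uint64_t stands in for a 64-bit size_t so the result is the same on any platform.

```c
#include <stdint.h>
#include <stdio.h>

/* Message length in bits, kept as two 32-bit halves. */
struct bit_count { uint32_t lo, hi; };

/* Carry check with a 64-bit operand (uint64_t stands in for a 64-bit
 * size_t): the sum is computed in 64 bits, never wraps at 2^32, and the
 * carry into 'hi' is never detected. */
static void add_bytes_wide(struct bit_count *c, uint64_t n)
{
    if (c->lo + (n << 3) < c->lo) {
        c->hi++;
    }
    c->lo += (uint32_t) (n << 3);
    c->hi += (uint32_t) (n >> 29);
}

/* Same check with a 32-bit operand: the sum wraps modulo 2^32, which is
 * the deliberate loss of data the comparison relies on. */
static void add_bytes_narrow(struct bit_count *c, uint32_t n)
{
    uint32_t bits = n << 3;
    if ((uint32_t) (c->lo + bits) < c->lo) {
        c->hi++;
    }
    c->lo += bits;
    c->hi += n >> 29;
}

/* Feeds 'total' bytes in 'chunk'-sized updates (chunk > 0) and returns
 * the resulting 64-bit bit count. */
static uint64_t total_bits(int narrow, uint64_t total, uint32_t chunk)
{
    struct bit_count c = { 0, 0 };
    while (total > 0) {
        uint32_t n = total < chunk ? (uint32_t) total : chunk;
        narrow ? add_bytes_narrow(&c, n) : add_bytes_wide(&c, n);
        total -= n;
    }
    return ((uint64_t) c.hi << 32) | c.lo;
}

int main(void)
{
    printf("600 MiB in 64 MiB updates: wide=%llu narrow=%llu bits\n",
           (unsigned long long) total_bits(0, 600ULL << 20, 1u << 26),
           (unsigned long long) total_bits(1, 600ULL << 20, 1u << 26));
    return 0;
}
```

Below 512 MiB both variants agree; once the low half wraps, the wide variant loses 2^32 bits from the length that SHA-1 mixes into its final block, so the digest no longer matches.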