[ovs-git] [openvswitch/ovs] a7d4d5: odp-util: Fix overflow of nested netlink attributes.

gvrose8192 noreply at github.com
Mon Nov 16 18:06:28 UTC 2020


  Branch: refs/heads/branch-2.7
  Home:   https://github.com/openvswitch/ovs
  Commit: a7d4d5f0bde68400a99c0927d941af3dbfe634dc
      https://github.com/openvswitch/ovs/commit/a7d4d5f0bde68400a99c0927d941af3dbfe634dc
  Author: Ilya Maximets <i.maximets at ovn.org>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/netlink.c
    M lib/odp-util.c
    M tests/tunnel.at

  Log Message:
  -----------
  odp-util: Fix overflow of nested netlink attributes.

Length of nested attributes must be checked before storing to the
header.  If current length exceeds the maximum value parsing should
fail, otherwise the length value will be truncated leading to
corrupted netlink message and out-of-bound memory accesses:

  ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6310002cc838
         at pc 0x000000575470 bp 0x7ffc6c322d60 sp 0x7ffc6c322d58
  READ of size 1 at 0x6310002cc838 thread T0
  SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x57546f in format_generic_odp_key lib/odp-util.c:2738:39
    #1 0x559e70 in check_attr_len lib/odp-util.c:3572:13
    #2 0x56581a in format_odp_key_attr lib/odp-util.c:4392:9
    #3 0x5563b9 in format_odp_action lib/odp-util.c:1192:9
    #4 0x555d75 in format_odp_actions lib/odp-util.c:1279:13
    ...

Fix that by checking the length of nested netlink attributes before
updating 'nla_len' inside the header.  Additionally introduced
assertion inside nl_msg_end_nested() to catch this kind of issues
before actual overflow happened.

Credit to OSS-Fuzz.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20003
Fixes: 65da723b40a5 ("odp-util: Format tunnel attributes directly from netlink.")
Acked-by: Flavio Leitner <fbl at sysclose.org>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 5554785967619f8ff0a56519a9e95a39f888ea8b
      https://github.com/openvswitch/ovs/commit/5554785967619f8ff0a56519a9e95a39f888ea8b
  Author: Renat Nurgaliyev <impleman at gmail.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M NEWS
    M lib/sha1.c
    M lib/sha1.h

  Log Message:
  -----------
  sha1: Fix algorithm for data bigger than 512 megabytes.

In modern systems, size_t is 64 bits. There is a 32 bit overflow check
in sha1_update(), which will not work correctly, because compiler will
do an automatic cast to 64 bits, since size_t type variable is in the
expression. We do want however to lose data, since this is the whole
idea of this overflow check.

Because of this, computation of SHA-1 checksum will always be incorrect
for any data, that is bigger than 512 megabytes, which in bits is the
boundary of 32 bits integer.

In practice it means that any OVSDB transaction, bigger or equal to 512
megabytes, is considered corrupt and ovsdb-server will refuse to work
with the database file. This is especially critical for OVN southbound
database, since it tends to grow rapidly.

Fixes: 5eccf359391f ("Replace SHA-1 library with one that is clearly licensed.")
Signed-off-by: Renat Nurgaliyev <impleman at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 3f76c7e89a1edb07d8449b35c20ed6ea24b87492
      https://github.com/openvswitch/ovs/commit/3f76c7e89a1edb07d8449b35c20ed6ea24b87492
  Author: Vincent Bernat <vincent at bernat.ch>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldp.c

  Log Message:
  -----------
  lldp: validate a bit more received LLDP frames

Upstream commit:
    commit 3aeae72b97716fddac290634fad02b952d981f17
    Author: Vincent Bernat <vincent at bernat.ch>
    Date:   Tue, 1 Oct 2019 21:42:42 +0200

    lldp: validate a bit more received LLDP frames

    Notably, we ensure the order and unicity of Chassis ID, Port ID and
    TTL TLV. For Chassis ID and Port ID, we also ensure the maximum size
    does not exceed 256.

    Fix https://github.com/vincentbernat/lldpd/issues/351

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Signed-off-by: Aaron Conole <aconole at redhat.com>
Co-authored-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 789a82330d2920fff78d62707cf0648163d3499b
      https://github.com/openvswitch/ovs/commit/789a82330d2920fff78d62707cf0648163d3499b
  Author: Jonas Johansson <jonasj76 at gmail.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldp.c

  Log Message:
  -----------
  lldp: Fix size of PEEK_DISCARD_UINT32()

Upstream commit:
    commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
    Author: Jonas Johansson <jonasj76 at gmail.com>
    Date:   Thu, 21 Apr 2016 11:50:06 +0200

    Fix size of PEEK_DISCARD_UINT32()

    Signed-off-by: Jonas Johansson <jonasj76 at gmail.com>

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Reported-by: Jonas Rudloff <jonas.t.rudloff at gmail.com>
Reported-at: https://github.com/openvswitch/ovs/pull/336
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 4bd18070e1875d8d2623304cf7d864a8bca435e5
      https://github.com/openvswitch/ovs/commit/4bd18070e1875d8d2623304cf7d864a8bca435e5
  Author: Vincent Bernat <vincent at bernat.im>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldp.c

  Log Message:
  -----------
  lldp: fix a buffer overflow when handling management address TLV

Upstream commit:
    commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
    Author: Vincent Bernat <vincent at bernat.im>
    Date: Sun, 4 Oct 2015 01:50:38 +0200

    lldp: fix a buffer overflow when handling management address TLV

    When a remote device was advertising a too large management address
    while still respecting TLV boundaries, lldpd would crash due to a buffer
    overflow. However, the buffer being a static one, this buffer overflow
    is not exploitable if hardening was not disabled. This bug exists since
    version 0.5.6.

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Reported-by: Jonas Rudloff <jonas.t.rudloff at gmail.com>
Reported-at: https://github.com/openvswitch/ovs/pull/335
Co-authored-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 630c62c53da13d650efbcbac4ca29f950dbf0fe3
      https://github.com/openvswitch/ovs/commit/630c62c53da13d650efbcbac4ca29f950dbf0fe3
  Author: Vincent Bernat <vincent at bernat.ch>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldp.c

  Log Message:
  -----------
  lldp: increase statsTLVsUnrecognizedTotal on unknown TLV

Upstream commit:
    commit 109bcd423cd560545ec7940d73a50c5584aebb0c
    Author: Vincent Bernat <vincent at bernat.ch>
    Date: Sat, 6 Apr 2019 21:17:25 +0200

    This was done for organization TLVs, but not for other TLVs.

    Fix https://github.com/vincentbernat/lldpd/issues/323

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 5a93a8c13486cc3b6efccf5ed05665c76d97e2a7
      https://github.com/openvswitch/ovs/commit/5a93a8c13486cc3b6efccf5ed05665c76d97e2a7
  Author: Vincent Bernat <vincent at bernat.im>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/lldp/lldpd.c

  Log Message:
  -----------
  lldp: correctly increase discarded count

Upstream commit:
    commit 32f0deeebc9172c3f5f4a4d02aab32e6904947f6
    Date: Sat, 18 Feb 2017 20:11:47 +0100

    lldpd: correctly increase discarded count

    When a frame cannot be decoded but has been guessed, increase the
    discarded count.

    Fix https://github.com/vincentbernat/lldpd/issues/223

Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
Co-authored-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Signed-off-by: Fabrizio D'Angelo <fdangelo at redhat.com>
Acked-by: Aaron Conole <aconole at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: f93250cb9c9b671d20bcb29683f46f5de55112be
      https://github.com/openvswitch/ovs/commit/f93250cb9c9b671d20bcb29683f46f5de55112be
  Author: Timothy Redaelli <tredaelli at redhat.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M lib/nx-match.c

  Log Message:
  -----------
  ofp-actions: Fix userspace support for mpls_ttl.

Currently mpls_ttl is ignored when a flow is added because MFF_MPLS_TTL is
not handled in nx_put_raw().

This commit adds the correct handling of MFF_MPLS_TTL in nx_put_raw().

Fixes: bef3f465bcd5 ("openflow: Support matching and modifying MPLS TTL field.")
Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 78083a3f2dd65b1592fb78e351b06a38c4a52563
      https://github.com/openvswitch/ovs/commit/78083a3f2dd65b1592fb78e351b06a38c4a52563
  Author: Timothy Redaelli <tredaelli at redhat.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M tests/ovs-ofctl.at

  Log Message:
  -----------
  tests: Add parse-flow tests for MPLS fields.

Currently "ovs-ofctl parse-flows (NXM)" test doesn't test MPLS fields at all.

This commit adds a test for the the 4 MPLS fields (mpls_label, mpls_tc,
mpls_bos and mpls_ttl) to "ovs-ofctl parse-flows (NXM)" test.

Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 8248b8aaaa782e45acb56307f463e70f89d64a6c
      https://github.com/openvswitch/ovs/commit/8248b8aaaa782e45acb56307f463e70f89d64a6c
  Author: Greg Rose <gvrose8192 at gmail.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M acinclude.m4
    M datapath/linux/compat/include/linux/percpu.h
    M datapath/linux/compat/include/linux/skbuff.h

  Log Message:
  -----------
  compat: Remove stale code.

Remove stale and unused code left over after support for kernels
older than 3.10 was removed.

Fixes: 8063e0958780 ("datapath: Drop support for kernel older than 3.10")
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
Acked-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


  Commit: 1d484939e84a96ed0fe32b25a272c93cf060c6fc
      https://github.com/openvswitch/ovs/commit/1d484939e84a96ed0fe32b25a272c93cf060c6fc
  Author: Greg Rose <gvrose8192 at gmail.com>
  Date:   2020-11-16 (Mon, 16 Nov 2020)

  Changed paths:
    M datapath/linux/compat/nf_conntrack_reasm.c

  Log Message:
  -----------
  compat: Fix compile warning.

In ../compat/nf_conntrack_reasm.c nf_frags_cache_name is declared
if OVS_NF_DEFRAG6_BACKPORT is defined.  However, later in the patch
it is only used if HAVE_INET_FRAGS_WITH_FRAGS_WORK is defined and
HAVE_INET_FRAGS_RND is not defined.  This will cause a compile warning
about unused variables.

Fix it up by using the same defines that enable its use to decide
if it should be declared and avoid the compiler warning.

Fixes: 4a90b277baca ("compat: Fixup ipv6 fragmentation on 4.9.135+ kernels")
Signed-off-by: Greg Rose <gvrose8192 at gmail.com>
Acked-by: Yi-Hung Wei <yihung.wei at gmail.com>
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/49a57da69ade...1d484939e84a


More information about the git mailing list