projects / ovs.git / blame
| Commit | Line | Data |
|---|---|---|
| e4d0330f TG |
1 | Description: CVE-2021-36980: ofp-actions: Fix use-after-free while decoding RAW_ENCAP. |
| 2 | While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate | |
| 3 | ofpbuf if there is no enough space left. However, function | |
| 4 | 'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap' | |
| 5 | structure leading to write-after-free and incorrect decoding. | |
| 6 | . | |
| 7 | ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address | |
| 8 | 0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408 | |
| 9 | WRITE of size 2 at 0x60600000011a thread T0 | |
| 10 | #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20 | |
| 11 | #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16 | |
| 12 | #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21 | |
| 13 | #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13 | |
| 14 | #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12 | |
| 15 | #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17 | |
| 16 | #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13 | |
| 17 | #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16 | |
| 18 | #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21 | |
| 19 | #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28 | |
| 20 | #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9 | |
| 21 | #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17 | |
| 22 | #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5 | |
| 23 | #13 0x5391ae in main utilities/ovs-ofctl.c:179:9 | |
| 24 | #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081) | |
| 25 | #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed) | |
| 26 | . | |
| 27 | Fix that by getting a new pointer before using. | |
| 28 | . | |
| 29 | Credit to OSS-Fuzz. | |
| 30 | . | |
| 31 | Fuzzer regression test will fail only with AddressSanitizer enabled. | |
| 32 | Author: Ilya Maximets <i.maximets@ovn.org> | |
| 33 | Date: Tue, 16 Feb 2021 23:27:30 +0100 | |
| 34 | Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851 | |
| 35 | Fixes: f839892a206a ("OF support and translation of generic encap and decap") | |
| 36 | Acked-by: William Tu <u9012063@gmail.com> | |
| 37 | Signed-off-by: Ilya Maximets <i.maximets@ovn.org> | |
| 38 | Bug-Debian: https://bugs.debian.org/991308 | |
| 39 | Origin: upstream, https://github.com/openvswitch/ovs/commit/38744b1bcb022c611712527f039722115300f58f.patch | |
| 40 | Last-Update: 2021-07-21 | |
| 41 | ||
| 42 | diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c | |
| 43 | index e2e829772a5..0342a228b70 100644 | |
| 44 | --- a/lib/ofp-actions.c | |
| 45 | +++ b/lib/ofp-actions.c | |
| 46 | @@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae, | |
| 47 | { | |
| 48 | struct ofpact_encap *encap; | |
| 49 | const struct ofp_ed_prop_header *ofp_prop; | |
| 50 | + const size_t encap_ofs = out->size; | |
| 51 | size_t props_len; | |
| 52 | uint16_t n_props = 0; | |
| 53 | int err; | |
| 54 | @@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae, | |
| 55 | } | |
| 56 | n_props++; | |
| 57 | } | |
| 58 | + encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap); | |
| 59 | encap->n_props = n_props; | |
| 60 | out->header = &encap->ofpact; | |
| 61 | ofpact_finish_ENCAP(out, &encap); | |
| 62 | diff --git a/tests/automake.mk b/tests/automake.mk | |
| 63 | index 677b99a6b48..fc80e027dfc 100644 | |
| 64 | --- a/tests/automake.mk | |
| 65 | +++ b/tests/automake.mk | |
| 66 | @@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \ | |
| 67 | tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \ | |
| 68 | tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \ | |
| 69 | tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \ | |
| 70 | - tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 | |
| 71 | + tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \ | |
| 72 | + tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | |
| 73 | $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk | |
| 74 | $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \ | |
| 75 | basename=`echo $$name | sed 's,^.*/,,'`; \ | |
| 76 | diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at | |
| 77 | index e3173fb88f0..2347c690eff 100644 | |
| 78 | --- a/tests/fuzz-regression-list.at | |
| 79 | +++ b/tests/fuzz-regression-list.at | |
| 80 | @@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296]) | |
| 81 | TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128]) | |
| 82 | TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312]) | |
| 83 | TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448]) | |
| 84 | +TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832]) | |
| 85 | diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 | |
| 86 | new file mode 100644 | |
| 87 | index 00000000000..e69de29bb2d |