* CVE-2021-36980: use-after-free in decode_NXAST_RAW_ENCAPAdd. Add upstream patch...

author Thomas Goirand <zigo@debian.org>

Mon, 3 Jan 2022 11:07:02 +0000 (12:07 +0100)

committer Thomas Goirand <zigo@debian.org>

Mon, 3 Jan 2022 12:55:17 +0000 (13:55 +0100)
author Thomas Goirand <zigo@debian.org>
Mon, 3 Jan 2022 11:07:02 +0000 (12:07 +0100)
committer Thomas Goirand <zigo@debian.org>
Mon, 3 Jan 2022 12:55:17 +0000 (13:55 +0100)
diff --git a/debian/changelog b/debian/changelog

index bb2ddcaf450c85120cf61309770993e3ec3d44bd..2f79455e8d23170f243e2363c0e2bf6989fcfc35 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openvswitch (2.15.0+ds1-2+deb11u1) bullseye; urgency=medium
+
+  * CVE-2021-36980: use-after-free in decode_NXAST_RAW_ENCAPAdd. Add upstream
+    patch (Closes: #991308).
+
+ -- Thomas Goirand <zigo@debian.org>  Mon, 03 Jan 2022 13:53:38 +0100
+
  openvswitch (2.15.0+ds1-2) unstable; urgency=medium
  
    * Mipsel64 and mipsel: blacklist more tests, as they are failing on these
diff --git a/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch b/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch

new file mode 100644 (file)

index 0000000..ad59116
--- /dev/null
+++ b/debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
@@ -0,0 +1,87 @@
+Description: CVE-2021-36980: ofp-actions: Fix use-after-free while decoding RAW_ENCAP.
+ While decoding RAW_ENCAP action, decode_ed_prop() might re-allocate
+ ofpbuf if there is no enough space left.  However, function
+ 'decode_NXAST_RAW_ENCAP' continues to use old pointer to 'encap'
+ structure leading to write-after-free and incorrect decoding.
+ .
+   ==3549105==ERROR: AddressSanitizer: heap-use-after-free on address
+   0x60600000011a at pc 0x0000005f6cc6 bp 0x7ffc3a2d4410 sp 0x7ffc3a2d4408
+   WRITE of size 2 at 0x60600000011a thread T0
+     #0 0x5f6cc5 in decode_NXAST_RAW_ENCAP lib/ofp-actions.c:4461:20
+     #1 0x5f0551 in ofpact_decode ./lib/ofp-actions.inc2:4777:16
+     #2 0x5ed17c in ofpacts_decode lib/ofp-actions.c:7752:21
+     #3 0x5eba9a in ofpacts_pull_openflow_actions__ lib/ofp-actions.c:7791:13
+     #4 0x5eb9fc in ofpacts_pull_openflow_actions lib/ofp-actions.c:7835:12
+     #5 0x64bb8b in ofputil_decode_packet_out lib/ofp-packet.c:1113:17
+     #6 0x65b6f4 in ofp_print_packet_out lib/ofp-print.c:148:13
+     #7 0x659e3f in ofp_to_string__ lib/ofp-print.c:1029:16
+     #8 0x659b24 in ofp_to_string lib/ofp-print.c:1244:21
+     #9 0x65a28c in ofp_print lib/ofp-print.c:1288:28
+     #10 0x540d11 in ofctl_ofp_parse utilities/ovs-ofctl.c:2814:9
+     #11 0x564228 in ovs_cmdl_run_command__ lib/command-line.c:247:17
+     #12 0x56408a in ovs_cmdl_run_command lib/command-line.c:278:5
+     #13 0x5391ae in main utilities/ovs-ofctl.c:179:9
+     #14 0x7f6911ce9081 in __libc_start_main (/lib64/libc.so.6+0x27081)
+     #15 0x461fed in _start (utilities/ovs-ofctl+0x461fed)
+ .
+ Fix that by getting a new pointer before using.
+ .
+ Credit to OSS-Fuzz.
+ .
+ Fuzzer regression test will fail only with AddressSanitizer enabled.
+Author: Ilya Maximets <i.maximets@ovn.org>
+Date: Tue, 16 Feb 2021 23:27:30 +0100
+Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
+Fixes: f839892a206a ("OF support and translation of generic encap and decap")
+Acked-by: William Tu <u9012063@gmail.com>
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Bug-Debian: https://bugs.debian.org/991308
+Origin: upstream, https://github.com/openvswitch/ovs/commit/38744b1bcb022c611712527f039722115300f58f.patch
+Last-Update: 2021-07-21
+
+diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c
+index e2e829772a5..0342a228b70 100644
+--- a/lib/ofp-actions.c
++++ b/lib/ofp-actions.c
+@@ -4431,6 +4431,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+ {
+     struct ofpact_encap *encap;
+     const struct ofp_ed_prop_header *ofp_prop;
++    const size_t encap_ofs = out->size;
+     size_t props_len;
+     uint16_t n_props = 0;
+     int err;
+@@ -4458,6 +4459,7 @@ decode_NXAST_RAW_ENCAP(const struct nx_action_encap *nae,
+         }
+         n_props++;
+     }
++    encap = ofpbuf_at_assert(out, encap_ofs, sizeof *encap);
+     encap->n_props = n_props;
+     out->header = &encap->ofpact;
+     ofpact_finish_ENCAP(out, &encap);
+diff --git a/tests/automake.mk b/tests/automake.mk
+index 677b99a6b48..fc80e027dfc 100644
+--- a/tests/automake.mk
++++ b/tests/automake.mk
+@@ -134,7 +134,8 @@ FUZZ_REGRESSION_TESTS = \
+       tests/fuzz-regression/ofp_print_fuzzer-5722747668791296 \
+       tests/fuzz-regression/ofp_print_fuzzer-6285128790704128 \
+       tests/fuzz-regression/ofp_print_fuzzer-6470117922701312 \
+-      tests/fuzz-regression/ofp_print_fuzzer-6502620041576448
++      tests/fuzz-regression/ofp_print_fuzzer-6502620041576448 \
++      tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+ $(srcdir)/tests/fuzz-regression-list.at: tests/automake.mk
+       $(AM_V_GEN)for name in $(FUZZ_REGRESSION_TESTS); do \
+             basename=`echo $$name | sed 's,^.*/,,'`; \
+diff --git a/tests/fuzz-regression-list.at b/tests/fuzz-regression-list.at
+index e3173fb88f0..2347c690eff 100644
+--- a/tests/fuzz-regression-list.at
++++ b/tests/fuzz-regression-list.at
+@@ -21,3 +21,4 @@ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-5722747668791296])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6285128790704128])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6470117922701312])
+ TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6502620041576448])
++TEST_FUZZ_REGRESSION([ofp_print_fuzzer-6540965472632832])
+diff --git a/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832 b/tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
+new file mode 100644
+index 00000000000..e69de29bb2d
diff --git a/debian/patches/series b/debian/patches/series

index 737902db1d7eae1f66d2ea9ed84d13e9455f8bb6..f8a605ce1f8368f711798d922c159fae88e0f57e 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
  remove-include-debian-automake.mk.patch
  py3-compat.patch
+CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch
diff --git a/debian/rules b/debian/rules

index 205596f0049854a3968074eb2fe475a587a7c3e3..b6d451c9c448b8c8effa9283ed0f4c279b1749f0 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -181,6 +181,7 @@ endif # i386/amd64/ppc64el/arm64
  endif # nocheck
  
  override_dh_auto_build:
+       touch tests/fuzz-regression/ofp_print_fuzzer-6540965472632832
         set -e ; set -x ; for MYMAINTSCRIPT in openvswitch-common.postinst openvswitch-switch-dpdk.postinst ; do \
                 sed s/%%MULTIARCH_TRIPLETT%%/$$(dpkg-architecture -qDEB_HOST_MULTIARCH)/ debian/$$MYMAINTSCRIPT.in >debian/$$MYMAINTSCRIPT ; \
         done
author	Thomas Goirand <zigo@debian.org>
	Mon, 3 Jan 2022 11:07:02 +0000 (12:07 +0100)
committer	Thomas Goirand <zigo@debian.org>
	Mon, 3 Jan 2022 12:55:17 +0000 (13:55 +0100)
debian/changelog		patch \| blob \| blame \| history
debian/patches/CVE-2021-36980_Fix_use-after-free_while_decoding_RAW_ENCAP.patch	[new file with mode: 0644]	patch \| blob
debian/patches/series		patch \| blob \| blame \| history
debian/rules		patch \| blob \| blame \| history