diff --git a/0001-lldp-validate-a-bit-more-received-LLDP-frames.patch b/0001-lldp-validate-a-bit-more-received-LLDP-frames.patch
new file mode 100644
index 0000000..0752856
--- /dev/null
+++ b/0001-lldp-validate-a-bit-more-received-LLDP-frames.patch
@@ -0,0 +1,132 @@ +From d0e86f3353677fd9432608c7189928467767a109 Mon Sep 17 00:00:00 2001 +From: Vincent Bernat +Date: Thu, 12 Nov 2020 19:54:50 -0500 +Subject: [PATCH 1/5] lldp: validate a bit more received LLDP frames + +Upstream commit: + commit 3aeae72b97716fddac290634fad02b952d981f17 + Author: Vincent Bernat + Date: Tue, 1 Oct 2019 21:42:42 +0200 + + lldp: validate a bit more received LLDP frames + + Notably, we ensure the order and unicity of Chassis ID, Port ID and + TTL TLV. For Chassis ID and Port ID, we also ensure the maximum size + does not exceed 256. + + Fix https://github.com/vincentbernat/lldpd/issues/351 + +Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") +Signed-off-by: Aaron Conole +Co-authored-by: Aaron Conole +Signed-off-by: Ilya Maximets +--- + lib/lldp/lldp.c | 53 +++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 51 insertions(+), 2 deletions(-) + +diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c +index 74f747fcd..e61ce6774 100644 +--- a/lib/lldp/lldp.c ++++ b/lib/lldp/lldp.c +@@ -341,6 +341,12 @@ lldp_send(struct lldpd *global OVS_UNUSED, + + return dp_packet_size(p); + } ++#define CHECK_TLV_MAX_SIZE(x, name) \ ++ do { if (tlv_size > (x)) { \ ++ VLOG_WARN(name " TLV too large received on %s", \ ++ hardware->h_ifname); \ ++ goto malformed; \ ++ } } while (0) + + int + lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, +@@ -359,7 +365,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, + int length, af; + bool gotend = false; + bool ttl_received = false; +- int tlv_size, tlv_type, tlv_subtype; ++ int tlv_size, tlv_type, tlv_subtype, tlv_count = 0; + u_int8_t *pos, *tlv; + void *b; + struct lldpd_aa_isid_vlan_maps_tlv *isid_vlan_map = NULL; +@@ -411,6 +417,31 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, + hardware->h_ifname); + goto malformed; + } ++ /* Check order for mandatory TLVs */ ++ tlv_count++; ++ switch (tlv_type) { ++ case LLDP_TLV_CHASSIS_ID: 
++ if (tlv_count != 1) {
++ VLOG_WARN("first TLV should be a chassis ID on %s, not %d",
++ hardware->h_ifname, tlv_type);
++ goto malformed;
++ }
++ break;
++ case LLDP_TLV_PORT_ID:
++ if (tlv_count != 2) {
++ VLOG_WARN("second TLV should be a port ID on %s, not %d",
++ hardware->h_ifname, tlv_type);
++ goto malformed;
++ }
++ break;
++ case LLDP_TLV_TTL:
++ if (tlv_count != 3) {
++ VLOG_WARN("third TLV should be a TTL on %s, not %d",
++ hardware->h_ifname, tlv_type);
++ goto malformed;
++ }
++ break;
++ }
+
+ switch (tlv_type) {
+ case LLDP_TLV_END:
+@@ -428,7 +459,8 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+
+ case LLDP_TLV_CHASSIS_ID:
+ case LLDP_TLV_PORT_ID:
+- CHECK_TLV_SIZE(2, "Port Id");
++ CHECK_TLV_SIZE(2, "Port/Chassis Id");
++ CHECK_TLV_MAX_SIZE(256, "Port/Chassis Id");
+ tlv_subtype = PEEK_UINT8;
+ if (tlv_subtype == 0 || tlv_subtype > 7) {
+ VLOG_WARN("unknown subtype for tlv id received on %s",
+@@ -438,10 +470,22 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ b = xzalloc(tlv_size - 1);
+ PEEK_BYTES(b, tlv_size - 1);
+ if (tlv_type == LLDP_TLV_PORT_ID) {
++ if (port->p_id != NULL) {
++ VLOG_WARN("Port ID TLV received twice on %s",
++ hardware->h_ifname);
++ free(b);
++ goto malformed;
++ }
+ port->p_id_subtype = tlv_subtype;
+ port->p_id = b;
+ port->p_id_len = tlv_size - 1;
+ } else {
++ if (chassis->c_id != NULL) {
++ VLOG_WARN("Chassis ID TLV received twice on %s",
++ hardware->h_ifname);
++ free(b);
++ goto malformed;
++ }
+ chassis->c_id_subtype = tlv_subtype;
+ chassis->c_id = b;
+ chassis->c_id_len = tlv_size - 1;
+@@ -449,6 +493,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ break;
+
+ case LLDP_TLV_TTL:
++ if (ttl_received) {
++ VLOG_WARN("TTL TLV received twice on %s",
++ hardware->h_ifname);
++ goto malformed;
++ }
+ CHECK_TLV_SIZE(2, "TTL");
+ chassis->c_ttl = PEEK_UINT16;
+ ttl_received = true;
+--
+2.28.0
+
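Review bot: The duplicate-ID rejection added inside the `if (tlv_type == LLDP_TLV_PORT_ID)` / `else` branches runs only after `b = xzalloc(tlv_size - 1);` and `PEEK_BYTES(b, tlv_size - 1);` have already copied the value, so every rejected duplicate costs an allocation plus the `free(b);` the hunk has to add on both paths; placing `if (port->p_id != NULL)` and `if (chassis->c_id != NULL)` ahead of the `b = xzalloc(tlv_size - 1);` line needs no `free(b)` at all. With the `tlv_count` ordering switch earlier in the same loop iteration, a second Chassis ID, Port ID or TTL TLV appears to be rejected there already (it can never be TLV 1, 2 or 3 again), so the three "received twice" branches look unreachable; keeping them as defence in depth is reasonable, but a comment such as `/* Unreachable while the ordering check above holds; kept as belt and braces. */` would save the next reader from hunting for the path that reaches them. Note also that the ordering switch only constrains the mandatory TLVs when they are present; a frame that omits one of them is not rejected here and relies on whatever checks follow the TLV loop, which lie outside this hunk. `lldp_decode` starts and ends outside the hunk.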
diff --git a/0002-lldp-Fix-size-of-PEEK_DISCARD_UINT32.patch b/0002-lldp-Fix-size-of-PEEK_DISCARD_UINT32.patch
new file mode 100644
index 0000000..e4a2a4d
--- /dev/null
+++ b/0002-lldp-Fix-size-of-PEEK_DISCARD_UINT32.patch
@@ -0,0 +1,40 @@
+From 800ce88f52c68e9754d9d9085daf47cf90bb10cf Mon Sep 17 00:00:00 2001
+From: Jonas Johansson
+Date: Thu, 12 Nov 2020 19:54:51 -0500
+Subject: [PATCH 2/5] lldp: Fix size of PEEK_DISCARD_UINT32()
+
+Upstream commit:
+ commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
+ Author: Jonas Johansson
+ Date: Thu, 21 Apr 2016 11:50:06 +0200
+
+ Fix size of PEEK_DISCARD_UINT32()
+
+ Signed-off-by: Jonas Johansson
+
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Reported-by: Jonas Rudloff
+Reported-at: https://github.com/openvswitch/ovs/pull/336
+Signed-off-by: Fabrizio D'Angelo
+Acked-by: Aaron Conole
+Signed-off-by: Ilya Maximets
+---
+ lib/lldp/lldp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index e61ce6774..593c5e1c3 100644
+--- a/lib/lldp/lldp.c
++++ b/lib/lldp/lldp.c
+@@ -59,7 +59,7 @@ VLOG_DEFINE_THIS_MODULE(lldp);
+ } while (0)
+ #define PEEK_DISCARD_UINT8 PEEK_DISCARD(1)
+ #define PEEK_DISCARD_UINT16 PEEK_DISCARD(2)
+-#define PEEK_DISCARD_UINT32 PEEK_DISCARD(3)
++#define PEEK_DISCARD_UINT32 PEEK_DISCARD(4)
+ #define PEEK_CMP(value, bytes) \
+ (length -= (bytes), \
+ pos += (bytes), \
+--
+2.28.0
+
diff --git a/0003-lldp-fix-a-buffer-overflow-when-handling-management-.patch b/0003-lldp-fix-a-buffer-overflow-when-handling-management-.patch
new file mode 100644
index 0000000..47d427f
--- /dev/null
+++ b/0003-lldp-fix-a-buffer-overflow-when-handling-management-.patch
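Review bot: The `Upstream commit:` reference in this patch, `commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b`, is the same hash that 0003-lldp-fix-a-buffer-overflow-when-handling-management-.patch cites for a different author (Vincent Bernat) and date (Sun, 4 Oct 2015), so at least one of the two provenance lines is wrong and should be checked against the lldpd history before this lands as the CVE-2015-8011 backport. On the code itself, `PEEK_DISCARD_UINT32` presumably moves `pos` and `length` the way the visible `PEEK_CMP` does, so every caller now skips four bytes instead of three and any call site whose preceding `CHECK_TLV_SIZE` was sized for the old three-byte skip is no longer covered; no caller is visible in this hunk, so that is worth a grep through lib/lldp/lldp.c. Tying the width to the type, `#define PEEK_DISCARD_UINT32 PEEK_DISCARD(sizeof(uint32_t))`, in the style of the `1 + sizeof orgid` change in 0003, would make a regression of this kind visible at the definition.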
@@ -0,0 +1,58 @@
+From ec51fc90669e5fe1a2096581296d55b3acda6711 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat
+Date: Thu, 12 Nov 2020 19:54:52 -0500
+Subject: [PATCH 3/5] lldp: fix a buffer overflow when handling management
+ address TLV
+
+Upstream commit:
+ commit a8d8006c06d9ac16ebcf33295cbd625c0847ca9b
+ Author: Vincent Bernat
+ Date: Sun, 4 Oct 2015 01:50:38 +0200
+
+ lldp: fix a buffer overflow when handling management address TLV
+
+ When a remote device was advertising a too large management address
+ while still respecting TLV boundaries, lldpd would crash due to a buffer
+ overflow. However, the buffer being a static one, this buffer overflow
+ is not exploitable if hardening was not disabled. This bug exists since
+ version 0.5.6.
+
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Reported-by: Jonas Rudloff
+Reported-at: https://github.com/openvswitch/ovs/pull/335
+Co-authored-by: Fabrizio D'Angelo
+Signed-off-by: Fabrizio D'Angelo
+Acked-by: Aaron Conole
+Signed-off-by: Ilya Maximets
+---
+ lib/lldp/lldp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index 593c5e1c3..628d0f863 100644
+--- a/lib/lldp/lldp.c
++++ b/lib/lldp/lldp.c
+@@ -530,6 +530,11 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ case LLDP_TLV_MGMT_ADDR:
+ CHECK_TLV_SIZE(1, "Management address");
+ addr_str_length = PEEK_UINT8;
++ if (addr_str_length > sizeof(addr_str_buffer)) {
++ VLOG_WARN("too large management address on %s",
++ hardware->h_ifname);
++ goto malformed;
++ }
+ CHECK_TLV_SIZE(1 + addr_str_length, "Management address");
+ PEEK_BYTES(addr_str_buffer, addr_str_length);
+ addr_length = addr_str_length - 1;
+@@ -554,7 +559,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ break;
+
+ case LLDP_TLV_ORG:
+- CHECK_TLV_SIZE(4, "Organisational");
++ CHECK_TLV_SIZE(1 + sizeof orgid, "Organisational");
+ PEEK_BYTES(orgid, sizeof orgid);
+ tlv_subtype = PEEK_UINT8;
+ if (memcmp(dot1, orgid, sizeof orgid) == 0) {
+--
+2.28.0
+
diff --git a/0004-lldp-increase-statsTLVsUnrecognizedTotal-on-unknown-.patch b/0004-lldp-increase-statsTLVsUnrecognizedTotal-on-unknown-.patch
new file mode 100644
index 0000000..84e8ebd
--- /dev/null
+++ b/0004-lldp-increase-statsTLVsUnrecognizedTotal-on-unknown-.patch
@@ -0,0 +1,37 @@
+From d9140c3fd0bcba05a9e33fc7b1e042b86e31ae37 Mon Sep 17 00:00:00 2001
+From: Vincent Bernat
+Date: Thu, 12 Nov 2020 19:54:53 -0500
+Subject: [PATCH 4/5] lldp: increase statsTLVsUnrecognizedTotal on unknown TLV
+
+Upstream commit:
+ commit 109bcd423cd560545ec7940d73a50c5584aebb0c
+ Author: Vincent Bernat
+ Date: Sat, 6 Apr 2019 21:17:25 +0200
+
+ This was done for organization TLVs, but not for other TLVs.
+
+ Fix https://github.com/vincentbernat/lldpd/issues/323
+
+Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard")
+Signed-off-by: Fabrizio D'Angelo
+Acked-by: Aaron Conole
+Signed-off-by: Ilya Maximets
+---
+ lib/lldp/lldp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
+index 628d0f863..e5755307f 100644
+--- a/lib/lldp/lldp.c
++++ b/lib/lldp/lldp.c
+@@ -679,6 +679,7 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s,
+ VLOG_WARN("unknown tlv (%d) received on %s",
+ tlv_type,
+ hardware->h_ifname);
++ hardware->h_rx_unrecognized_cnt++;
+ goto malformed;
+ }
+ if (pos > tlv + tlv_size) {
+--
+2.28.0
+
diff --git a/0005-lldp-correctly-increase-discarded-count.patch b/0005-lldp-correctly-increase-discarded-count.patch
new file mode 100644
index 0000000..67b34f1
--- /dev/null
+++ b/0005-lldp-correctly-increase-discarded-count.patch
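Review bot: The new guard in `case LLDP_TLV_MGMT_ADDR` bounds `addr_str_length` from above but still accepts 0, after which `addr_length = addr_str_length - 1;` goes negative or wraps (depending on the declared type of `addr_length`, which is outside the hunk) and `PEEK_BYTES(addr_str_buffer, 0)` leaves `addr_str_buffer[0]` holding whatever it held before; whether the consumers further down tolerate that depends on code outside the hunk. Since the length field counts the one-octet address subtype, a zero value can never be valid, so `if (addr_str_length == 0 || addr_str_length > sizeof(addr_str_buffer)) {` closes the gap at no cost and keeps the warning text honest for both directions with a single `VLOG_WARN("invalid management address length on %s", hardware->h_ifname);`. `lldp_decode` starts and ends outside the hunk.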
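Review bot: The counter increment added in the `default:` arm of the TLV switch is immediately followed by the existing `goto malformed;`, so an unrecognised TLV type still discards the whole LLDPDU; if the `malformed:` path (outside the hunk) also bumps a discarded counter, a single unknown TLV is now counted twice, once as unrecognised and once as discarded. 802.1AB describes unrecognised TLV types as ones to skip, with `statsTLVsUnrecognizedTotal` counting them while the rest of the frame is still processed, so the stricter drop here predates this commit and is an upstream choice, but the backport is the right place for a comment such as `/* Unknown TLV types are counted but, unlike 802.1AB, still discard the frame. */` so the accounting is not misread as standard-conformant. `lldp_decode` starts and ends outside the hunk.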
@@ -0,0 +1,48 @@ +From 45fd5e7ea1a63a62b70fdf05de782c31222696ad Mon Sep 17 00:00:00 2001 +From: Vincent Bernat +Date: Thu, 12 Nov 2020 19:54:54 -0500 +Subject: [PATCH 5/5] lldp: correctly increase discarded count + +Upstream commit: + commit 32f0deeebc9172c3f5f4a4d02aab32e6904947f6 + Date: Sat, 18 Feb 2017 20:11:47 +0100 + + lldpd: correctly increase discarded count + + When a frame cannot be decoded but has been guessed, increase the + discarded count. + + Fix https://github.com/vincentbernat/lldpd/issues/223 + +Fixes: be53a5c447c3 ("auto-attach: Initial support for Auto-Attach standard") +Co-authored-by: Fabrizio D'Angelo +Signed-off-by: Fabrizio D'Angelo +Acked-by: Aaron Conole +Signed-off-by: Ilya Maximets +--- + lib/lldp/lldpd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/lldp/lldpd.c b/lib/lldp/lldpd.c +index 19e930526..34738535d 100644 +--- a/lib/lldp/lldpd.c ++++ b/lib/lldp/lldpd.c +@@ -244,6 +244,7 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s, + + if (s < sizeof(struct eth_header) + 4) { + /* Too short, just discard it */ ++ hw->h_rx_discarded_cnt++; + return; + } + +@@ -284,6 +285,7 @@ lldpd_decode(struct lldpd *cfg, char *frame, int s, + VLOG_DBG("function for %s protocol did not " + "decode this frame", + cfg->g_protocols[i].name); ++ hw->h_rx_discarded_cnt++; + return; + } + chassis->c_protocol = port->p_protocol = cfg->g_protocols[i].mode; +-- +2.28.0 + diff --git a/openvswitch.spec b/openvswitch.spec index 4e802eb..c79191f 100644 --- a/openvswitch.spec +++ b/openvswitch.spec @@ -45,7 +45,7 @@ Name: openvswitch Summary: Open vSwitch daemon/database/utilities URL: http://www.openvswitch.org/ Version: 2.14.0 -Release: 2%{?commit0:.%{date}git%{shortcommit0}}%{?dist} +Release: 3%{?commit0:.%{date}git%{shortcommit0}}%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL 
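Review bot: The `if (s < sizeof(struct eth_header) + 4)` guard that the new `hw->h_rx_discarded_cnt++;` sits behind compares the `int s` from the `lldpd_decode(struct lldpd *cfg, char *frame, int s,` signature against a `size_t`, so a negative `s` is converted to a large unsigned value, skips the too-short path and is neither discarded nor counted; `if (s < 0 || (size_t) s < sizeof(struct eth_header) + 4) {` keeps the accounting honest should a caller ever pass a bad length. Between the two hunks the function jumps from line 249 to line 285, and any other early `return` in that stretch (for instance a frame whose protocol cannot be determined) would still leave the discard count untouched; whether that is intended depends on code outside these hunks. `lldpd_decode` starts and ends outside the hunks.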
@@ -61,6 +61,13 @@ Source: https://github.com/openvswitch/ovs/archive/%{commit0}.tar.gz#/%{name}-%{ Source: http://openvswitch.org/releases/%{name}-%{version}.tar.gz %endif +# 1899303 - CVE-2015-8011 +Patch10: 0001-lldp-validate-a-bit-more-received-LLDP-frames.patch +Patch11: 0002-lldp-Fix-size-of-PEEK_DISCARD_UINT32.patch +Patch12: 0003-lldp-fix-a-buffer-overflow-when-handling-management-.patch +Patch13: 0004-lldp-increase-statsTLVsUnrecognizedTotal-on-unknown-.patch +Patch14: 0005-lldp-correctly-increase-discarded-count.patch + # ovs-patches # OVS (including OVN) backports (0 - 300) @@ -474,6 +481,9 @@ chown -R openvswitch:openvswitch /etc/openvswitch %endif %changelog +* Thu Nov 19 2020 Timothy Redaelli - 2.14.0-3 +- Backport patches for CVE-2015-8011 (#1899303) + * Mon Sep 14 2020 Aaron Conole - 2.14.0-2 - Merge 'https://src.fedoraproject.org/rpms/openvswitch/pull-request/11' to set hugetlbfs group as a system group.
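Review bot: `Patch10:` through `Patch14:` are declared here, but nothing in this diff applies them; that is fine only if `%prep` (outside the hunk) uses `%autosetup -p1` or an equivalent that picks up every `PatchN:` line, otherwise each needs an explicit `%patch10 -p1` style application and the package would build without the CVE-2015-8011 fix it claims in the changelog. The comment `# 1899303 - CVE-2015-8011` covers five patches of which only 0003 is the CVE fix proper, while 0001, 0002, 0004 and 0005 are the surrounding lldp hardening and accounting changes; saying so, e.g. `# 1899303 - CVE-2015-8011 (0003) plus related lldp hardening from upstream lldpd`, helps whoever later decides which of these can be dropped on rebase.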